Preface


ASIACRYPT 2016, the 22nd Annual International Conference on Theory and 
Application of Cryptology and Information Security, was held at InterContinental 
Hanoi Westlake Hotel in Hanoi, Vietnam, during December 4-8, 2016. The conference 
focused on all technical aspects of cryptology, and was sponsored by the International 
Association for Cryptologic Research (IACR). 

Asiacrypt 2016 received a total of 240 submissions from all over the world. The 
Program Committee selected 67 papers from these submissions for publication in the 
proceedings of this conference. The review process was made via the usual double-blind peer review by the Program Committee comprising 43 leading experts in the field.
Each submission was reviewed by at least three reviewers and five reviewers were 
assigned to submissions co-authored by Program Committee members. This year, the 
conference operated a two-round review system with a rebuttal phase. In the first-round 
review the Program Committee selected the 140 submissions that were considered of 
value for proceeding to the second round. In the second-round review the Program 
Committee further reviewed the submissions by taking into account their rebuttal letter 
from the authors. The selection process was assisted by a total of 309 external 
reviewers. These two-volume proceedings contain the revised versions of the papers that were selected. The revised versions were not reviewed again and the authors are responsible for their contents.

The program of Asiacrypt 2016 featured three excellent invited talks. Nadia Heninger gave a talk on “The Reality of Cryptographic Deployments on the Internet,” Hoeteck Wee spoke on “Advances in Functional Encryption,” and Neal Koblitz gave a non-technical lecture on “Cryptography in Vietnam in the French and American Wars.” The conference also featured a traditional rump session that contained short presentations on the latest research results of the field. The Program Committee selected the work “Faster Fully Homomorphic Encryption: Bootstrapping in Less Than 0.1 Seconds” by Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachene for the Best Paper Award of Asiacrypt 2016. Two more papers, “Nonlinear Invariant Attack — Practical Attack on Full SCREAM, iSCREAM, and Midori64” by Yosuke Todo, Gregor Leander, and Yu Sasaki, and “Cliptography: Clipping the Power of Kleptographic Attacks” by Alexander Russell, Qiang Tang, Moti Yung, and Hong-Sheng Zhou, were solicited to submit full versions to the Journal of Cryptology.

Many people contributed to the success of Asiacrypt 2016. We would like to thank 
the authors for submitting their research results to the conference. We are very grateful 
to all of the Program Committee members as well as the external reviewers for their 
fruitful comments and discussions on their areas of expertise. We are greatly indebted to 
Ngo Bao Chau and Phan Duong Hieu, the general co-chairs for their efforts and overall 
organization. We would also like to thank Nguyen Huu Du, Nguyen Quoc Khanh, 
Nguyen Duy Fan, Duong Ngoc Thai, Nguyen Ta Toan Khoa, Nguyen Ngoc Tuan, 





Le Thi Lan Anh, and the local Organizing Committee for their continuous support.
We thank Steven Galbraith for expertly organizing and chairing the rump session. 

Finally we thank Shai Halevi for letting us use his nice software for supporting the 
paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, 
and their colleagues at Springer for handling the editorial process of the proceedings. 
We would like to express our gratitude to our partners and sponsors: XLIM, Microsoft 
Research, CISCO, Intel, Google. 

December 2016 Jung Hee Cheon 

Tsuyoshi Takagi 
Advances in Functional Encryption

Hoeteck Wee

Abstract. Functional encryption is a novel paradigm for public-key encryption that
enables both fine-grained access control and selective computation on encrypted 
data, as is necessary to protect big, complex data in the cloud. In this talk, I will 
provide a brief introduction to functional encryption and an overview of the state 
of the art, with a focus on constructions based on lattices. 


CNRS, INRIA and Columbia University. Supported in part by ERC Project aSCEND (H2020 639554) 
and NSF Award CNS-1445424.



The Reality of Cryptographic Deployments 
on the Internet 


Nadia Heninger 

University of Pennsylvania, Philadelphia, USA 


Abstract. Security proofs for cryptographic primitives and protocols rely on a number of (often implicit) assumptions about the world in which these components live. They assume that implementations are correct, that specifications are followed, that systems make sensible choices about error conditions, and that reliable sources of random numbers are present. However, a number of real-world studies examining cryptographic deployments have shown that these assumptions are often not true on a large scale, with catastrophic effects for security. In addition to simple programming errors, many real-world cryptographic vulnerabilities can be traced back to more complex underlying causes, such as backwards compatibility, legacy protocols and software, hard-coded resource limits, and political interference in design choices.

Many of these issues appear on the surface to be at an entirely different level 
of abstraction from the cryptographic primitives used in their construction. 
However, by taking advantage of the structure of many cryptographic primitives 
when used at Internet scale, it is possible to uncover fundamental vulnerabilities 
in implementations. I will discuss the interplay between mathematical cryptanalysis techniques and the thorny implementation issues that lead to vulnerable cryptographic deployments in the real world.
Nonlinear Invariant Attack — Practical Attack on Full SCREAM, iSCREAM, and Midori64

Yosuke Todo, Gregor Leander, and Yu Sasaki

Abstract. In this paper we introduce a new type of attack, called the nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear invariant attack on the underlying (tweakable) block cipher can be extended to a ciphertext-only attack in well-known modes of operation such as CBC or CTR. The plaintext of the authenticated encryption schemes SCREAM and iSCREAM can be practically recovered only from the ciphertexts in the nonce-respecting setting. This is the first result breaking a security claim of SCREAM. Moreover, the plaintext in Midori64 with well-known modes of operation can practically be recovered. All of our attacks are experimentally verified.


Keywords: Nonlinear invariant attack • Boolean function • Ciphertext-only message-recovery attack • SCREAM • iSCREAM • Midori64 • CAESAR competition


1 Introduction 

Block ciphers are certainly among the most important cryptographic primitives. Since the invention of the DES [1] in the mid 70’s and even more with the design of the AES [2], a huge amount of research has been done on various aspects of block cipher design and block cipher analysis. In the last decade, many new block ciphers have been proposed that aim at highly resource-constrained devices. Driven by new potential applications like the Internet of Things, we have witnessed not only many new designs, but also several new cryptanalytic results. Today, we have at hand a well-established set of cryptanalytic tools that, when carefully applied, allow one to gain significant confidence in the security of a block cipher design. The most prominent tools here are certainly differential [5] and linear [21] attacks and their numerous variations [4,7,14,15].

© International Association for Cryptologic Research 2016 
Despite this fact, quite a few of the recently proposed lightweight block ciphers got broken rather quickly. One of the reasons for those attacks, on what is supposed to be a well-understood field of cryptographic designs, is that the new lightweight block ciphers are designed more aggressively than e.g. most of the AES
candidates. Especially when it comes to the design of the key schedule, many new 
proposals keep the design very simple, often using identical round keys. While 
there is no general defect with such a key schedule, structural attacks become 
much more of an issue compared to a cipher that deploys a more complicated key 
schedule. In this paper we introduce a new structural attack, named nonlinear 
invariant attack. At first glance, it might seem quite unlikely that such an attack 
could ever be successfully applied. However, we give several examples of ciphers 
that are highly vulnerable to this attack. 


1.1 Our Contribution 

Given a block cipher $E_k : \mathbb{F}_2^n \to \mathbb{F}_2^n$, the general principle of the nonlinear invariant attack is to find an efficiently computable nonlinear Boolean function $g : \mathbb{F}_2^n \to \mathbb{F}_2$ such that

$$g(x) \oplus g(E_k(x))$$

is constant for any $x$ and for many possible keys $k$. Keys such that this term is constant are called weak keys. The function $g$ itself is called a nonlinear invariant for $E_k$. Clearly, when the block cipher $E$ has a (non-trivial) nonlinear invariant function $g$, $g(p) \oplus g(E_k(p))$ is constant for any plaintext $p$ and any weak key $k$. On the other hand, the probability that a random permutation has this property for $N$ plaintext-ciphertext pairs is about $2^{-N+1}$ when $g$ is balanced. Therefore, attackers can immediately execute a distinguishing attack. Moreover, if the constant depends on the secret key, an attacker can recover one bit of information about the secret key by using one known plaintext-ciphertext pair.

For round-based block ciphers, our attack builds the nonlinear invariants from the nonlinear invariants of the single round functions. In order to extend the nonlinear invariant for a single round to the whole cipher, all round keys must be weak keys. It may be infeasible to find such weak-key classes for block ciphers with a non-trivial key schedule. However, as mentioned above, many recent block ciphers are designed for lightweight applications, and they adopt more aggressive designs to achieve high performance even in highly constrained environments. Several lightweight ciphers do not deploy any key schedule at all, but rather use the master key directly as the identical round key for all rounds. In such a situation, the weak-key class of round keys is trivially converted into the weak-key class of the secret key. In particular, when all round keys are weak, this property is iterative over an arbitrary number of rounds.


(Ciphertext-Only) Message-Recovery Attacks. The most surprising application of the nonlinear invariant attack is an extension to ciphertext-only message-recovery attacks. Clearly, we cannot execute any ciphertext-only attack without some information on the plaintexts. Therefore, our attack is a ciphertext-only attack in the following setting. Suppose that block ciphers which are vulnerable against the nonlinear invariant attack are used in well-known modes of operation, e.g., CBC, CFB, OFB, and CTR. Then, if the same unknown plaintext is encrypted by the same weak key and different initialization vectors, attackers can practically recover a part of the plaintext from the ciphertexts only.


Applications. We demonstrate that our new attack practically breaks the full authenticated encryption schemes SCREAM$^1$ [11] and iSCREAM [10] and the low-energy block cipher Midori64 [3] in the weak-key setting.


Table 1. Summary of the nonlinear invariant attack

           # of weak keys   Max. # of recovered bits   Data complexity   Time complexity
SCREAM     2^96             32 bits                    33 ciphertexts    32^3
iSCREAM    2^96             32 bits                    33 ciphertexts    32^3
Midori64   2^64             32h bits                   33h ciphertexts   32^3 × h

h is the number of blocks in the mode of operation.


We show that the tweakable block ciphers Scream and iScream have a nonlinear invariant function, and the number of weak keys is $2^{96}$. Midori64 also has a nonlinear invariant function, and the number of weak keys is $2^{64}$. Table 1 summarizes the result of the nonlinear invariant attack against SCREAM, iSCREAM, and Midori64. The use of the tweakable block cipher Scream is defined by the authenticated encryption SCREAM, and the final block is encrypted like CTR when the byte length of a plaintext is not a multiple of 16. We exploit this procedure and recover 32 bits of the final block of the plaintext if the final block length ranges from 12 bytes to 15 bytes. We can also execute a similar attack against iSCREAM. Note that our attack breaks SCREAM and iSCREAM in the nonce-respecting model. Midori64 is a low-energy block cipher, and we consider the case that Midori64 is used in well-known modes of operation. As a result, we can recover 32 bits in every 64-bit block of the plaintext if Midori64 is used in CBC, CFB, OFB, and CTR.


Comparison with Previous Attacks. Leander et al. proposed the invariant subspace attack on iSCREAM [19], which is a weak-key attack working for $2^{96}$ weak keys. The attack can be a distinguishing attack and key-recovery attack in the chosen-message and chosen-tweak model. Guo et al. presented a weak-key attack on full Midori64 [12], which works for $2^{32}$ weak keys, distinguishes the cipher with 1 chosen-plaintext query, and recovers the key with $2^{16}$ computations.


$^1$ Note that throughout the paper SCREAM always refers to the latest version, i.e. SCREAM (v3).

Compared to [19], our attack has the same weak-key size and we distinguish the cipher in the known-message and chosen-tweak model. Compared to [12], our weak-key class is much larger and the cipher is distinguished with 2 known-plaintext queries. In both applications, the key space can be reduced by 1 bit, and in addition a part of the message/plaintext can be recovered from the ciphertext.

1.2 Related Work 

The nonlinear invariant attack can be regarded as an extension of linear cryptanalysis [21]. While linear cryptanalysis uses a linear function to approximate the cipher, the nonlinear invariant attack uses a nonlinear function and the probability of the nonlinear approximation is one. When $g$ is linear, ciphers that are resistant against linear cryptanalysis never have a linear approximation with probability one.

The use of the nonlinear approximation has previously been studied. This extension was first discussed by Harpes et al. [13], and Knudsen and Robshaw later investigated the effectiveness deeply [16]. However, they showed that there are insurmountable problems in the general use of nonlinear approximations. For instance, one cannot join nonlinear approximations for more than one round of a block cipher because the actual approximations depend on the specific value of the state and key. Knudsen and Robshaw demonstrated that nonlinear approximations can replace linear approximations in the first and last rounds only [16]. Unfortunately, nonlinear cryptanalysis has not been successful because of this limited application. Our attack can be seen as the first application of nonlinear cryptanalysis against real ciphers in the past two decades.

Other related attacks are the invariant subspace attack [18,19] and symmetric structures [8,17,23]. Similar to the nonlinear invariant attack, those attacks exploit a cryptanalytic property which continues over an arbitrary number of rounds in the weak-key setting. While those attacks have to choose plaintexts, i.e. are chosen-plaintext attacks, the nonlinear invariant attack does not need to choose plaintexts in general. This in particular allows us to extend the nonlinear invariant attack from a pure distinguishing attack to the (ciphertext-only) message-recovery attack.


1.3 Paper Organization 

We explain the general ideas and principles of the new attack in Sect. 2. Section 3 explains how, in many cases, the attack can be constructed in an almost automatic way using an algorithmic approach that is for most ciphers practical.
Moreover, we give a structural reason why some ciphers, more precisely some 
linear layers, are inherently weak against our attack and why our attacks are 
possible against those ciphers. In Sect. 4 we explain in detail our attacks on 
SCREAM and iSCREAM. Moreover, Sect. 5 details our nonlinear invariant attack 
on Midori64. Finally, in Sect. 6, we give some additional insights into the general 
structure of nonlinear invariant functions and outline some future work. 
2 Nonlinear Invariant Attack

In this section, we describe the basic principle of the attack and its extension to (ciphertext-only) message-recovery attacks when used in common modes of operation. While our attack can be applied to any cipher structure in principle, we focus on the case of key-alternating ciphers and later on substitution-permutation network (SPN) ciphers to simplify the description. We start by explaining the basic idea and later how, surprisingly, the attack can be extended to a (ciphertext-only) message-recovery attack in many scenarios.


2.1 Core Idea 

Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be the round function of a key-alternating cipher and $F_k(x) = F(x \oplus k)$ be the round function including the key XOR. Thus, for an $r$-round cipher, the ciphertext $C$ is computed from a plaintext $P$ using round keys $k_i$ as

$$x_0 = P,$$
$$x_{i+1} = F_{k_i}(x_i) = F(x_i \oplus k_i), \qquad 0 \le i \le r - 1,$$
$$C = x_r,$$

where we ignore the post-whitening key for simplicity.

The core idea of the nonlinear invariant attack is to detect a nonlinear Boolean function $g$ such that

$$g(F(x \oplus k)) = g(x \oplus k) \oplus c = g(x) \oplus g(k) \oplus c \qquad \forall x$$

for many keys $k$, where $c$ is a constant in $\mathbb{F}_2$. Keys for which this equality holds will be called weak keys. The function $g$ itself is called a nonlinear invariant in this paper.

The important remark is that, if all round keys $k_i$ are weak, then

$$\begin{aligned}
g(C) &= g(F(x_{r-1} \oplus k_{r-1})) \\
&= g(x_{r-1}) \oplus g(k_{r-1}) \oplus c \\
&= g(F(x_{r-2} \oplus k_{r-2})) \oplus g(k_{r-1}) \oplus c \\
&= g(x_{r-2}) \oplus g(k_{r-2}) \oplus g(k_{r-1}) \\
&\;\;\vdots \\
&= g(P) \oplus \bigoplus_{i=0}^{r-1} g(k_i) \oplus \bigoplus_{i=0}^{r-1} c.
\end{aligned}$$

Thus, the invariant is iterative over an arbitrary number of rounds and immediately leads to a distinguishing attack.
Distinguishing Attack. Assume that we found a Boolean function $g$ that is a nonlinear invariant for the round function $F_k$ of a block cipher. Then, if all round keys are weak, this function $g$ is also a nonlinear invariant over an arbitrary number of rounds.

Let $(P_i, C_i)$, $1 \le i \le N$, be $N$ pairs of plaintexts and corresponding ciphertexts. Then, $g(P_i) \oplus g(C_i)$ is constant for all pairs. If $g$ is balanced, the probability that a random permutation has this property is about $2^{-N+1}$. Note that the case that $g$ is unbalanced can be handled as well, but is not the main focus of our paper. Therefore, we can practically distinguish the block cipher from random permutations under a known-plaintext attack.


Suitable Nonlinear Invariants. We next discuss a particular choice of a nonlinear invariant $g$ for which it is directly clear that weak keys exist. Imagine we were able to identify a nonlinear invariant $g$ for $F$, i.e. a function such that

$$g(F(x)) \oplus g(x)$$

is constant, such that $g$ is actually linear (or constant) in some of the inputs. In this case, all round keys that are zero in the nonlinear components of $g$ are weak.

More precisely, without loss of generality, assume that the nonlinear invariant $g$ is linear in the last $t$ bits of input (implying that $g$ is nonlinear in the first $s$ bits of input, where $s = n - t$). Namely, we can view $g$ as

$$g : (\mathbb{F}_2^s \times \mathbb{F}_2^t) \to \mathbb{F}_2$$

such that

$$g(x, y) = g(x, 0) \oplus g(0, y) = f(x) \oplus \ell(y),$$

where $f$ is the nonlinear part of $g$, and $\ell$ is the linear part of $g$. As $g$ is a nonlinear invariant for $F$, it holds that

$$g(x, y) \oplus g(F(x, y)) = c,$$

where $c$ is a constant in $\mathbb{F}_2$. Now consider a round key $k \in \mathbb{F}_2^s \times \mathbb{F}_2^t$ of the form $(0, k')$. That is, we consider a round key such that its first $s$ bits are zero. Then it holds that

$$\begin{aligned}
g(F_k(x, y)) &= g(F(x, y \oplus k')) \\
&= g(x, y \oplus k') \oplus c \\
&= f(x) \oplus \ell(y \oplus k') \oplus c \\
&= f(x) \oplus \ell(y) \oplus \ell(k') \oplus c \\
&= g(x, y) \oplus g(0, k') \oplus c.
\end{aligned}$$

In other words, all those round keys that are zero in the first $s$ bits are weak. Phrased differently, the density of weak keys is $2^{-s}$.
Example 1. Let $g : \mathbb{F}_2^4 \to \mathbb{F}_2$ be a nonlinear invariant as

$$g(x_4, x_3, x_2, x_1) = x_4 x_3 \oplus x_3 \oplus x_2 \oplus x_1.$$

Then, the function $g$ can be viewed as

$$g(x_4, x_3, x_2, x_1) = f(x_4, x_3) \oplus \ell(x_2, x_1).$$

Now consider a round key $k \in \mathbb{F}_2^2 \times \mathbb{F}_2^2$ of the form $(0, k')$. Then, the function $g$ is a nonlinear invariant for the key XOR because

$$g(x) \oplus g(x \oplus k) = g(x) \oplus g(x) \oplus g(0, k') = g(0, k').$$


On Key Schedule and Round Constants. Many block ciphers generate round keys from the master key by a key schedule. For a proper key schedule, it is very unlikely that all round keys are weak in the above sense. However, many recent lightweight block ciphers do not have a well-diffused key schedule, but rather use (parts of) the master key directly as the round keys. From a performance point of view, this approach is certainly preferable.

However, the direct XORing with the secret key often causes vulnerabilities like the slide attack [6] or the invariant subspace attack [18]. To avoid those attacks, round constants are additionally XORed in such lightweight ciphers. While dense and random-looking round constants would be a conservative choice, many such ciphers adopt sparse round constants because they are advantageous for limited memory requirements.

Focusing on the case of identical round keys, assume that there is a Boolean function $g$ which is a nonlinear invariant for the round function $F$. Now if all used round constants $c_i$ are such that $c_i$ is only involved in the linear terms of $g$, the function $g$ is a nonlinear invariant for this constant addition. This follows by the same arguments as for the weak keys above. We call such constants, in line with the notation of weak keys from above, weak constants.

To conclude, given a key-alternating cipher with identical round keys and weak round constants, any master key that is weak is immediately weak for an arbitrary number of rounds. In this scenario, the number of weak keys is $2^t$, or equivalently, the density of weak keys is $2^{-s}$.


2.2 Message Recovery Attack 

As described so far, the nonlinear invariant attack leaks at most one bit of the secret key. However, if a block cipher that is vulnerable to the nonlinear invariant attack is used in well-known modes of operation, e.g., CBC, CFB, OFB, and CTR, surprisingly, the attack can be turned into a ciphertext-only message-recovery attack.

Clearly, we cannot execute any ciphertext-only attack without some information on the plaintexts. When block ciphers are used in well-known modes of operation, the plaintext itself is not the input of the block cipher; the input is rather derived from the initialization vector. Here we assume that an attacker can collect several ciphertexts where the same plaintext is encrypted by the same (weak) key and different initialization vectors. We would like to highlight that this assumption is more practical not only compared to the chosen-ciphertext attack but also to the known-plaintext attack. In practice, for instance, assuming an application sends a secret password several times, we can recover the password practically. While the feasibility depends on the behavior of the application, our attack is highly practical in this case.


Attack Against CBC Mode. Figure 1 shows the CBC mode, where $h$ message blocks are encrypted. Let $P_j$ be the $j$th plaintext block, and let $C_j^i$ denote the $j$th ciphertext block when the initialization vector $IV^i$ is used. The attacker aims at recovering the plaintext $(P_1, P_2, \dots, P_h)$ by observing the ciphertexts $(IV^i, C_1^i, C_2^i, \dots, C_h^i)$. Moreover, we assume that the block cipher $E_k$ is vulnerable against the nonlinear invariant attack, i.e., there is a function $g$ such that $g(x) \oplus g(y)$ is constant, where $x$ and $y$ denote the input and output of the block cipher.



Fig. 1. CBC mode 


First, we explain how to recover the plaintext $P_1$ by focusing on the first block. Since $E_k$ is vulnerable against the nonlinear invariant attack, there is a function $g$ such that $g(P_1 \oplus IV^i) \oplus g(C_1^i)$ is constant for any $i \in \{1, 2, \dots, N\}$. If $g$ were a linear function,

$$g(P_1 \oplus IV^i) \oplus g(C_1^i) = g(P_1) \oplus g(IV^i) \oplus g(C_1^i)$$

would be constant, and the attacker could only recover at most one bit of secret information. However, $g$ is nonlinear in our attack. Therefore, we can guess and determine the part of $P_1$ that is involved in the nonlinear term of $g$. More precisely, assume as above, without loss of generality, that $g$ is nonlinear in the first $s$ inputs and linear in the last $t$ inputs, i.e.

$$g : \mathbb{F}_2^s \times \mathbb{F}_2^t \to \mathbb{F}_2$$

such that

$$g(x, y) = f(x) \oplus \ell(y),$$

where $f$ is any Boolean function, and $\ell$ is a linear Boolean function. Consider again a plaintext $P_1 = (x, y)$ with $x \in \mathbb{F}_2^s$ and $y \in \mathbb{F}_2^t$. The corresponding ciphertext $C_1^i$ is split as $C_1^i = (c_i, d_i)$ and the IVs as $IV^i = (a_i, b_i)$. With this notation, we can rewrite

$$\begin{aligned}
g(P_1 \oplus IV^i) &= f(x \oplus a_i) \oplus \ell(y \oplus b_i), \\
g(P_1 \oplus IV^j) &= f(x \oplus a_j) \oplus \ell(y \oplus b_j), \\
g(C_1^i) &= f(c_i) \oplus \ell(d_i), \\
g(C_1^j) &= f(c_j) \oplus \ell(d_j).
\end{aligned}$$

Now, by using two distinct initialization vectors $IV^i$ and $IV^j$,

$$0 = g(P_1 \oplus IV^i) \oplus g(C_1^i) \oplus g(P_1 \oplus IV^j) \oplus g(C_1^j)$$

implies

$$f(x \oplus a_i) \oplus f(x \oplus a_j) = \ell(b_i \oplus b_j) \oplus g(C_1^i) \oplus g(C_1^j). \qquad (1)$$

Assuming that the left side of Eq. (1) changes randomly depending on $x$, that is, the left part of $P_1$, we can recover one bit of information on $P_1$ by using two initialization vectors. Similarly, we can recover $N - 1$ bits of $P_1$ by using $N$ initialization vectors. Note that we can usually efficiently recover these bits by solving linear systems if the algebraic degree of $f$ is small [22]. We show the specific procedure for SCREAM and Midori64 in Sects. 4 and 5, respectively. The relationship among $(P_1, IV^i, C_1^i)$ is equivalent to that among $(P_j, C_{j-1}^i, C_j^i)$. Therefore, we can similarly guess and determine the part of $P_j$ from $C_{j-1}^i$ and $C_j^i$ for any of the plaintext blocks. One interesting remark is that as long as we start to recover the message from the second block, the attack can be executed even without the knowledge of the IV.


Attacks Against Other Modes. We can execute a similar attack against the CFB, OFB, and CTR modes.

In the CFB mode, the $h$th ciphertext block $C_h$ is encrypted as

$$C_h = E_k(C_{h-1}) \oplus P_h,$$

where the initialization vector $IV$ is used as the input of the first block. For simplicity, let $C_0$ be $IV$. Then, we can recover the part of $P_h$ from two ciphertext blocks $C_{h-1}$ and $C_h$.

In the OFB mode, the $h$th ciphertext block $C_h$ is encrypted as

$$C_h = (E_k)^h(IV) \oplus P_h,$$

where $(E_k)^h(IV)$ is $h$-times multiple encryption. Since the nonlinear invariant property is iterative over an arbitrary number of rounds, the multiple encryption is also vulnerable against the nonlinear invariant attack. Therefore, we can recover the part of $P_h$ from $IV$ and $C_h$.

In the CTR mode, the $h$th ciphertext block $C_h$ is encrypted as

$$C_h = E_k(IV + h) \oplus P_h.$$

Therefore, we can recover the part of $P_h$ from $IV + h$ and $C_h$.

3 Finding Nonlinear Invariants for SP-ciphers 

We start by considering the very general problem of finding nonlinear invariants. Namely, given any function

$$F : \mathbb{F}_2^n \to \mathbb{F}_2^n,$$

our goal is to find a Boolean function

$$g : \mathbb{F}_2^n \to \mathbb{F}_2$$

such that

$$g(x) = g(F(x)) \oplus c, \qquad (2)$$

where $c$ is a constant in $\mathbb{F}_2$.

The description so far is generic in the sense that it applies to basically any block cipher. For now, and actually for the remainder of the paper, we focus on key-alternating ciphers with a round function using a layer of S-boxes and a linear layer, so-called substitution-permutation networks (SPN).


3.1 SPN Ciphers 

In the following, we consider the un-keyed round function only. That is to say 
that we ignore the key schedule and also any round constants. 

For simplicity, we focus on the case of identical S-boxes, but the more general case can be handled in a very similar manner. We denote by $t$ the number of S-boxes and by $n$ the size of one S-box. Thus, the block size processed is $n \cdot t$ bits. With this notation, we consider one round $R$ of an SPN

$$R : (\mathbb{F}_2^n)^t \to (\mathbb{F}_2^n)^t$$

as consisting of a layer of S-boxes $\mathcal{S}$ with

$$\mathcal{S}(x_1, \dots, x_t) = (S(x_1), \dots, S(x_t)),$$

where $S$ is an $n$-bit S-box, and a linear layer

$$L : (\mathbb{F}_2^n)^t \to (\mathbb{F}_2^n)^t,$$

which can also be seen as

$$L : \mathbb{F}_2^{nt} \to \mathbb{F}_2^{nt}.$$

The round function $R$ is given as the composition of the S-box layer and the linear layer, i.e.

$$R(x) = L \circ \mathcal{S}(x).$$

We would like to find a nonlinear invariant $g$ for $R$. However, computing this directly is difficult as soon as the block size is reasonably large. For any function $F$, let us denote by

$$U(F) := \{\, g : \mathbb{F}_2^n \to \mathbb{F}_2 \mid g(x) = g(F(x)) \oplus c \,\}$$

the set of all nonlinear invariants for $F$, and it holds that

$$g \in (U(\mathcal{S}) \cap U(L)) \subset U(R).$$

In other words, functions that are invariant under both $\mathcal{S}$ and $L$ are clearly invariants for their composition $R$.

As we will explain next, computing parts of $U(\mathcal{S}) \cap U(L)$ is feasible, and sufficient to automatically detect the weaknesses described later in the paper.


The S-box Layer. We start by investigating the S-box layer. Given the S-box as a function

$$S : \mathbb{F}_2^n \to \mathbb{F}_2^n,$$

computing $U(S)$ is feasible as long as $n$ is only moderate in size.

Note that, for any function $F$, $U(F)$ is actually a subspace of Boolean functions. To see this, note that given two Boolean functions $f, g \in U(F)$, it holds that

$$\begin{aligned}
(f \oplus g)(x) &= f(x) \oplus g(x) \\
&= (f(F(x)) \oplus c) \oplus (g(F(x)) \oplus c') \\
&= (f \oplus g)(F(x)) \oplus (c \oplus c')
\end{aligned}$$

for any $x$. Thus the sum, $f \oplus g$, is in $U(F)$ as well. Moreover, the all-zero function is in $U(F)$ for any $F$. Therefore, any nonlinear invariant $g_S \in U(S)$ can actually be described by a linear combination of basis elements of $U(S)$. More precisely, let $b_1, \dots, b_d : \mathbb{F}_2^n \to \mathbb{F}_2$ be a basis of $U(S)$; then any $g_S \in U(S)$ can be written as

$$g_S(x) = \bigoplus_{i=1}^{d} \gamma_i b_i(x)$$

for suitable coefficients $\gamma_i$ in $\mathbb{F}_2$.

To identify a nonlinear invariant $g_S \in U(S)$, the idea is to consider the algebraic normal form (ANF) of $g_S$, that is, to express $g_S$ as

$$g_S(x) = \bigoplus_{u \in \mathbb{F}_2^n} \lambda_u x^u,$$




where $\lambda_u \in \mathbb{F}_2$ are the coefficients to be determined and $x^u$ denotes $\prod_i x_i^{u_i}$. The key observation is that Eq. (2), for any fixed $x \in \mathbb{F}_2^n$, translates into one linear (or affine) equation for the coefficients $\lambda_u$, namely

$$\bigoplus_{u \in \mathbb{F}_2^n} \lambda_u \left( x^u \oplus S(x)^u \right) = c.$$

The ANF of $(x^u \oplus S(x)^u)$ is computed for all $u \in \mathbb{F}_2^n$, and we can easily solve for the basis $b_1, \dots, b_d \in U(S)$ for $n$ not too big. Appendix A shows the algorithm in detail. In particular, for commonly used S-box sizes of up to 8 bits, the space $U(S)$ can be computed in less than a second on a standard PC.
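The linear system just described, together with the weak-key check of Example 1 in Sect. 2.1, can be run on a small S-box in a few lines. The following Python is an added illustration written for this page, not the authors' Appendix A implementation; the 3-bit S-boxes it runs on are constructed for the demonstration, and the function names (find_invariants, key_xor_constant) are this example's own. It solves Eq. (2) for the ANF coefficients $\lambda_u$ and the constant $c$ by Gaussian elimination over $\mathbb{F}_2$, which is the check a designer runs on a candidate S-box before deciding that a key schedule without diffusion is acceptable.

```python
from typing import List, Optional, Tuple


def monomial(u: int, x: int) -> int:
    """x^u = prod_i x_i^{u_i}: 1 iff every bit set in u is also set in x."""
    return 1 if (x & u) == u else 0


def eval_anf(lam: List[int], x: int) -> int:
    """Evaluate g(x) = XOR_u lambda_u x^u from its ANF coefficient list."""
    return sum(lam[u] for u in range(len(lam)) if (x & u) == u) & 1


def nullspace_gf2(rows: List[int], ncols: int) -> List[int]:
    """Basis of {v : M v = 0} over GF(2).  Each row of M is an int whose
    bit j is the coefficient of unknown j; kernel vectors use the same layout."""
    pivots: List[Tuple[int, int]] = []          # (pivot column, reduced row)
    for r in rows:
        for col, prow in pivots:                # reduce r by the existing pivots
            if (r >> col) & 1:
                r ^= prow
        if r == 0:
            continue
        col = r.bit_length() - 1                # new pivot column
        pivots = [(c, p ^ r if (p >> col) & 1 else p) for c, p in pivots]
        pivots.append((col, r))
    pivot_cols = {c for c, _ in pivots}
    basis = []
    for free in range(ncols):                   # one kernel vector per free unknown
        if free in pivot_cols:
            continue
        v = 1 << free
        for c, prow in pivots:                  # pivot unknown c = coefficient of v_free
            if (prow >> free) & 1:
                v |= 1 << c
        basis.append(v)
    return basis


def find_invariants(sbox: List[int]) -> List[Tuple[List[int], int]]:
    """Basis of U(S) for an n-bit S-box given as a list of 2^n values: all (lam, c)
    with XOR_u lam_u (x^u ^ S(x)^u) = c for every x, i.e. g(x) ^ g(S(x)) = c."""
    size = len(sbox)                            # 2^n unknowns lam_u, plus c
    rows = []
    for x in range(size):
        row = 1 << size                         # column 'size' holds the constant c
        for u in range(size):
            if monomial(u, x) ^ monomial(u, sbox[x]):
                row |= 1 << u
        rows.append(row)
    basis = []
    for v in nullspace_gf2(rows, size + 1):
        lam = [(v >> u) & 1 for u in range(size)]
        basis.append((lam, (v >> size) & 1))
    return basis


def is_invariant(lam: List[int], c: int, sbox: List[int]) -> bool:
    """Brute-force check of Eq. (2) for one candidate (lam, c)."""
    return all(eval_anf(lam, x) ^ eval_anf(lam, sbox[x]) == c
               for x in range(len(sbox)))


def key_xor_constant(lam: List[int], k: int, n: int) -> Optional[int]:
    """If g(x ^ k) ^ g(x) takes the same value for every x, return that value
    (k is then a weak key for the key XOR); otherwise return None."""
    vals = {eval_anf(lam, x ^ k) ^ eval_anf(lam, x) for x in range(1 << n)}
    return vals.pop() if len(vals) == 1 else None


# Example 1 of the paper: g(x4,x3,x2,x1) = x4x3 + x3 + x2 + x1, with x1 = bit 0.
EXAMPLE1_G = [0] * 16
for mono in (0b1100, 0b0100, 0b0010, 0b0001):
    EXAMPLE1_G[mono] = 1

if __name__ == "__main__":
    # Constructed 3-bit S-boxes for the demonstration (not taken from any cipher).
    for name, sb in (("identity", list(range(8))),
                     ("complement", [x ^ 7 for x in range(8)]),
                     ("perm", [6, 3, 0, 5, 7, 2, 4, 1])):
        basis = find_invariants(sb)
        print(name, "dim U(S) =", len(basis),
              "all verified:", all(is_invariant(l, c, sb) for l, c in basis))
    weak = [k for k in range(16) if key_xor_constant(EXAMPLE1_G, k, 4) is not None]
    print("Example 1 weak keys (top two bits zero):", weak)
```

The identity S-box makes every Boolean function an invariant (dimension $2^n$), while a complemented input pairs up inputs and leaves a 5-dimensional space for $n = 3$; the constant functions are always present, so a dimension of 1 means the S-box has no non-trivial invariant.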

So far, we have considered only a single S-box, and it still needs to be discussed 
how those results can be translated into knowledge of invariants for 
the parallel execution of S-boxes, i.e. for the S-box layer $\mathcal{S}$. Again, for a layer of S-boxes $\mathcal{S}$, computing 
$U(\mathcal{S})$ directly using its ANF is (in general) too expensive. However, we 
can easily construct many elements in $U(\mathcal{S})$ from elements in $U(S)$, as summarized 
in the following proposition. 

Proposition 1. Let $g_i \in U(S)$, for $i \in \{1, \ldots, t\}$, be any set of invariants for 
the S-box $S$. Then, any function of the form 

$$g_{\mathcal{S}}(x_1, \ldots, x_t) = \bigoplus_{i=1}^{t} \alpha_i g_i(x_i)$$

with $\alpha_i \in \mathbb{F}_2$ is in $U(\mathcal{S})$, that is, an invariant for the entire S-box layer. The set 
of such functions forms a subspace of $U(\mathcal{S})$ of dimension $d \cdot t$, where $d$ is the dimension 
of $U(S)$ and $t$ is the number of parallel S-boxes. 

We denote this subspace of invariants for $\mathcal{S}$ by $U_\ell(\mathcal{S})$, and $U_\ell(\mathcal{S}) \subseteq U(\mathcal{S})$. 

It turns out that, in general, many more elements are contained in U(S) 
than those covered by the construction above. We decided to shift those details, 
which are not directly necessary for the understanding of the attacks presented 
in Sects. 4 and 5 to the end of the paper, in Sect. 6 . 


The Linear Layer. For the linear layer, computing $U(L)$ using its ANF seems 
again difficult. But, as stated above, we focus on 

$$g \in (U(L) \cap U_\ell(\mathcal{S})) \subseteq (U(L) \cap U(\mathcal{S})) \subseteq U(R),$$

and computing $U(L) \cap U_\ell(\mathcal{S})$ is feasible in all practical cases. 

Recall that any nonlinear invariant $g_S \in U(S)$ can actually be described by a 
linear combination of a basis of $U(S)$ as 

$$g_S(x) = \bigoplus_{i=1}^{d} \gamma_i b_i(x)$$

for suitable coefficients $\gamma_i \in \mathbb{F}_2$. 

As any $f$ in $U_\ell(\mathcal{S})$ is itself a direct sum of elements in $U(S)$, it can be written as 

$$f(x_1, \ldots, x_t) = \bigoplus_{i=1}^{t} \bigoplus_{j=1}^{d} \beta_{i,j} b_j(x_i)$$

with $\beta_{i,j} \in \mathbb{F}_2$. Computing those coefficients can again be done by solving 
a linear system, as any fixed $x \in (\mathbb{F}_2^n)^t$ results in a linear equation for the 
coefficients by using 

$$f(x) = f(L(x)).$$

As long as the dimension of $U_\ell(\mathcal{S})$, i.e. the number of unknowns, is not too large, 
this again can be computed within seconds on a standard PC. 


Experimental Results. When the procedure explained above was applied to 
the ciphers SCREAM and Midori, it instantaneously detected possible attacks. 
Actually, as we will explain next, there is a common structural reason why nonlinear 
invariant attacks are possible on those ciphers. 

3.2 Structural Weakness with Respect to Nonlinear Invariant 

Let us consider linear layers which are actually used in the LS-designs [9] (cf. 
Sect. 4) and also in any AES-like cipher that uses a binary diffusion matrix as 
a replacement for the usual MixColumns operation. That is, we consider a linear 
layer that can be decomposed into the parallel application of $n$ identical $t \times t$ 
binary matrices $M$. The input for the first $t \times t$ matrix is composed of all the 
first output bits of the $t$ S-boxes, the input for the second matrix is composed 
of all the second output bits of the S-boxes, etc. 

Here, when $M$ is an orthogonal matrix, that is if 

$$\langle x, y \rangle = \langle xM, yM \rangle \quad \forall x, y,$$

any quadratic nonlinear invariant for the S-box can be extended to a nonlinear 
invariant of the whole round function as described in Theorem 1. 

Note that from a design point of view, taking M as an orthogonal matrix 
seems actually beneficial. Thanks to the orthogonality of M, bounds on the 
number of active S-boxes for differential cryptanalysis directly imply the same 
bounds on the number of active S-boxes for linear cryptanalysis. 

Theorem 1. For the SPN ciphers whose round function follows the construction 
used in LS-designs, let $M \in \mathbb{F}_2^{t \times t}$ be the binary representation of the linear layer 
and let $M$ be orthogonal. Assume there is a nonlinear invariant $g_S$ for the S-box. If 
$g_S$ is quadratic, then the function 

$$g(x_1, \ldots, x_t) := \bigoplus_{i=1}^{t} g_S(x_i)$$

is a nonlinear invariant for the round function $L \circ S$. 


Proof. First, due to Proposition 1, it is immediately clear that $g$ is a nonlinear 
invariant for the S-box layer $\mathcal{S}$. 

Next, let us consider the linear layer $L$. Let $x \in (\mathbb{F}_2^n)^t$ and $y \in (\mathbb{F}_2^n)^t$ be 
the input and output of $L$, respectively. Moreover, $x_i[j]$ and $y_i[j]$ denote the 
$j$th bit of $x_i$ and $y_i$, respectively. For simplicity, let $x^T \in (\mathbb{F}_2^t)^n$ and $y^T \in 
(\mathbb{F}_2^t)^n$ be the transposed input and output, respectively, where $x^T_j \in \mathbb{F}_2^t$ denotes 
$(x_1[j], x_2[j], \ldots, x_t[j])$. Then, it holds $y^T_i = x^T_i \times M$ for all $i \in \{1, 2, \ldots, n\}$. Since 
the Boolean function $g_S$ is quadratic, the function is represented as 

$$g_S(x_i) = \bigoplus_{i_1=1}^{n} \bigoplus_{i_2=1}^{n} \gamma_{i_1,i_2} \left( x_i[i_1] \wedge x_i[i_2] \right),$$

where $\gamma_{i_1,i_2}$ are coefficients depending on the function $g_S$. From the inner product 
$\langle x^T_{i_1}, x^T_{i_2} \rangle = \bigoplus_{i=1}^{t} x_i[i_1] \wedge x_i[i_2]$, 

$$g(x) = \bigoplus_{i=1}^{t} g_S(x_i) = \bigoplus_{i_1=1}^{n} \bigoplus_{i_2=1}^{n} \gamma_{i_1,i_2} \langle x^T_{i_1}, x^T_{i_2} \rangle.$$

Then, 

$$g(y) = \bigoplus_{i_1=1}^{n} \bigoplus_{i_2=1}^{n} \gamma_{i_1,i_2} \langle x^T_{i_1} M, x^T_{i_2} M \rangle.$$

From the orthogonality of $M$, 

$$g(y) = \bigoplus_{i_1=1}^{n} \bigoplus_{i_2=1}^{n} \gamma_{i_1,i_2} \langle x^T_{i_1}, x^T_{i_2} \rangle = \bigoplus_{i=1}^{t} g_S(x_i) = g(x).$$

Therefore, the function $g(x) = \bigoplus_{i=1}^{t} g_S(x_i)$ is a nonlinear invariant for $L$. $\square$ 

Assuming that the matrix M is orthogonal, Theorem 1 shows that there is a 
nonlinear invariant for the round function L o S if there is a quadratic function 
which is nonlinear invariant for the S-box. 

4 Practical Attack on SCREAM 

The most interesting application of the nonlinear invariant attack is a practical 
attack against the authenticated encryption schemes SCREAM and iSCREAM in the 
nonce-respecting model. Both authenticated encryption schemes have $2^{96}$ weak keys, 
and we then practically distinguish their ciphers from a random permutation. 
Moreover, we can extend this attack to a ciphertext-only attack. 
4.1 Specification of SCREAM 

SCREAM is an authenticated encryption and a candidate of the CAESAR com- 
petition [11]. It uses the tweakable block cipher Scream, which is based on the 
tweakable variant of LS-designs [9]. 


LS-Designs. LS-designs were introduced by Grosso et al. in [9], and they are used to 
design block ciphers. We do not discuss the design rationale in this paper, and 
only show the structure briefly, as far as it is needed to understand this paper. The state of an LS-design 
is represented as an $s \times \ell$ matrix, where every element of the matrix is only one 
bit, i.e., the block length is $n = s \times \ell$. The $i$th round function proceeds as follows: 

1. The $s$-bit S-box $S$ is applied to $\ell$ columns in parallel. 

2. The $\ell$-bit L-box $L$ is applied to $s$ rows in parallel. 

3. The round constant $C(i)$ is XORed with the state. 

4. The secret key $K$ is XORed with the state. 

Figure 2 shows the components of an LS-design. Let SB and LB be the S-box layer 
and L-box layer, respectively. Then, we call the composite function $(LB \circ SB)$ an 
LS-function. Let $x \in \mathbb{F}_2^{s \times \ell}$ be the state of an LS-design. Then $x[i,*] \in \mathbb{F}_2^\ell$ denotes 
the row of index $i$ of $x$, and $x[*,j] \in \mathbb{F}_2^s$ denotes the column of index $j$ of $x$. 
Moreover, let $x[i,j]$ be the bit in the $(i+1)$th row and $(j+1)$th column. The 
S-box $S$ is applied to $x[*,j]$ for all $j \in [0, \ell)$, and the L-box $L$ is applied to $x[i,*]$ 
for all $i \in [0, s)$. 


Fig. 2. The components of an LS-design 


Tweakable Block Cipher Scream. Scream is based on a tweakable LS-design 
with an $8 \times 16$ matrix, i.e., the block length is $8 \times 16 = 128$ bits. Let $x \in \mathbb{F}_2^{8 \times 16}$ be 
the state of Scream; then the entire algorithm is defined as Algorithm 1. Here $S$ 
and $L$ denote the 8-bit S-box and 16-bit L-box, respectively. The round constant 
$C(r)$ is defined as 

$$C(r) = 2199 \cdot r \bmod 2^{16}.$$
Algorithm 1. Specification of Scream 
1: x ← P ⊕ TK(0) 
2: for 0 < σ ≤ N_s do 
3:   for 0 < ρ ≤ 2 do 
4:     r = 2(σ − 1) + ρ 
5:     for 0 ≤ j < 16 do 
6:       x[*, j] = S[x[*, j]] 
7:     end for 
8:     x ← x ⊕ C(r) 
9:     for 0 ≤ i < 8 do 
10:      x[i, *] = L[x[i, *]] 
11:    end for 
12:  end for 
13:  x ← x ⊕ TK(σ) 
14: end for 
15: return x 
Fig. 3. The σth step function of Scream 


The binary representation of $C(r)$ is XORed with the first row $x[0,*]$. Scream 
uses a 128-bit key $K$ and a 128-bit tweak $T$ as follows. First, the tweak is 
divided into 64-bit halves, i.e., $T = t_0 \| t_1$. Then, every tweakey is defined as 

$$TK(\sigma = 3i) = K \oplus (t_0 \| t_1),$$
$$TK(\sigma = 3i + 1) = K \oplus (t_0 \oplus t_1 \| t_1),$$
$$TK(\sigma = 3i + 2) = K \oplus (t_1 \| t_0 \oplus t_1).$$

Here, each row $x[i,*]$ contains 16 consecutive state bits, e.g., $x[0,*]$ contains 
state bits from 0 to 15 and $x[1,*]$ contains state bits from 16 to 31. Moreover, 
Fig. 3 shows the step function, where SB and LB are the S-box layer and L-box 
layer, respectively. 

Authenticated Encryption SCREAM. The authenticated encryption 
SCREAM uses the tweakable block cipher Scream in the TAE mode [20]. SCREAM 
consists of three steps: associated data processing, encryption of the plaintext 
block, and tag generation. Since our attack exploits the encryption of the plaintext 
block, we explain its specification (see Fig. 4). Plaintext values are encrypted 
by using Scream in order to produce the ciphertext values, and all blocks use 
$T_c = (N \| c \| 00000000)$. If the last block is a partial block, its bit length is 
encrypted to generate a mask, which is then truncated to the partial block size 
and XORed with the partial plaintext block. Therefore, the ciphertext length is 
the same as the plaintext length. 

Fig. 4. Encryption of plaintext blocks 


Security Parameters. Finally, we would like to recall the security parameters of 
SCREAM, as described by the designers. Let $n_b$ be the nonce byte size; it 
can be chosen by the user between 1 and 15 bytes. However, the designers 
recommend $n_b = 11$, and we also use the recommended parameter in this 
paper. 

SCREAM has three security parameters, i.e., lightweight security, single-key 
security, and related-key security. They are summarized as follows. 

Lightweight security: 80-bit security, with a protocol avoiding related keys. 
Tight parameters: 6 steps, Safe parameters: 8 steps. 

Single-key security: 128-bit security, with a protocol avoiding related keys. 
Tight parameters: 8 steps, Safe parameters: 10 steps. 

Related-key security: 128-bit security, with possible related keys. Tight parameters: 
10 steps, Safe parameters: 12 steps. 

More precisely, designers order their recommended sets of parameters as follows: 

- First set of recommendations: SCREAM with 10 steps, single-key security. 

- Second set of recommendations: SCREAM with 12 steps, related-key security. 


4.2 Nonlinear Invariant for Scream 

The L-box of Scream is chosen as an orthogonal matrix. Therefore, there is a 
nonlinear invariant for the LS-function from Theorem 1 if we can find a quadratic 
Boolean function $g : \mathbb{F}_2^8 \to \mathbb{F}_2$ which is a nonlinear invariant for the S-box $S$. 

Let $x \in \mathbb{F}_2^8$ and $y \in \mathbb{F}_2^8$ be the input and output of the S-box $S$, respectively. 
Moreover, $x[j] \in \mathbb{F}_2$ and $y[j] \in \mathbb{F}_2$ denote the $j$th bits of $x$ and $y$, respectively. 
Then, the Scream S-box has the following property: 

$$(x[1] \wedge x[2]) \oplus x[0] \oplus x[2] \oplus x[5] = (y[1] \wedge y[2]) \oplus y[0] \oplus y[2] \oplus y[5] \oplus 1.$$

Let $g_S : \mathbb{F}_2^8 \to \mathbb{F}_2$ be a quadratic Boolean function, where 

$$g_S(x) = (x[1] \wedge x[2]) \oplus x[0] \oplus x[2] \oplus x[5].$$

Then, the function $g_S$ is a quadratic nonlinear invariant for $S$ because 

$$g_S(x) \oplus g_S(S(x)) = g_S(x) \oplus g_S(x) \oplus 1 = 1.$$

Therefore, due to Theorem 1, the Boolean function 

$$g(x) = \bigoplus_{j=0}^{15} g_S(x[*,j]) = \bigoplus_{j=0}^{15} \left( x[1,j] \wedge x[2,j] \oplus x[0,j] \oplus x[2,j] \oplus x[5,j] \right)$$

is a nonlinear invariant for the LS-function. Note that this nonlinear invariant $g$ 
is clearly balanced, as it is linear (and not constant) in parts of its input. 

Next, we show that this Boolean function is also a nonlinear invariant for 
the constant addition and the tweakey addition. The round constant $C(r)$ is XORed 
with only $x[0,*]$. Since $C(r)$ linearly affects the output of the function $g$, 

$$g(x \oplus C(r)) = g(x) \oplus g(C(r))$$

for any $x$. The tweakey $TK(\sigma)$ is defined as 

$$TK(\sigma = 3i) = K \oplus (t_0 \| t_1),$$
$$TK(\sigma = 3i + 1) = K \oplus (t_0 \oplus t_1 \| t_1),$$
$$TK(\sigma = 3i + 2) = K \oplus (t_1 \| t_0 \oplus t_1),$$

where $T = t_0 \| t_1$. Therefore, if we restrict the key and tweak by fixing 

$$K[1,*] = K[2,*] = 0,$$
$$T[1,*] = T[2,*] = T[5,*] = T[6,*] = 0,$$

$TK(\sigma)[1,*]$ and $TK(\sigma)[2,*]$ are always zero vectors. Then, since the tweakey 
linearly affects the output of the function $g$, 

$$g(x \oplus TK(\sigma)) = g(x) \oplus g(TK(\sigma)),$$

and all those keys are weak. Therefore, the density of weak keys is $2^{-32}$, i.e., 
there are $2^{96}$ weak keys. 

Let $P$ and $C$ be the plaintext and ciphertext of Scream, respectively. In 
$N_s$-step Scream, the relationship between $P$ and $C$ is represented as 

$$g(P) = g(C) \oplus \bigoplus_{r=1}^{2N_s} g(C(r)) \oplus \bigoplus_{\sigma=0}^{N_s} g(TK(\sigma)) = g(C) \oplus c \oplus g_T(N_s, T) \oplus g_K(N_s, K),$$

where $c = \bigoplus_{r=1}^{2N_s} g(C(r))$, and $g_T(N_s, T)$ and $g_K(N_s, K)$ are defined as 

$$g_T(N_s, T) = \begin{cases} g(t_0 \| t_1) & N_s \equiv 0 \bmod 6, \\ g(t_1 \| 0) & N_s \equiv 1 \bmod 6, \\ g(0 \| t_0 \oplus t_1) & N_s \equiv 2 \bmod 6, \\ g(t_0 \| t_0) & N_s \equiv 3 \bmod 6, \\ g(t_1 \| t_0 \oplus t_1) & N_s \equiv 4 \bmod 6, \\ 0 & N_s \equiv 5 \bmod 6, \end{cases}$$

and 

$$g_K(N_s, K) = \begin{cases} g(K) & N_s \equiv 0 \bmod 2, \\ 0 & N_s \equiv 1 \bmod 2, \end{cases}$$

respectively. When the master key belongs to the class of weak keys, $g(P) \oplus g(C) \oplus 
g_T(N_s, T)$ is constant for all plaintexts and a given key. When the key does not 
belong to the weak-key class, the probability that this value is constant is about 
$2^{-n+1}$ given $n$ known plaintexts. Therefore, we can easily distinguish whether 
or not the key in use belongs to the weak-key class. Note that all recommended 
numbers of rounds are even. Therefore, from 

$$g(K) = g(P) \oplus g(C) \oplus c \oplus g_T(N_s, T),$$

we can recover one bit of information about the secret key $K$. 

4.3 Practical Attack on SCREAM 

Known-Plaintext Attack. We exploit the encryption step of SCREAM (see 
Fig. 4). The nonlinear invariant attack is a chosen-tweak attack under the weak-key 
setting. First, let us consider the class of weak tweaks. In the encryption 
step, the tweak $T_c = (N \| c \| 00000000)$ is used, where we assume that $n_b = 11$. 
Figure 5 shows the structure of $T_c$. From the condition of the nonlinear invariant 
attack, the tweaks $T_c$ with 

$$T_c[1,*] = T_c[2,*] = T_c[5,*] = T_c[6,*] = 0$$

are weak tweaks. Namely, we choose $N$ whose 3rd, 4th, 5th, 6th, and 11th bytes 
are zero. Then, if the counter $c$ is less than 256, i.e. from $T_0$ to $T_{255}$, the tweak 
fulfils the condition. Moreover, the actual nonce fulfils the needs of the tweak 
if the nonce is implemented as a counter increment, which seems to occur in 
practice. If the master key belongs to the weak-key class, we can recover one bit 
of information about the secret key by using only one known plaintext. Moreover, 
by using $n$ known plaintexts, the probability that the output is constant is about 
$2^{-n+1}$ when the key does not belong to the weak-key class. Therefore, an attacker 
can distinguish whether or not the used key belongs to the weak-key class. 
Fig. 5. Tweak mapping: nonce (11 bytes), counter (4 bytes), zero bits (1 byte) 
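The weak-tweak condition can be checked mechanically on the byte layout of $T_c$. The following is an added example, not code from the paper or from the SCREAM designers: it lays the 16-byte tweak $T_c = N \| c \| 00000000$ out as the $8 \times 16$ state and tests rows 1, 2, 5 and 6. Two layout details are assumptions made for this example only (the paper states just that $x[0,*]$ holds state bits 0 to 15 and $x[1,*]$ bits 16 to 31): state bit $b$ is taken from byte $b/8$, so row $i$ is bytes $2i$ and $2i+1$, and the 4-byte counter $c$ is big-endian. Under these assumptions the code recovers exactly the conditions stated above: nonce bytes 3, 4, 5, 6 and 11 are zero and $c < 256$.

```python
# Added example: which SCREAM tweaks T_c = N || c || 0x00 are "weak" in the sense
# of Sect. 4.3, i.e. rows 1, 2, 5 and 6 of the 8 x 16 state are all zero.
# Assumptions (not stated in the paper): state bit b is a bit of byte b // 8,
# so row i of the state is bytes 2i and 2i + 1; the counter c is big-endian.

NONCE_BYTES = 11          # the designers' recommended n_b
WEAK_ROWS = (1, 2, 5, 6)  # rows that must be zero for T_c to be a weak tweak


def tweak_bytes(nonce: bytes, counter: int) -> bytes:
    """Build T_c = N || c || 00000000 as 16 bytes (the 8 x 16 bit state)."""
    if len(nonce) != NONCE_BYTES:
        raise ValueError("nonce must be %d bytes" % NONCE_BYTES)
    if not 0 <= counter < 2 ** 32:
        raise ValueError("counter must fit in 4 bytes")
    return nonce + counter.to_bytes(4, "big") + b"\x00"


def row(state: bytes, i: int) -> bytes:
    """Row x[i,*]: 16 consecutive state bits, here bytes 2i and 2i + 1."""
    return state[2 * i: 2 * i + 2]


def is_weak_tweak(nonce: bytes, counter: int) -> bool:
    """True iff T_c[1,*] = T_c[2,*] = T_c[5,*] = T_c[6,*] = 0."""
    t = tweak_bytes(nonce, counter)
    return all(row(t, i) == b"\x00\x00" for i in WEAK_ROWS)


def weak_nonce_byte_positions() -> list:
    """Zero-based nonce byte positions that the weak rows force to zero."""
    positions = []
    for i in WEAK_ROWS:
        for b in (2 * i, 2 * i + 1):
            if b < NONCE_BYTES:        # the other bytes belong to the counter
                positions.append(b)
    return positions


def weak_counter_range(nonce: bytes) -> int:
    """Number of consecutive counters c = 0, 1, ... that keep T_c weak."""
    c = 0
    while c < 2 ** 32 and is_weak_tweak(nonce, c):
        c += 1
    return c


if __name__ == "__main__":
    # constructed sample nonce: bytes 3,4,5,6 and 11 (1-indexed) are zero
    n = bytes([0x11, 0x22, 0, 0, 0, 0, 0x77, 0x88, 0x99, 0xAA, 0])
    print("forced-zero nonce bytes (0-based):", weak_nonce_byte_positions())
    print("weak counters for this nonce:", weak_counter_range(n))
```

For a nonce drawn uniformly at random the five forced-zero bytes make a weak tweak a $2^{-40}$ event, which is why the text stresses counter-style nonces; a nonce format that keeps those byte positions non-zero stays out of the weak-tweak class even when the key happens to be weak.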


Ciphertext-Only Message Recovery Attack. The interesting application 
of the nonlinear invariant attack is a ciphertext-only attack. This setting is more 
practical than the known-plaintext attack. 

We focus on the procedure of the final block. The input of Scream is the 
bit length of $P_{m-1}$, and the bit length is encrypted to generate a mask. Then the 
mask is truncated to the partial block size and XORed with $P_{m-1}$. Therefore, 
the ciphertext length is the same as the plaintext length. In the ciphertext-only 
attack, we cannot know $P_{m-1}$. On the other hand, we know the ciphertext $C_{m-1}$, and 
the bit length $|P_{m-1}|$ can be obtained from $|C_{m-1}|$. Therefore, we guess $P_{m-1}$ 
and evaluate 

$$g(|P_{m-1}|) \oplus g(P_{m-1} \oplus C_{m-1}) \oplus g_T(N_s, T),$$

and the above value is always constant for any weak tweak $T$. Therefore, from 
two ciphertexts corresponding to the same final plaintext block encrypted by 
distinct tweaks, we create a linear equation as 

$$g(P_{m-1} \oplus C_{m-1}) \oplus g(P_{m-1} \oplus C'_{m-1}) = g_T(N_s, T) \oplus g_T(N_s, T'). \qquad (3)$$

We can compute the right side of Eq. (3). Moreover, we regard the function $g$ as 

$$g(X) = f(X) \oplus \ell(X),$$

where 

$$f(X) = \bigoplus_{j=0}^{15} \left( X[1,j] \wedge X[2,j] \right), \qquad \ell(X) = \bigoplus_{j=0}^{15} X[0,j] \oplus X[2,j] \oplus X[5,j].$$

Then, since $\ell$ is linear, 

$$g(P_{m-1} \oplus C_{m-1}) \oplus g(P_{m-1} \oplus C'_{m-1}) = f(P_{m-1} \oplus C_{m-1}) \oplus f(P_{m-1} \oplus C'_{m-1}) \oplus \ell(C_{m-1}) \oplus \ell(C'_{m-1})$$
$$= \bigoplus_{j=0}^{15} \Big( P_{m-1}[1,j] \wedge (C_{m-1}[2,j] \oplus C'_{m-1}[2,j]) \oplus P_{m-1}[2,j] \wedge (C_{m-1}[1,j] \oplus C'_{m-1}[1,j]) \oplus (C_{m-1}[1,j] \wedge C_{m-1}[2,j]) \oplus (C'_{m-1}[1,j] \wedge C'_{m-1}[2,j]) \Big) \oplus \ell(C_{m-1}) \oplus \ell(C'_{m-1}).$$

The equation above is actually a linear equation in the 32 unknown bits $P_{m-1}[1,j]$ 
and $P_{m-1}[2,j]$, as all other terms are known. Therefore, we can create $t$ linear 
equations by collecting $t+1$ ciphertexts encrypted by distinct tweaks. We can 
recover the 32 bits $P_{m-1}[1,j]$ and $P_{m-1}[2,j]$ by solving this system as soon as 
the corresponding system has full rank. Assuming the system behaves like a 
randomly generated system of linear equations, we can expect that the system 
has full rank already when taking slightly more than 33 equations. The time 
complexity for solving this system is negligible. 

Note that the system involves four 16-bit words, $C_{m-1}[0,j]$, $C_{m-1}[1,j]$, 
$C_{m-1}[2,j]$, and $C_{m-1}[5,j]$. Since the bit length of $C_{m-1}$ is equal to that of $P_{m-1}$, 
we cannot solve this system if $|P_{m-1}| < 96$. Therefore, the necessary condition 
of this attack is $96 < |P_{m-1}| < 128$. 

Experimental Results. In order to verify our findings, and in particular to 
verify that the system indeed behaves like a random system of linear equations, 
we implemented our ciphertext-only message recovery attack for SCREAM. In 
our experiment, the key is randomly chosen from the weak-key class. Moreover, 
we use $N$ distinct nonces such that the corresponding tweak is weak, and collect 
the $N$ corresponding ciphertexts. We repeated our attack 1000 times. Table 2 
summarizes the success probability of recovering the correct 32 bits. Moreover, 
in the table we compare the experimental success probability to the theoretically 
expected probability in the case of a randomly generated system of linear 
equations. As can be seen, the deviation of the experimental results from the 
theoretically expected results is very small. 
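The theoretical row of Table 2 follows from the classical count of full-rank random binary matrices. As an added example (not the authors' code), the function below computes $\prod_{i=0}^{k-1} (1 - 2^{i-m})$, the probability that $m$ uniformly random equations in $k = 32$ unknowns over $\mathbb{F}_2$ have full rank, reproduces the theoretical row of Table 2 for 33 to 43 nonces (recall from Eq. (3) that $t+1$ ciphertexts give $t$ equations), and also returns the smallest number of equations for a given target success probability. The Table 2 figures embedded for comparison are copied from the table below.

```python
# Added example: full-rank probability of a random m x k binary matrix and a
# comparison with the Table 2 figures (copied from the paper; the code is not).


def full_rank_probability(k: int, m: int) -> float:
    """P[a uniformly random m x k matrix over GF(2) has rank k], m >= k.

    Column i must avoid the span of the i independent columns before it,
    which holds 2^i of the 2^m vectors: probability 1 - 2^(i - m)."""
    if m < k:
        return 0.0
    p = 1.0
    for i in range(k):
        p *= 1.0 - 2.0 ** (i - m)
    return p


def theoretical_row(k: int, nonces) -> list:
    """Success probabilities for the given nonce counts (n nonces give n - 1 equations)."""
    return [round(full_rank_probability(k, n - 1), 3) for n in nonces]


def min_equations(k: int, target: float) -> int:
    """Smallest number of equations m with full-rank probability >= target."""
    m = k
    while full_rank_probability(k, m) < target:
        m += 1
    return m


# Figures copied from Table 2 (SCREAM, 33..43 nonces), used only for comparison.
TABLE2_NONCES = range(33, 44)
TABLE2_THEORETICAL = [0.289, 0.578, 0.770, 0.880, 0.939, 0.969,
                      0.984, 0.992, 0.996, 0.998, 0.999]
TABLE2_EXPERIMENTAL = [0.289, 0.571, 0.762, 0.885, 0.942, 0.976,
                       0.991, 0.995, 0.998, 0.999, 1.0]


def max_deviation(k: int = 32) -> float:
    """Largest |experimental - theoretical| across the Table 2 columns."""
    theo = theoretical_row(k, TABLE2_NONCES)
    return max(abs(e - t) for e, t in zip(TABLE2_EXPERIMENTAL, theo))


if __name__ == "__main__":
    for n, p in zip(TABLE2_NONCES, theoretical_row(32, TABLE2_NONCES)):
        print("%d nonces -> %.3f" % (n, p))
    print("equations needed for >= 99%%: %d" % min_equations(32, 0.99))
    print("max deviation from Table 2: %.3f" % max_deviation())
```

The same formula gives the theoretical row of Table 4 for Midori64, since that system also has 32 unknowns; the experimental rows are close enough to the formula that no structure in the equations is visible at this sample size.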

Table 2. The success probability of recovering the correct 32 plaintext bits on SCREAM. 

# nonces     | 33    | 34    | 35    | 36    | 37    | 38    | 39    | 40    | 41    | 42    | 43 
Experimental | 0.289 | 0.571 | 0.762 | 0.885 | 0.942 | 0.976 | 0.991 | 0.995 | 0.998 | 0.999 | 1 
Theoretical  | 0.289 | 0.578 | 0.770 | 0.880 | 0.939 | 0.969 | 0.984 | 0.992 | 0.996 | 0.998 | 0.999 

4.4 Application to iSCREAM 

The authenticated encryption iSCREAM also has a structure similar to that of 
SCREAM. We search for the nonlinear invariant for the underlying tweakable 
block cipher iScream. As a result, the following quadratic Boolean function 

$$g_S(x) = (x[4] \wedge x[5]) \oplus x[0] \oplus x[6]$$

is a nonlinear invariant for the S-box (see footnote 2), and it holds 

$$g_S(x) \oplus g_S(S(x)) = g_S(x) \oplus g_S(x) = 0.$$

Therefore, from Theorem 1, the following Boolean function 

$$g(x) = \bigoplus_{j=0}^{15} g_S(x[*,j]) = \bigoplus_{j=0}^{15} \left( x[4,j] \wedge x[5,j] \oplus x[0,j] \oplus x[6,j] \right)$$

is a nonlinear invariant for the LS-function. 

5 Practical Attack on Midori64 

5.1 Specification of Midori64 

Midori is a lightweight block cipher recently proposed by Banik et al. [3], which 
is particularly optimized for low energy consumption. There are two versions 
depending on the block size: Midori64 for 64-bit blocks and Midori128 for 128-bit 
blocks. Both use a 128-bit key. The nonlinear invariant attack can be applied to 
Midori64, thus we only explain the specification of Midori64 briefly. 

Midori64 adopts an SPN structure with a non-MDS matrix and a very light 
key schedule. The state is represented by a $4 \times 4$-nibble array. At first the plaintext 
is loaded into the state, then the key whitening is performed. The state is updated 
with a round function 16 times, and a final key whitening is performed. The 
resulting state is the ciphertext. The overall structure is illustrated in Fig. 6. 
More details on each operation are given in the following paragraphs. 


Fig. 6. Computation structure of Midori64 


(Footnote 2) In the round function of iScream with the constant addition, the function $g_S(x) = 
(x[5] \wedge x[6]) \oplus x[2] \oplus x[5] \oplus x[6] \oplus x[7]$ is another nonlinear invariant. 
Key Schedule Function. A user-provided 128-bit key is divided into two 
64-bit key states $K_0$ and $K_1$. Then, a whitening key $WK$ and 15 round keys 
$RK_i$, $i = 0, 1, \ldots, 14$, are generated as follows: 

$$WK \leftarrow K_0 \oplus K_1, \qquad RK_i \leftarrow K_{i \bmod 2} \oplus \alpha_i,$$

where the $\alpha_i$ are fixed 64-bit constants. The round constants $\alpha_i$ are binary for 
each nibble, i.e. any nibble in $\alpha_i$ is either 0000 or 0001. Using such constants 
is beneficial to keep the energy consumption low. The exact values of the $\alpha_i$ 
are given in Table 3 for the first 6 rounds. We refer to [3] for the complete 
specification. 


Table 3. Examples of round constants $\alpha_i$ 
Round Function. The round function consists of four operations: SubCell, 
ShuffleCell, MixColumn, and KeyAdd. Each operation is explained in the 
following. 

SubCell: The 4-bit S-box $S$ defined below is applied to each nibble in the state. 


x    | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F 
S(x) | C | A | D | 3 | E | B | F | 7 | 8 | 9 | 1 | 5 | 0 | 2 | 4 | 6 


ShuffleCell: Each cell of the state is permuted as ShiftRows in AES. Let 
$s_0, s_1, s_2, s_3$ be the four nibbles in the first row. Let $s_4, \ldots, s_{15}$ be the other 12 
nibbles, similarly defined. Then, the cell permutation is specified as follows: 

$$(s_0, s_1, \ldots, s_{15}) \leftarrow (s_0, s_{10}, s_5, s_{15}, s_{14}, s_4, s_{11}, s_1, s_9, s_3, s_{12}, s_6, s_7, s_{13}, s_2, s_8).$$

Note that our nonlinear invariant attack would actually work in exactly the 
same way for any other cell permutation as well. 




MixColumn: The following $4 \times 4$ orthogonal binary matrix $M$ is applied to 
every column of the state: 

$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}.$$

KeyAdd: The round key $RK_i$ is XORed to the state in round $i$. 

In the last round, only SubCell (followed by the post-whitening) is performed. 


5.2 Nonlinear Invariant for Midori64 

The matrix used in MixColumn is a binary and orthogonal matrix. Thus, 
Theorem 1 implies that any quadratic Boolean function $g : \mathbb{F}_2^4 \to \mathbb{F}_2$ which 
is a nonlinear invariant for the S-box $S$ allows us to find a nonlinear invariant for 
the entire round function. Similarly to the previous section, we use the notation 
$x[j] \in \mathbb{F}_2$ and $y[j] \in \mathbb{F}_2$ to denote the $j$th bits of the 4-bit S-box input $x$ and the 4-bit 
S-box output $y$, respectively. 

We search for $g$ such that $g(x) = g(S(x))$. Different from Scream, the S-box 
of Midori64 is small, and many such $g$ usually exist. Actually, we found 15 
choices of such $g$. 

We then pick those that are also nonlinear invariant for the key addition 
$RK_i$, which is computed as $RK_i \leftarrow K_{i \bmod 2} \oplus \alpha_i$. Here, $\alpha_i$ takes 0 or 1 in each 
nibble, i.e. the 2nd, 3rd, and 4th bits are always 0. Thus we need to avoid $g$ in 
which the first bit is included in the nonlinear component, i.e. $g$ cannot involve 
$x[0]$ and $y[0]$ in its nonlinear component. 

Among the 15 choices, only one satisfies this condition. The picked S-box 
property of Midori64 is as follows: 

$$(x[3] \wedge x[2]) \oplus x[2] \oplus x[1] \oplus x[0] = (y[3] \wedge y[2]) \oplus y[2] \oplus y[1] \oplus y[0].$$

Then, the following $g_S : \mathbb{F}_2^4 \to \mathbb{F}_2$ is a nonlinear invariant for $S$: 

$$g_S(x) = (x[3] \wedge x[2]) \oplus x[2] \oplus x[1] \oplus x[0].$$

Here, ShuffleCell does not affect the nonlinear invariant. Therefore, from 
Theorem 1, the following Boolean function 

$$g(x) = \bigoplus_{j=0}^{15} g_S(s_j)$$

is a nonlinear invariant for the round function of Midori64. Note that, as for SCREAM, 
the Boolean function $g$ is actually balanced. 
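The invariant can be verified exhaustively on one column. The following added example (not the paper's implementation) encodes the Midori64 S-box and MixColumn matrix $M$ from Sect. 5.1 together with $g_S$ from this section, and checks over all $2^{16}$ column states that $g$ survives SubCell followed by MixColumn, i.e. the $t = 4$ instance of Theorem 1. It also checks when KeyAdd merely shifts $g$ by a constant, which is the weak-key condition used in Sect. 5.3: bits 2 and 3 of every key nibble must be zero. Bit 0 denotes the least significant bit of a nibble, as in the paper; the sample keys are constructed for the example.

```python
# Added example (not the paper's code): exhaustive check of the Midori64
# nonlinear invariant on one 4-nibble column (SubCell, then MixColumn), which is
# the LS-type construction of Theorem 1 with t = 4 and the orthogonal matrix M.
from functools import reduce
from operator import xor

SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]   # Midori64 S-box, Sect. 5.1

M = [[0, 1, 1, 1],
     [1, 0, 1, 1],
     [1, 1, 0, 1],
     [1, 1, 1, 0]]                                 # MixColumn matrix, Sect. 5.1


def bit(v, j):
    return (v >> j) & 1                            # bit 0 = least significant bit


def g_s(x):
    """S-box invariant g_S(x) = (x[3] & x[2]) ^ x[2] ^ x[1] ^ x[0] of Sect. 5.2."""
    return (bit(x, 3) & bit(x, 2)) ^ bit(x, 2) ^ bit(x, 1) ^ bit(x, 0)


def g(column):
    """g = XOR of g_S over the nibbles of the column (Proposition 1)."""
    return reduce(xor, (g_s(n) for n in column), 0)


def sub_cell(column):
    return [SBOX[n] for n in column]


def mix_column(column):
    """Output nibble i is the XOR of the input nibbles k with M[i][k] = 1."""
    return [reduce(xor, (column[k] for k in range(4) if M[i][k]), 0) for i in range(4)]


def key_add(column, key):
    return [a ^ b for a, b in zip(column, key)]


def is_orthogonal(mat):
    """M * M^T = I over GF(2), i.e. <x, y> = <xM, yM> for all x, y (Sect. 3.2)."""
    n = len(mat)
    return all((sum(mat[i][k] & mat[j][k] for k in range(n)) & 1) == (1 if i == j else 0)
               for i in range(n) for j in range(n))


def all_columns():
    """Every one of the 2^16 states of a 4-nibble column."""
    for v in range(1 << 16):
        yield [(v >> (4 * i)) & 0xF for i in range(4)]


def sbox_invariant_holds():
    """g_S(x) = g_S(S(x)) for all 16 inputs."""
    return all(g_s(x) == g_s(SBOX[x]) for x in range(16))


def round_invariant_holds():
    """g(MixColumn(SubCell(x))) = g(x) for every column state (Theorem 1, t = 4)."""
    return all(g(mix_column(sub_cell(col))) == g(col) for col in all_columns())


def key_add_is_affine(key):
    """g(x ^ key) = g(x) ^ g(key) for all x: the property a weak key needs.

    Holds iff bits 2 and 3 of every key nibble are zero, because the only
    nonlinear term of g_S is x[3] & x[2]."""
    return all(g(key_add(col, key)) == g(col) ^ g(key) for col in all_columns())


def is_weak_column_key(key):
    """Nibble-wise weak-key condition: the two most significant bits are zero."""
    return all(n & 0xC == 0 for n in key)


if __name__ == "__main__":
    print("M orthogonal:", is_orthogonal(M))
    print("g_S invariant under S:", sbox_invariant_holds())
    print("g invariant under MixColumn o SubCell:", round_invariant_holds())
    print("constructed weak key [1,3,0,2] affine:", key_add_is_affine([1, 3, 0, 2]))
    print("constructed non-weak key [4,0,0,0] affine:", key_add_is_affine([4, 0, 0, 0]))
```

`key_add_is_affine` is the check a designer would run on a candidate round-constant set: the $\alpha_i$ of Midori64 pass it by construction because only nibble bit 0 is ever set, which is exactly why the constant addition does not destroy $g$ in Sect. 5.3.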
5.3 Distinguishing Attack 

As mentioned in Sect. 2, the simple distinguishing attack can be mounted against 
a weak key. Let $\ell : \mathbb{F}_2^4 \to \mathbb{F}_2$ be the linear part of $g$, namely $\ell(x) = x[2] \oplus x[1] \oplus x[0]$. 
We have $g(p) \oplus g(c) = \mathit{const}$, and $\mathit{const}$ is the linear part of the values injected into the 
round function during the encryption process: 

$$\mathit{const} = \ell(WK) \oplus \ell(RK_0) \oplus \ell(RK_1) \oplus \cdots \oplus \ell(RK_{14}) \oplus \ell(WK) = \ell(RK_0) \oplus \ell(RK_1) \oplus \cdots \oplus \ell(RK_{14}).$$

Given $RK_i = K_{i \bmod 2} \oplus \alpha_i$, the above equation is further converted as 

$$\mathit{const} = \ell(K_1) \oplus \ell(\alpha_0) \oplus \cdots \oplus \ell(\alpha_{14}),$$

since $K_0$ appears an even number of times (8) and $K_1$ an odd number of times (7). As $\alpha_i[2] = \alpha_i[1] = 0$ for any $i$, it can be simply written as 

$$\mathit{const} = \ell(K_1) \oplus \bigoplus_{i=0}^{14} \bigoplus_{j=0}^{15} \alpha_{i,j},$$

where $\alpha_{i,j}$ is the $j$th nibble of $\alpha_i$. We confirmed that the total number of 1s in all 
$\alpha_i$ is even, thus $\bigoplus_{i=0}^{14} \bigoplus_{j=0}^{15} \alpha_{i,j} = 0$. In the end, $g(p) \oplus g(c) = \ell(K_1)$ always holds 
for Midori64, while this holds with probability 1/2 for a random permutation. 

5.4 Experimental Results 

As mentioned in Sect. 2, the above property can reveal 32 bits (the two most 
significant bits of each nibble) of an unknown plaintext block in the weak-key 
setting when Midori64 is used in well-known block cipher modes. 

We implemented our ciphertext-only message recovery attack for Midori64 
in the CBC mode. In our experiment, the key and IV are chosen uniformly at 
random from the weak-key space and the entire IV space, respectively. We also choose a 
64-bit plaintext block $p$ uniformly at random, and assume that $p$ is iterated 
over $b$ blocks, where $33 \le b \le 43$. We repeated our attack 1000 
times, and Table 4 summarizes the success probability of recovering the correct 
32 bits. 

Table 4. The success probability of recovering the correct 32 bits on Midori64-CBC. 

# blocks     | 33    | 34    | 35    | 36    | 37    | 38    | 39    | 40    | 41    | 42    | 43 
Experimental | 0.279 | 0.574 | 0.753 | 0.883 | 0.931 | 0.968 | 0.988 | 0.991 | 0.999 | 0.997 | 1 
Theoretical  | 0.289 | 0.578 | 0.770 | 0.880 | 0.939 | 0.969 | 0.984 | 0.992 | 0.996 | 0.998 | 0.999 


Similarly to the case of SCREAM, the system of equations behaves very much 
like a random system of equations, in the sense that the probability that it has 
full rank is very close to the corresponding probability for a random system with 
the same dimensions. 

6 Extensions and Future Work 

In this section we outline some extensions to the previously described attacks. 
Furthermore, we give some additional insights into the structure of nonlinear 
invariants in general. Finally, we explain how invariant subspace attacks can 
be seen as a special, chosen-plaintext, variant of nonlinear invariant attacks. It 
is important to point out that none of the observations in this section lead to 
any attacks. But we feel that those explanations provide good starting points 
for future investigations. 


More General Nonlinear Invariant. We continue to use the notation that 
we fixed in Sect. 3. First recall Proposition 1, which allowed us to construct nonlinear 
invariants for the whole S-box layer by linearly combining nonlinear invariants 
for each single S-box. This proposition can actually be easily extended. Instead of 
only linearly combining the nonlinear invariants for each S-box, any combination 
by means of an arbitrary Boolean function results in an invariant for the whole S-box 
layer as well. The following proposition summarizes this observation. 

Proposition 2. Given any Boolean function $f : \mathbb{F}_2^t \to \mathbb{F}_2$ and $t$ elements 

$$g_1, \ldots, g_t : \mathbb{F}_2^n \to \mathbb{F}_2$$

from $U(S)$, it holds that 

$$g_{\mathcal{S}} : (\mathbb{F}_2^n)^t \to \mathbb{F}_2, \qquad g_{\mathcal{S}}(x_1, \ldots, x_t) = f(g_1(x_1), \ldots, g_t(x_t))$$

is an element of $U(\mathcal{S})$. 

Note that the special case of $f$ being linear actually corresponds to the choice 
made in Proposition 1. 

While this generalization potentially allows a much larger variety of invariants, 
and therefore potential attacks, we would like to mention that the restriction made 
in Proposition 1 has two crucial advantages. First, the choice is small enough 
that it can be handled exhaustively, and second, the invariants generated by 
Proposition 1 are usually balanced, while this is not necessarily the case for the 
generalization. 

At first sight, one might be tempted to assume that the above construction 
actually covers all invariants for the S-box layer. However, in general, this is not 
the case. 

One counter-example, that is, a nonlinear invariant not covered by this construction, 
can easily be identified as follows. For simplicity, consider an S-box 
layer consisting of two identical $n$-bit S-boxes only. If the two inputs to those 
two S-boxes are equal, so are the outputs. Thus, the function 

$$g : \mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2, \qquad g(x, y) = \begin{cases} 1 & x = y \\ 0 & \text{else} \end{cases}$$

is a nonlinear invariant of the S-box layer, as 

$$g(x, y) = 1 \Leftrightarrow x = y \Leftrightarrow S(x) = S(y) \Leftrightarrow g(S(x), S(y)) = 1.$$

Moreover, this nonlinear invariant can certainly not be generated by 
Proposition 2. 


Cycle Structure. Actually, there is a nice, and potentially applicable, way of 
describing all nonlinear invariants for a given permutation $F$ by considering its 
cycles. Recall that a cycle of $F$ is a set 

$$C_x := \{ F^i(x) \mid i \in \mathbb{N} \}$$

for a value $x \in \mathbb{F}_2^n$. Actually, one can show that a mapping $g$ is contained in 
$U(F)$ if and only if $g$ is either constant on all cycles of $F$ or alternating along 
the cycles of $F$. The latter case corresponds to nonlinear invariants such that 

$$g(x) \oplus g(F(x)) = 1.$$

This is because $g(x) = g(F(x))$ implies 

$$g(x) = g(F(x)) = g(F(F(x))) = \cdots = g(F^i(x)).$$

Thus, looking at the cycle structure of $F$, we can assign to each cycle one 
value the function $g$ should evaluate to on this cycle. That viewpoint also shows 
that the number of invariant functions $g$ is equal to 

$$|U(F)| = 2^{\#\{\text{cycles of } F\}}$$

in the case where there exists at least one cycle of odd length, or 

$$|U(F)| = 2^{\#\{\text{cycles of } F\} + 1}$$

in the case where all cycles of $F$ have even length. This perspective allows us to 
actually compute a basis of $U(F)$ very efficiently. Consider, for simplicity, the 
case where not all cycles are of even length. Then, a basis of $U(F)$ clearly consists 
of the set of all indicator functions of $C_x$, i.e. 

$$U(F) = \mathrm{span}\{ \delta_{C_x} \mid x \in \mathbb{F}_2^n \}.$$

Here, for a subset $A \subseteq \mathbb{F}_2^n$, the function $\delta_A$ denotes the indicator function of the 
set $A$, i.e. 

$$\delta_A(x) = \begin{cases} 1 & \text{if } x \in A \\ 0 & \text{else.} \end{cases}$$
Example 2. Consider the function $F : \mathbb{F}_2^2 \to \mathbb{F}_2^2$ with 

x    | 0 | 1 | 2 | 3 
F(x) | 1 | 2 | 0 | 3 

The cycle decomposition of $F$ is 

$$(0, 1, 2)(3).$$

Thus we have two cycles of odd length. Following the above, any nonlinear 
invariant of $F$ is constant on those cycles. In this case we have the following 
invariants 

$$g_1(x) = \delta_{\{0,1,2\}}(x), \qquad g_2(x) = \delta_{\{3\}}(x),$$
or, more explicitly 


and 



together with the trivial invariants, that is the identical zero or identical one 
functions. So in total F has 4 invariants. □ 


Relation to Invariant Subspace Attack. Along the same lines, one can also 
see the invariant subspace attack as a special case of a nonlinear invariant. Recall 
that a subspace $V \subseteq \mathbb{F}_2^n$ is called invariant under (a block cipher) $F$ if 

$$F(V) = V.$$

That is, the set $V$ is mapped to itself by the function $F$. Note that the complement 
$\bar{V}$ is also mapped to itself because the function $F$ is a permutation. This 
means nothing else than that the nonlinear Boolean function $\delta_V(x)$ is a nonlinear 
invariant for $F$, as 

$$\delta_V(x) = 1 \Leftrightarrow x \in V \Leftrightarrow F(x) \in V \Leftrightarrow \delta_V(F(x)) = 1,$$
$$\delta_V(x) = 0 \Leftrightarrow x \in \bar{V} \Leftrightarrow F(x) \in \bar{V} \Leftrightarrow \delta_V(F(x)) = 0.$$

In other words, invariant subspace attacks are nonlinear invariant attacks where 
the support of the nonlinear invariant is a subspace of $\mathbb{F}_2^n$. And as such, nonlinear 
invariant attacks could be called invariant set attacks, as the function $g$ splits 
the inputs into two sets, the support of $g$ and its complement, that are invariant 
under $F$. 


Further Research. Other interesting directions for further research include the 
generalization of the nonlinear invariant to the case where one does not consider 
the same function $g$ in every round, but rather a sequence of functions that can be 
chained together. In fact, we also found a quadratic Boolean function $g' : \mathbb{F}_2^4 \to \mathbb{F}_2$ 
such that $g(x) = g'(S(x))$ for Midori64. Owing to the involution property of 
the S-box, $g(x) = g'(S(x))$ always implies $g'(x) = g(S(x))$. Combined with the 
alternating use of $K_0$ and $K_1$ in the key schedule, such $g, g'$ may be exploited 
in the attack. Unfortunately, since such Boolean functions are not nonlinear 
invariant for the constant addition in Midori64, we cannot exploit them in real 
cryptanalysis. However, it is clearly worth discussing this extension. And last 
but not least, even though it seems notoriously difficult, it would be nice to be able 
to use a statistical variant of the attack described here, i.e. consider nonlinear 
functions such that $g(F(x)) = g(x)$ for many, but not necessarily all, 
inputs $x$. 

A Algorithm to Solve Basis of U(S) 

Let $g_S \in U(S)$, and let its algebraic normal form (ANF) be expressed as 

$g_S(x) = \bigoplus_{u \in \mathbb{F}_2^n} \lambda_u x^u,$ 

where $\lambda_u \in \mathbb{F}_2$ are the coefficients to be determined and $x^u$ denotes $\prod_i x_i^{u_i}$. From 
the definition of the nonlinear invariant, for any $x \in \mathbb{F}_2^n$, the following expression 

$\bigoplus_{u \in \mathbb{F}_2^n} \lambda_u\, g_{S,u}(x) = \bigoplus_{u \in \mathbb{F}_2^n} \lambda_u \left(x^u \oplus S(x)^u\right)$ 

is constant. The ANF of $g_{S,u}$ is computed for all $u \in \mathbb{F}_2^n$, and is 
expressed as 

$g_{S,u}(x) = \bigoplus_{v \in \mathbb{F}_2^n} \lambda_{u,v} x^v.$ 

Then, we prepare a matrix $[I \,\|\, M]$, where I is a $(2^n \times 2^n)$ identity matrix and 
the coefficients of M are given by 

$M[u, v] = \lambda_{u,v}.$ 

Then, by a Gaussian-elimination-like computation, we compute the matrix $M' = 
[M'_1 \,\|\, M'_2]$. If a row of $M'_2$ is $[0, 0, \ldots, 0]$ or $[1, 0, 0, \ldots, 0]$, the corresponding row 
of $M'_1$ belongs to the basis of U(S). In particular, for commonly used S-box sizes of up to 
8 bits, the space U(S) can be computed in less than a second on a standard PC. 

From our experiments, 4-bit S-boxes usually have a quadratic nonlinear invariant. 
On the other hand, it is generally rare for 8-bit S-boxes to have a quadratic 
nonlinear invariant. However, as described in this paper, it is not always rare if 
low-degree S-boxes are used for efficiency, as in Scream or iScream. 
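As an added worked example (my own code, not from the paper), the following Python computes U(S) for the 2-bit permutation F of the example earlier in this section and for a sample 4-bit S-box, once from the cycle structure (as the text argues, an invariant with constant 0 is constant on every cycle, and an invariant with constant 1 must alternate along cycles, which needs all cycles to have even length) and once with the [I || M] elimination of this appendix, and checks that the two agree and that every basis element really satisfies g(x) ⊕ g(S(x)) = const. The 4-bit table is a constructed sample involution (to the best of my knowledge it is the Midori64 Sb0 table, but nothing below relies on that); all function names are mine.

```python
# Added example (not from the paper): nonlinear invariants of a small permutation.
# U(S) = { g : g(x) XOR g(S(x)) is the same constant for every input x }, computed
# both from the cycle structure of S and with the [I || M] elimination of Appendix A.

def anf_from_truth_table(tt, n):
    """Moebius transform. tt: int whose bit x is f(x); result: int whose bit u is the
    ANF coefficient lambda_u of x^u. The transform is an involution, so the same
    routine maps an ANF back to its truth table."""
    size = 1 << n
    a = [(tt >> x) & 1 for x in range(size)]
    step = 1
    while step < size:
        for x in range(size):
            if x & step:
                a[x] ^= a[x ^ step]
        step <<= 1
    return sum(bit << u for u, bit in enumerate(a))

def monomial(u, x):
    """x^u = prod_{i in u} x_i, i.e. 1 iff every bit set in u is also set in x."""
    return 1 if (x & u) == u else 0

def invariant_space_by_elimination(S, n):
    """Appendix A method; returns ANF ints forming a basis of U(S).
    Row u of [I || M] holds e_u and the ANF of g_{S,u}(x) = x^u XOR S(x)^u with its
    constant term dropped. After eliminating every non-constant column of M, the
    surviving rows are the coefficient vectors lambda for which XOR_u lambda_u g_{S,u}
    is constant, i.e. exactly the ANFs of the members of U(S)."""
    size = 1 << n
    rows = []
    for u in range(size):
        tt = sum((monomial(u, x) ^ monomial(u, S[x])) << x for x in range(size))
        rows.append((anf_from_truth_table(tt, n) & ~1, 1 << u))  # (M part, I part)
    for v in range(1, size):
        pivot = next((i for i, (m, _) in enumerate(rows) if (m >> v) & 1), None)
        if pivot is None:
            continue
        pm, pt = rows.pop(pivot)
        rows = [(m ^ pm, t ^ pt) if (m >> v) & 1 else (m, t) for m, t in rows]
    assert all(m == 0 for m, _ in rows)
    return [t for _, t in rows]

def cycles(S):
    """Cycle decomposition of the permutation S (list of lists)."""
    seen, out = set(), []
    for start in range(len(S)):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = S[x]
        out.append(cyc)
    return out

def invariant_space_by_cycles(S, n):
    """Direct construction from the text: the indicator of each cycle is an invariant
    with constant 0; if every cycle has even length, the function that alternates
    along each cycle is an additional invariant with constant 1."""
    cyc = cycles(S)
    funcs = [anf_from_truth_table(sum(1 << x for x in c), n) for c in cyc]
    if all(len(c) % 2 == 0 for c in cyc):
        tt = sum(1 << x for c in cyc for i, x in enumerate(c) if i % 2)
        funcs.append(anf_from_truth_table(tt, n))
    return funcs

def invariant_constant(g_anf, S, n):
    """Return c if g(x) XOR g(S(x)) == c for every x, otherwise None."""
    tt = anf_from_truth_table(g_anf, n)  # back to the truth table
    seen = {((tt >> x) & 1) ^ ((tt >> S[x]) & 1) for x in range(1 << n)}
    return seen.pop() if len(seen) == 1 else None

def degree(g_anf):
    """Algebraic degree: largest Hamming weight of a monomial with coefficient 1."""
    return max((bin(u).count("1") for u in range(g_anf.bit_length()) if (g_anf >> u) & 1), default=0)

def gf2_rank(vectors):
    """Rank over GF(2) of a list of ANF ints (used to compare the two bases)."""
    rank, vecs = 0, list(vectors)
    while vecs:
        v = vecs.pop()
        if v:
            rank += 1
            low = v & -v  # pivot on the lowest set bit of v
            vecs = [w ^ v if w & low else w for w in vecs]
    return rank

# The 2-bit permutation of the worked example: F(0)=1, F(1)=2, F(2)=0, F(3)=3.
F_EXAMPLE = [1, 2, 0, 3]
# Sample 4-bit involutive S-box (constructed input for this example; to the best of
# my knowledge it is the Midori64 Sb0 table, but nothing here depends on that).
SBOX4 = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7, 0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

if __name__ == "__main__":
    for name, S, n in (("F", F_EXAMPLE, 2), ("SBOX4", SBOX4, 4)):
        basis = invariant_space_by_elimination(S, n)
        print(name, "cycles:", cycles(S))
        print(name, "dim U(S) =", len(basis), "| cycle method:", len(invariant_space_by_cycles(S, n)))
        for g in basis:
            print("   ANF 0x%x  degree %d  constant %s" % (g, degree(g), invariant_constant(g, S, n)))
```

For F the elimination returns the ANFs 1 and x_0x_1, whose span is exactly {0, 1, δ_{{3}}, 1 ⊕ x_0x_1 = δ_{{0,1,2}}}, the four invariants counted above. For the 4-bit involution, fixed points force the constant to be 0, so U(S) is the space of functions constant on its ten cycles; both methods return ten basis elements spanning the same space, and the degree column shows which of them are low-degree.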
Abstract. Kleptography, introduced 20 years ago by Young and Yung 
[Crypto ’96], considers the (in)security of malicious implementations (or 
instantiations) of standard cryptographic primitives that may embed a 
“backdoor” into the system. Remarkably, crippling subliminal attacks 
are possible even if the subverted cryptosystem produces output indis- 
tinguishable from a truly secure “reference implementation.” Bellare, 
Paterson, and Rogaway [Crypto ’14] recently initiated a formal study 
of such attacks on symmetric key encryption algorithms, demonstrating 
that kleptographic attacks can be mounted in broad generality against 
randomized components of cryptographic systems. 

We enlarge the scope of current work on the problem by permit- 
ting adversarial subversion of (randomized) key generation; in partic- 
ular, we initiate the study of cryptography in the complete subversion 
model , where all relevant cryptographic primitives are subject to klepto- 
graphic attacks. We construct secure one-way permutations and trapdoor 
one-way permutations in this “complete subversion” model, describing 
a general, rigorous immunization strategy to clip the power of klep- 
tographic subversions. Our strategy can be viewed as a formal treat- 
ment of the folklore “nothing up my sleeve” wisdom in cryptographic 
practice. We also describe a related “split program” model that can 
directly inform practical deployment. We additionally apply our gen- 
eral immunization strategy to directly yield a backdoor-free PRG. This 
notably amplifies previous results of Dodis, Ganesh, Golovnev, Juels, and 
Ristenpart [Eurocrypt ’15], which require an honestly generated random 
key. 

We then examine two standard applications of (trapdoor) one-way 
permutations in this complete subversion model and construct “higher 
level” primitives via black-box reductions. We showcase a digital signa- 
ture scheme that preserves existential unforgeability when all algorithms 
(including key generation, which was not considered to be under attack 
before) are subject to kleptographic attacks. Additionally, we demonstrate 
that the classic Blum-Micali pseudorandom generator (PRG), using an 
“immunized” one-way permutation, yields a backdoor-free PRG. 

(c) International Association for Cryptologic Research 2016 

J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 34-64, 2016. 

DOI: 10.1007/978-3-662-53890-6-2 
Alongside development of these secure primitives, we set down a hier- 
archy of kleptographic attack models which we use to organize past 
results and our new contributions; this taxonomy may be valuable for 
future work. 


1 Introduction 

Consider conventional use of a cryptographic primitive in practice, such as an 
encryption scheme: To encrypt a desired plaintext, one simply runs an implementation 
(or an instantiation with particular parameters) of the encryption algorithm 
obtained from a hardware or software provider. Although the underlying 
algorithms may be well-studied and proven secure, malicious implementations 
or instantiations may cleverly “backdoor” the system or directly embed sensitive 
information — such as the secret key — into the ciphertext in a fashion that permits 
recovery by the provider/manufacturer but is undetectable to other parties. 
Notably, such leakage is possible even if the implementation produces “functionally 
and statistically clean” output that is indistinguishable from that of a faithful 
implementation. While the underlying concept of kleptography was proposed by 
Young and Yung two decades ago [27,28], striking recent examples — including 
those of the Snowden revelations [20] — have reawakened the security community 
to the seriousness of these issues [21]. As a result, the topic has received 
renewed attention; see, e.g., [1,2,4,10,18]. In particular, Bellare, Paterson, and 
Rogaway [4] studied algorithm substitution attacks — with a focus on symmetric 
key encryption — and demonstrated a devastating framework for such attacks 
that apply in broad generality to randomized algorithms. These results were later 
amplified [3] to show that such attacks can be carried out even if the adversarial 
implementation is stateless. Soon after, Dodis, Ganesh, Golovnev, Juels, and 
Ristenpart [10] formalized the subversion of Dual EC pseudorandom generators 
(PRG) and studied backdoored PRGs in generality; they additionally studied 
methods for “immunizing” PRGs in such hostile settings. 

Our contributions. We continue this line of inquiry. Specifically, we are moti- 
vated to develop cryptographic schemes in a complete subversion model , in which 
all algorithms of a scheme are potentially subverted by the adversary. This model 
provides a conceptually simple abstraction of the adversary’s power, and signifi- 
cantly amplifies previously studied settings, which rely on trusted key generation 
or clean randomness that is assumed private from the adversary. 

In particular, motivated by the question of defending against the klepto- 
graphic attacks on key generation as demonstrated in the original paper of 
[27,28], we study two fundamental cryptographic primitives in the complete 
subversion model — one-way permutations (OWP) and trapdoor one-way permu- 
tations (TOWP) — and apply these primitives to construct other cryptographic 
tools such as digital signatures and PRGs. Along the way, we identify novel 
generic defending strategies and a hierarchy of attack models. We hope to stim- 
ulate a systematic study of “cliptography,” the challenge of developing a broad 
class of familiar cryptographic tools that remain secure in such kleptographic settings. 
As mentioned above, prior to our work kleptographic attacks on various 
primitives have been addressed in weaker models; see the discussion of related 
work in Sect. 1. In detail, we show the following: 

- We set down a hierarchy of security models that capture practical klepto- 
graphic settings. The models are characterized by three parties: an adversary, 
who may provide potentially subverted implementations of all cryptographic 
algorithms; a “watchdog,” who either certifies or rejects the implementations 
by subjecting them to (black-box) interrogation;¹ and a challenger, who plays 
a conventional security game (but now using the potentially subverted algo- 
rithms) with the adversary. Armed with the “specification” of the crypto- 
graphic algorithms and oracle access to the implementations provided by the 
adversary, the watchdog attempts to detect any subversion in the implemen- 
tations. Various models arise by adjusting the supervisory power of the watch- 
dog; see Sect. 2. 

- We study (trapdoor) one-way permutations in the presence of kleptographic 
attacks, introducing notions of subversion-resistance that can survive various 
natural kleptographic attacks. We first give a simple example of an OWP that 
can be proven secure in the conventional sense, but can be completely broken 
under the kleptographic attack. This demonstrates the need for judicious design 
of cryptographic primitives to defend against kleptographic attacks. 

We then construct subversion-resistant (trapdoor) one way permutations via 
a general transformation that “sanitizes” arbitrary OWPs by randomizing 
the function index. This transformation clips potential correlation between 
the function and the possible backdoor that the adversary may possess. 
Additionally, we introduce a split-program model to make the general method 
above applicable using standard hash functions (see Sect. 3.3). 

- In Sect. 4, we observe that subversion-resistant trapdoor OWPs give us a way 
to construct key generation algorithms (for digital signature schemes) against 
kleptographic attacks. We then showcase a concrete example of a digital sig- 
nature scheme in the complete subversion model. More concretely, we achieve 
this result by (1) using the subversion-resistant trapdoor OWP directly as a 
key generation algorithm, and then (2) instantiating the unique signature gen- 
eration mechanism via full domain hash (FDH). We stress that the reduction 
of the standard FDH signature scheme does not go through in the klepto- 
graphic setting. To resolve this issue, we slightly modify the FDH approach 
by hashing the message together with the public key. We remark that the orig- 
inal kleptographic attacks [27,28] were indeed applied to the key generation 
algorithm, while recent efforts [1,4] shift focus to other algorithmic aspects 
of encryption or digital signature schemes, assuming that key generation is 
honest. Our result is the first digital signature scheme allowing the adversary 
to sabotage all algorithms, including key generation. 


¹ Without the watchdog, it is elusive to achieve interesting cryptographic functionalities 
in those stringent settings. 
- We then turn our attention to PRGs. Previous work of Dodis et al. [10] inves- 
tigated a notion of “backdoored PRG” in which the adversary sets up a PRG 
instance (i.e., the public parameter), and is able to distinguish the output from 
uniform with a backdoor. They then proposed powerful immunizing strate- 
gies which apply a keyed hash function to the output — assuming the key is 
unknown to the adversary — in the public parameter generation phase. Moti- 
vated by their success, we focus on constructing backdoor-free PRGs in the 
complete subversion model (where such clean randomness is not permitted). 
Our first construction is based on the classic Blum-Micali construction, using 
our subversion-resistant OWP and the Goldreich-Levin hardcore predicate. 
Dodis et al. [10] additionally show that it is impossible to achieve a pub- 
lic immunizing strategy for all PRGs by applying a public function to the 
PRG output. We sidestep this impossibility result via an alternative public 
immunizing strategy: Rather than randomizing the output of the PRG, we 
randomize the public parameter of PRG, which yields a general construction 
for PRG in the complete subversion model. See Sect. 5. 

Finally, we remark that black-box constructions and reductions do not, in gen- 
eral, survive in the kleptographic model. However, two of the results above — the 
Blum-Micali construction and the signature scheme — give explicit examples of 
reductions that can be salvaged. 

Remarks: Our techniques and the “nothing up my sleeve” principle; single 
use of randomized algorithms and subliminal channels. We remark that our 
general defending technique significantly differs from known methods: We use 
a — potentially subverted — hash function to “randomize” the index and public 
parameter of a (perhaps randomized) algorithm so that any correlation with 
some potential backdoor can be eliminated. This can be seen as an instance of 
the folklore wisdom of a “nothing up my sleeve number” [26] which has been 
widely used in practical cryptographic designs. The basic principle calls for 
constants appearing in the development of cryptographic algorithms to be drawn 
from a “rigid” source, like the digits of π; the idea is that this prevents them 
from possessing hidden properties that might give advantage to an attacker (or 
the designer). In our setting, the fact that a given value v is supplied along with 
a preimage x so that h(x) = v (for a hash function h) is evidence that v has 
“nothing up its sleeve.” In fact, the situation is complicated: While this does 
effectively mean that v is generated by selecting x and computing h(x) and, thus, 
severely restricts the possibility for tampering with v, it does not eliminate 
subliminal channels introduced by rejection sampling or entirely “clean” v. In 
particular, detailed analysis is still required to control the behavior of v. 

Previous results either use a trusted random source to re-randomize the 
output of a randomized algorithm, or consider only deterministic algorithms. 
Permitting randomized algorithms in a kleptographic framework immediately 
invites the (devastating) general “steganochannel” attack of Bellare et al. [3,4]. 
Apparently, the prospect of full “immunization” for general randomized algo- 
rithms (in particular, generic destruction of a steganochannel) is a presumably 
challenging direction of future work. We note that our primitives here do permit 
randomized algorithms, although the security games we analyze invoke them 
only once (to, e.g., derive a key). Very interestingly, recent subsequent work of 
Russell et al. [23] addresses this major problem for a class of randomized algo- 
rithms; as a consequence, they can achieve the first IND-CPA secure public key 
encryption in the kleptographic setting. 

For simplicity, we focus on (potentially subverted) algorithms that do not 
maintain “internal state” between invocations. We remark that typical stegano- 
graphic attacks can indeed be carried out in a stateless model [3]. Moreover, 
this restriction can be lifted for the constructions in the paper; see Remark 1. 

Related work. The concept of kleptography — subverting cryptographic algo- 
rithms by modifying their implementations to leak secrets covertly — was pro- 
posed by Young and Yung [27,28] in 1996. They gave concrete examples show- 
ing that backdoors can be embedded into the public keys of commonly used 
cryptographic schemes; while the resulting public keys appear normal to every 
user, the adversary is nevertheless capable of learning the secret keys. Young and 
Yung have shown kleptographic backdoors in digital signature algorithms, key 
exchanges, SSL, symmetric crypto (e.g., block ciphers), composite key genera- 
tion (e.g., RSA), and public key cryptosystems [27-32]. It may not be surprising 
that defending against such deliberate attacks is challenging and only limited 
feasibility results exist. We next briefly describe these existing results. 

In [16], Juels and Guajardo suggested the following idea: the user and a 
trusted certificate authority (CA) jointly generate the public key; as a part of 
this process, the user proves to the CA that the public key is generated honestly. 
This contrasts markedly with our setting, where the user does not have any 
secret, and every component is provided by the adversary. 

Bellare et al. considered a powerful family of kleptographic attacks that they 
call algorithm substitution attacks, and explore these in both symmetric-key [3,4] 
and public-key [2] settings. They first proposed a generic attack, highlighting 
the relevance of steganographic techniques in this framework: specifically, a 
sabotaged randomized algorithm can leak a secret bit-by-bit by invoking 
steganographic rejection-sampling; then an adversary possessing the backdoor can 
identify the leaked bits from the biased output, which appears unmolested to other 
observers. The attack and analysis rely on the effectiveness of subliminal channels 
[15,24,25]. They then introduced a framework for defending against such 
attacks by focusing on algorithms that have a unique output for each input: 
relevant examples of such algorithms include unique ciphertext encryption 
algorithms. These results were later refined by [9]. Their defending mechanism does 
not, however, address the (necessarily randomized) process of key generation — it 
implicitly assumes key generation to be honest. This state of affairs is the direct 
motivation of the current article: we adopt a significantly amplified complete 
subversion model where all cryptographic algorithms — including key generation — 
are subject to kleptographic (i.e., substitution) attacks. The details of the model, 
with associated commentary about its relevance to practice, appear below. 
Dodis et al. [10] pioneered the rigorous study of pseudorandom generators 
in such settings, developing an alternative family of kleptographic attacks on 
pseudorandom generators in order to formalize the notorious Dual EC PRG 
subversion [7,19]. In their model, the adversary subverts the security of the 
PRG by opportunistically setting the public parameter while privately keeping 
some backdoor information (instead of providing an implementation). They then 
demonstrate an impossibility result: backdoored PRGs cannot be immunized by 
applying a public function — even a trusted random oracle — to the output. They 
also proposed and analyzed immunizing strategies obtained by applying a keyed 
hash function to the output (of the PRG). Note that the (hash) key plays a 
special role in their model: it is selected uniformly and is unknown to the adver- 
sary during the public parameter generation phase. These results likewise inspire 
our adoption of the amplified complete subversion model , which excludes such 
reliance on public randomness beyond the reach of the adversary. In particu- 
lar, our general immunizing strategy (randomizing the public parameter of a 
backdoored PRG instead of randomizing the PRG output) permits us to bypass 
the impossibility result. Additionally, our results on subversion-resistant OWFs 
can be applied to construct a specific “backdoor-free” PRG following the classic 
Blum-Micali framework. 

Other works suggest different angles of defense against mass surveillance. 
For example, in [11,18] the authors proposed a general framework of safeguard- 
ing protocols by randomizing the incoming/outgoing messages via a trusted 
(reverse) firewall. Their results demonstrate that with a trusted random source, 
many tasks become achievable. As they rely on a “subversion-free” firewall, these 
results require a more generous setting than provided by our complete subversion 
model. 

Ateniese et al. [1] continued the study of algorithm substitution attacks on 
signatures and proposed two defending mechanisms: one utilizes a unique signature 
scheme, assuming the key generation and verification algorithms to be honest; 
the other adopts the reverse firewall model, which assumes trusted randomness. 
We construct a signature scheme that can be proven secure in the complete sub- 
version model which does not make assumptions on honesty or require trusted 
randomness. We remark that the strength of the “watchdog” that is required 
for the signature scheme is, however, stronger than that required for the other 
primitives; it must be permitted a transcript of the security game. See Sect. 4. 

2 A Definitional Framework for Cliptography 

2.1 From Cryptography to Cliptography 

In this section, we lay down a definitional framework for cliptography. The 
adversary in this new setting is “proud-but-malicious”: the adversary wishes to supply 
a subverted implementation in order to break security while keeping the subversion 
“under the radar” of any detection. Thus the basic framework should 
reflect the ability of the adversary to provide (potentially subverted) implementations 
of the cryptographic algorithms of interest, the ability of an efficient 
“watchdog” to interrogate such implementations in order to check their veracity, 
and a classical “challenger-adversary” security game. Specifically, the model 
considers an adversary that commences activities by supplying a (potentially 
subverted) implementation of the cryptographic primitive; one then considers 
two parallel procedures: a classical challenger-adversary security game in which 
the challenger must use only (oracle access to) the adversary’s implementations, 
and a process in which the “watchdog” compares — also via oracle access — the 
adversary’s implementations against a specification of the primitives. (For 
entertainment, we occasionally refer to the adversary as “big brother.”) 

Cryptographic games. We express the security of (standard) cryptographic 
schemes via cryptographic games between a challenger C and an adversary A. 

Definition 1. (Cryptographic Game [14]). A cryptographic game $G = (C, \delta)$ 
is defined by a random system C, called the challenger, and a constant $\delta \in [0, 1)$. 
On security parameter λ, the challenger $C(1^\lambda)$ interacts with some adversary 
$A(1^\lambda)$ and outputs a bit b. We denote this interaction by $b = (A(1^\lambda) \rightleftharpoons C(1^\lambda))$. 

The advantage of an attacker A in the game G is defined as 

$\mathrm{Adv}_{A,G}(1^\lambda) = \Pr\left[(A(1^\lambda) \rightleftharpoons C(1^\lambda)) = 1\right] - \delta.$ 

We say a cryptographic game G is secure if for all ppt attackers A, the advantage 
$\mathrm{Adv}_{A,G}(1^\lambda)$ is negligible in λ. 

The above conventional security notions are formulated under the assumption 
that the relevant algorithms of the cryptographic scheme are faithfully imple- 
mented and, moreover, that participants of the task have access to truly private 
randomness (thus have, e.g., truly random keys). In the kleptographic setting, 
these assumptions are relaxed. 

The complete subversion model. A basic question that must be addressed 
by a kleptographic model concerns the selection of algorithms the adversary is 
permitted to subvert. We work exclusively in a setting where the adversary is 
permitted to provide implementations of all the relevant cryptographic elements 
of a scheme, a setting we refer to as the complete subversion model. Thus, all 
guarantees about the quality of the algorithms are delivered by the watchdog’s testing 
activities. This contrasts with all previous work, which explicitly protected some 
of the algorithms from subversion, or assumed clean randomness. We refer to such 
a setting as the partial subversion model. 

Choosing the right watchdog. By varying the information provided to the 
watchdog, one obtains different models that reflect various settings of practical 
interest. The weakest (and perhaps most attractive) model is the offline watch- 
dog, which simply interrogates the supplied implementations, comparing them 
with the specification of the primitives, and declares them to be “fit” or “unfit.” 
Of course, we must insist that such watchdogs find the actual specification “fit”: 
formally, the definition is formulated in terms of distinguishing an adversarial 
implementation from the specification. 
One can strengthen the watchdog by permitting it access to the full transcript 
of the challenger-adversary security game, resulting in the online watchdog. 
Finally, we describe an even more powerful omniscient watchdog, which 
is even privy to private state of the challenger. (While we do not use such a 
powerful watchdog in our results, it is convenient for discussing previous work.) 

We remark these various watchdogs reflect various levels of “checking” that 
a society might entertain for cryptographic algorithms (and conversely, various 
levels of tolerance that an adversary may have to exposure): the offline watchdog 
reflects a “one-time” laboratory that attempts to check the implementations; an 
online watchdog actually crawls public transcripts of cryptographic protocols to 
detect errors; the omniscient watchdog requires even more, involving (at least) 
individuals effectively checking their results against the specification. 


2.2 A Formal Definition 

Having specified the power of the big brother (the adversary) and that of the 
watchdog, we are ready to introduce cliptographic games to formulate security. 
To simplify the presentation, we here initially consider complete subversion with 
an offline watchdog. In the next section, we will discuss the other variants. 

A cryptographic scheme Π consists of a set of (possibly randomized) algorithms 
$(F^1, \ldots, F^k)$. (In general, deterministic algorithms determine functions 
$F^i : (\lambda, x) \mapsto y$, whereas randomized algorithms determine distributions $F^i(\lambda, x)$ 
over an output set $Y_\lambda$.) For example, a digital signature scheme consists of 
three algorithms, a (randomized) key generation algorithm, a signing algorithm, 
and a deterministic verification algorithm. The definition of Π results in a 
specification of the associated algorithms; for concreteness, we label these as 
$\Pi_{\mathrm{SPEC}} = (F^1_{\mathrm{SPEC}}, \ldots, F^k_{\mathrm{SPEC}})$; when a scheme is (perhaps adversarially) 
implemented, we denote the implementation as $\Pi_{\mathrm{IMPL}} = (F^1_{\mathrm{IMPL}}, \ldots, F^k_{\mathrm{IMPL}})$. If the 
implementation honestly follows the specification of the scheme, we overload the 
notation and represent them interchangeably with the specification as $\Pi_{\mathrm{SPEC}}$. 

In our definition, the adversary A will interact with both the challenger C 
and the watchdog W. (In the offline case, these interactions are independent; in 
the online case, W is provided a transcript of the interaction with C.) Following 
the definition of cryptographic game, we use $b_C = (A(1^\lambda) \rightleftharpoons C^{F^1_{\mathrm{IMPL}}, \ldots, F^k_{\mathrm{IMPL}}}(1^\lambda))$ 
to denote the interaction between A and C; $b_C$ denotes the bit returned by 
the challenger C. (Note that the challenger must use the implementation of Π 
provided by the adversary, while the interaction between A, C is the same as in 
the classical cryptographic game.) 

As for the watchdog W, the adversary provides W his potentially subverted 
implementations $\Pi_{\mathrm{IMPL}}$ of the primitive (as oracles); W may then interrogate 
them in an attempt to detect divergence from the specification, which he possesses. 
On the basis of these tests, the watchdog produces a bit. (Intuitively, the 
bit indicates whether the implementations passed whatever tests the watchdog 
carried out to detect inconsistencies with the specification.) 
Definition 2. (Cliptographic Game). A cliptographic game $G = (C, \Pi_{\mathrm{SPEC}}, \delta)$ 
is defined by a challenger C, a specification $\Pi_{\mathrm{SPEC}}$, and a constant $\delta \in [0, 1)$. 
Given an adversary A, a watchdog W, and a security parameter λ, we define 
the detection probability of the watchdog W with respect to A to be 

$\mathrm{Det}_{W,A}(1^\lambda) = \left| \Pr\left[W^{\Pi_{\mathrm{IMPL}}}(1^\lambda) = 1\right] - \Pr\left[W^{\Pi_{\mathrm{SPEC}}}(1^\lambda) = 1\right] \right|,$ 

where $\Pi_{\mathrm{IMPL}} = (F^1_{\mathrm{IMPL}}, \ldots, F^k_{\mathrm{IMPL}})$ denotes the implementation produced by A. 
The advantage of the adversary is defined to be 

$\mathrm{Adv}_{A}(1^\lambda) = \left| \Pr\left[(A(1^\lambda) \rightleftharpoons C^{F^1_{\mathrm{IMPL}}, \ldots, F^k_{\mathrm{IMPL}}}(1^\lambda)) = 1\right] - \delta \right|.$ 

We say that a game is subversion-resistant if for any polynomial $q(\cdot)$, there 
exists a ppt watchdog W such that for all ppt adversaries A, either $\mathrm{Det}_{W,A}(1^\lambda)$ 
is non-negligible, or $\mathrm{Adv}_{A}(1^\lambda)$ is negligible, in the security parameter λ. 

Other watchdog variants. In the above definition, we chose the strongest 
model: the watchdog is universal and offline. In particular, primitives secure 
in this model are secure in any of the other models considered. The detection 
algorithm of the watchdog must be designed for a given specification , regardless 
of how the adversary subverts the implementation; furthermore, it may only 
carry out a one-time check on the implementation (and may not supervise the 
security game). To permit a broader class of feasibility results, it is possible to 
extend the basic model in both directions. 

Swapping the quantifiers. It is also reasonable to consider a watchdog that may be 
tailored to the adversary, i.e., the quantifiers are changed to be $\forall A, \exists W$. Indeed, 
such quantification (or even more generous settings, see below) was considered 
implicitly in previous works, e.g., [3,4,10]. We remark that such a model is still 
highly non-trivial in that the adversary can be randomized by, e.g., selecting a 
random backdoor. (Thus knowing the code of the adversary does not necessarily 
help the watchdog to identify a faulty implementation which might be based 
on a random backdoor that is only known to A.) Note that such a model is 
particularly interesting for evaluating attacks , where one would like to guarantee 
that the attack is undetectable even by a watchdog privy to the details of the 
adversary: specifically, when establishing security, weak watchdogs are prefer- 
able; when establishing the value of an attack, strong watchdogs are preferable. 

We develop one-way permutations and pseudorandom generators in the 
offline model. However, it appears that richer primitives may require qualita- 
tively stronger watchdogs. Considering that an offline watchdog cannot ensure 
exact equality for deterministic algorithms, we remark that a clever adversary 
may be able to launch attacks by altering a deterministic function at a single 
location. Imagine a security game where the adversary supplies a string m to 
which the challenger is expected to apply one of the subverted algorithms; this 
takes place, e.g., in the typical signature security game. The adversary may now 
select a random string w and implement the deterministic algorithm in such 
a way that it diverges from the specification at (only) this preselected point. 
While such inconsistencies are (essentially) undetectable by an offline watchdog, 
the adversary can ensure that the subverted algorithm is indeed queried at w 
during the security game. Such “input-triggering attacks” motivated the authors 
of [1,4,9] to consider extra “decryptability condition” and “verifiability condition” 
assumptions. 

An online watchdog can guard against this possibility; he is permitted to 
monitor the public interactions between users. More precisely, the online watchdog 
is permitted to certify both the implementations and the transcript between 
the challenger and adversary. The security game is then altered by considering 
$W^{\Pi_{\mathrm{IMPL}}}(1^\lambda, \tau)$, identical to the offline case except that the watchdog is provided 
the transcript τ of the security game $(A \rightleftharpoons C)$.² (We use the shorthand notation 
$\Pi_{\mathrm{IMPL}}$ here to denote the collection of oracles $F^1_{\mathrm{IMPL}}, \ldots, F^k_{\mathrm{IMPL}}$.) The detection 
game must then be adjusted, guaranteeing that the transcripts produced when 
the challenger uses $\Pi_{\mathrm{IMPL}}$ are indistinguishable from those produced when the 
challenger uses $\Pi_{\mathrm{SPEC}}$. Our results on digital signature schemes will require such 
a watchdog. We remark that previous work on subversion-resistant digital signatures 
[1] assumes a verifiability condition: every message-signature pair produced 
by the subverted signing algorithm (at least the responses to the signing queries) 
can pass the verification of the specification of the verification algorithm. This extra 
assumption can be guaranteed by an online watchdog (and, indeed, it demands 
either an absolute universal guarantee or an on-line guarantee for those pairs 
that appear in the security game). 

An omniscient watchdog is even stronger. In addition to access to the transcript, 
the omniscient watchdog is aware of the entire internal state of the challenger 
(and can monitor the interactions between users and the subverted implementations). 
Similarly, by replacing $\mathcal{W}$ in Definition 2 above with an omniscient 
watchdog, we obtain cliptographic games with an omniscient watchdog. As mentioned, 
the omniscient watchdog has been considered in the literature [4,9]. Those 
works assume the extra decryptability condition: ciphertexts generated by the 
subverted encryption algorithm decrypt correctly under the honest decryption 
algorithm. Again, without allowing the watchdog to take as input the whole 
transcript and the decryption key, this assumption cannot be supported. 

Discussion: The guarantees provided by an offline watchdog. We 
make some general observations about the guarantees that an offline watchdog 
provides. 

Consider a deterministic algorithm implemented by the adversary; an offline 
watchdog cannot ensure that such an algorithm is perfectly implemented. How- 
ever, it can ensure that the implementation agrees with the specification with 
high probability over a particular (sampleable) distribution of choice (by simply 
drawing from the distribution and checking equality). This frequently arises in 
our setting, where we are led to study the behavior of a deterministic algorithm 
on a particular “public input distribution.” 


$^2$ We remark that the transcript $\tau$ includes the final output bit of the challenger. 
Lemma 1. Consider an adversarial implementation $\Pi_{\mathrm{IMPL}} := (F^1_{\mathrm{IMPL}}, \dots, F^k_{\mathrm{IMPL}})$ 
of a specification $\Pi_{\mathrm{SPEC}} = (F^1_{\mathrm{SPEC}}, \dots, F^k_{\mathrm{SPEC}})$ in a cliptographic game, where 
$F^1, \dots, F^k$ are deterministic algorithms. Additionally, for each security parameter 
$\lambda$, (sampleable) public input distributions $X^1_\lambda, \dots, X^k_\lambda$ are defined respectively. 
If for some $i \in [k]$, $\Pr[F^i_{\mathrm{IMPL}}(x) \neq F^i_{\mathrm{SPEC}}(x) : x \leftarrow X^i_\lambda]$ is non-negligible, then there is a 
ppt offline watchdog that can detect this with non-negligible probability. 

The above includes the cases where the deterministic algorithm has a known 
input distribution (e.g., the uniform distribution), or an input distribution that 
is generated by other (adversarial) implementations. Jumping ahead, the evaluation 
function of a one-way permutation takes a uniform input distribution, and 
a pseudorandom generator's stretch function takes $\mathcal{K} \times \mathcal{U}$ as its (public) input distribution, 
where $\mathcal{K}$ is the output distribution of a parameter generation algorithm 
implemented by the adversary and $\mathcal{U}$ is the uniform seed distribution. 

In our analysis, we will use this simple observation extensively. In particular, 
when a hash specification is modeled as a random oracle we can check that the 
hash function has been faithfully implemented by the adversary (with high probability) 
for any particular sampleable distribution of choice; in many cases, these 
will be distributions generated by other adversarially implemented algorithms. 

Next, consider a randomized algorithm (with fixed inputs) that is supposed 
to output a high-entropy distribution. The offline watchdog can provide a weak 
guarantee of min-entropy by simply running the algorithm twice to see whether 
there is a collision. While this does not guarantee large entropy, it can guarantee 
a critical feature: the result is unpredictable to the adversary. 

Lemma 2. Consider an adversary $\mathcal{A}$ which prepares the implementation $F_{\mathrm{IMPL}}$ 
of a specification $F_{\mathrm{SPEC}}$, where $F_{\mathrm{SPEC}}$ is a randomized algorithm that produces an 
output distribution with $\omega(\log \lambda)$ min-entropy. If $\Pr[x = x' : x \leftarrow \mathcal{A}(1^\lambda),\ x' \leftarrow F_{\mathrm{IMPL}}] \le \mathrm{negl}(\lambda)$ 
does not hold, then there is a ppt offline watchdog that can 
detect this with non-negligible probability. 
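The two offline-watchdog checks of Lemma 1 and Lemma 2, together with the input-triggering attack that motivates the online watchdog, are illustrated by the following added example (Python). It is not code from the paper: the 32-bit toy specification f_spec, the trigger point, the subverted implementations and the toy random-string generators are all constructed for illustration. The sampling watchdog catches an implementation that deviates on a 5% slice of the domain but not one that deviates at a single adversary-chosen point, which the adversary can nevertheless trigger during the game; the collision watchdog catches a generator whose output is drawn from a small adversary-known table.

```python
"""Offline-watchdog checks (Lemma 1 and Lemma 2) against a toy specification,
plus the input-triggering attack they cannot catch. Added example, not code
from the paper; f_spec, the trigger point and the toy generators are constructed."""
import hashlib
import random
import secrets

N_BITS = 32                 # toy domain {0,1}^32; the trigger w is one point in 2^32
DOMAIN = 1 << N_BITS


def f_spec(x: int) -> int:
    """Toy deterministic specification F_SPEC: 32-bit truncation of SHA-256(x)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big")


def make_trigger_impl(w: int):
    """Input-triggering subversion: agrees with F_SPEC everywhere except at the
    adversary's preselected point w, where it returns the complemented value."""
    def f_impl(x: int) -> int:
        return (f_spec(x) ^ 0xFFFFFFFF) if x == w else f_spec(x)
    return f_impl


def make_dense_impl(bad_fraction: float):
    """Subversion that deviates on a non-negligible fraction of the domain."""
    threshold = int(bad_fraction * DOMAIN)
    def f_impl(x: int) -> int:
        return f_spec(x) ^ 1 if x < threshold else f_spec(x)
    return f_impl


def uniform_sampler(seed: int):
    """Sampleable public input distribution (uniform over the domain)."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(N_BITS)


def consistency_watchdog(spec, impl, sampler, trials: int) -> bool:
    """Lemma 1: draw inputs from the public distribution and compare spec and
    impl. Returns True when a discrepancy is found. Detection probability is
    about trials * (deviating fraction), so a single trigger point is invisible."""
    return any(spec(x) != impl(x) for x in (sampler() for _ in range(trials)))


def adversary_triggers(impl, w: int) -> bool:
    """Execute phase of a game in which the adversary supplies the input: the
    challenger applies impl to w and the output deviates from the specification."""
    return impl(w) != f_spec(w)


def honest_rg() -> int:
    """Randomized specification RG_SPEC: 128 fresh bits, so min-entropy 128."""
    return secrets.randbits(128)


def backdoored_rg(seed: int, table_size: int = 4):
    """Subverted RG_IMPL: returns one of table_size values derived from the
    adversary's backdoor key, so the output is predictable to the adversary."""
    backdoor_key = b"constructed-backdoor-key"
    table = [int.from_bytes(hashlib.sha256(backdoor_key + bytes([k])).digest()[:16], "big")
             for k in range(table_size)]
    rng = random.Random(seed)
    return lambda: rng.choice(table)


def collision_watchdog(randomized_alg, trials: int) -> bool:
    """Lemma 2: run the algorithm twice per trial; a collision witnesses that the
    output has too little min-entropy to be unpredictable. True = detected."""
    return any(randomized_alg() == randomized_alg() for _ in range(trials))


TRIGGER = 0xDEADBEEF        # the adversary's preselected point w (constructed)

if __name__ == "__main__":
    print("trigger impl detected: ", consistency_watchdog(f_spec, make_trigger_impl(TRIGGER), uniform_sampler(2016), 1000))
    print("dense impl detected:   ", consistency_watchdog(f_spec, make_dense_impl(0.05), uniform_sampler(2016), 1000))
    print("adversary triggers w:  ", adversary_triggers(make_trigger_impl(TRIGGER), TRIGGER))
    print("honest RG collides:    ", collision_watchdog(honest_rg, 200))
    print("backdoored RG collides:", collision_watchdog(backdoored_rg(2016), 200))
```

With 1000 uniform samples the trigger implementation passes (the chance of hitting w is about 1000/2^32), while the implementation that is wrong on 5% of the domain is caught almost surely; the collision test over 200 pairs flags the four-entry table but never the 128-bit generator.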

Discussion: random oracles . In many settings, we establish results in the 
conventional random oracle model which requires some special treatment in the 
model above. In general, we consider a random oracle to be an (extremely pow- 
erful) heuristic substitute for a deterministic function with strong cryptographic 
properties. In a kleptographic setting with complete subversion, we must explic- 
itly permit the adversary to tamper with the “implementation” of the random 
oracle supplied to the challenger. In such settings, we provide the watchdog — as 
usual — oracle access to both the “specification” of the random oracle (simply a 
random function) and the adversary’s “implementation” of the random oracle, 
which may deviate from the random oracle itself. For concreteness, we permit 
the adversary to "tamper" with a random oracle $h$ by providing an efficient algorithm 
$T^h(x)$ (with oracle access to the random oracle $h$) which computes the 
"implementation" $\tilde h$; thus the implementation $\tilde h(x)$ is given by $T^h(x)$ for all $x$. 
Likewise, during the security game, the challenger is provided oracle access only 
to the potentially subverted implementation $\tilde h$ of the random oracle. As usual, 
the probabilities defining the security (and detection) games are taken over the 
choice of the random oracle. In this sense, the random oracle assumption used 
in our complete subversion model is weaker than the classical one, since we can 
allow even "imperfect" random oracles. Fortunately, when the random oracle is 
applied to a known input distribution, an offline watchdog can ensure that the 
implementation is almost consistent with its specification (see Lemma 1). 

Remark 1. Stateless/stateful implementations. In principle, algorithms in 
the specification of a cryptographic scheme or implementations provided by an 
adversary could be stateful; for simplicity, we focus on stateless implementa- 
tions in the above lemmas. However, to jump ahead a bit, those results still hold 
(with simple modifications) in natural stateful settings. To see this, (1) consider 
a randomized algorithm specified to produce a high-entropy output distribu- 
tion: in the case of a stateful implementation (maintaining a local state), the 
unpredictability requirement can still be ensured by an offline watchdog who 
can rewind the implementation. The watchdog simply samples (rewinds to the 
same state and then samples) from the randomized algorithm to see whether 
there is a collision. (2) For deterministic algorithms with a state, as an example, 
we consider a stateful PRG, where the seed is updated in each iteration. In this 
case, the public input distribution is evolving during the iterations. Observe that 
the offline watchdog can indeed ensure the consistency of the implementation of 
the PRG when the input is chosen from a uniform distribution. This means the 
“bad” input set (on which the implementation deviates from its specification) 
could be at most negligibly small (in the uniform distribution). Note that starting 
from a uniform seed, any polynomial number of PRG iterations will yield 
poly-many pseudorandom bits. Thus the probability that any of them falls into 
the "bad" input set would still be negligible. 

Schemes with augmented system parameter. Often, deployment of a cryptographic 
scheme may involve a system parameter generation algorithm $pp \leftarrow \mathrm{Gen}(1^\lambda)$. 
When we consider such an augmented scheme $\Pi = (\mathrm{Gen}, F^1, F^2, F^3)$ 
in our setting, we can treat the system parameter $pp$ in two natural ways: (1) 
as in Definition 2, the adversary simply provides the implementation $\mathrm{Gen}_{\mathrm{IMPL}}$ to 
$\mathcal{W}$ (and $\mathcal{C}$) as usual and the challenger computes $pp$ by running $\mathrm{Gen}_{\mathrm{IMPL}}$ during 
the security game; (2) the adversary provides $pp$ directly to the watchdog 
$\mathcal{W}$ (and $\mathcal{C}$); we write $\mathcal{W}^{\Pi_{\mathrm{IMPL}}}(1^\lambda, pp)$ to reflect this. By replacing $\mathcal{W}^{\Pi_{\mathrm{IMPL}}}(1^\lambda)$ in 
Definition 2 with $\mathcal{W}^{\Pi_{\mathrm{IMPL}}}(1^\lambda, pp)$, and suitably changing the security game so 
that the challenger does not generate $pp$, we obtain the adversarially chosen 
parameter model. This model was used for studying pseudorandom generators 
under subversion in [10]; we present it as a general model that would 
be interesting to consider for any cryptographic primitive. 

It is clear that if a primitive is secure in the adversarially chosen parameter 
model, then it is secure according to Definition 2. (Observe that the adversary is 
always free to generate pp according to the algorithm provided to the challenger.) 
We record this below. 

Lemma 3. If $\Pi$ is secure in the adversarially chosen parameter model, then $\Pi$ 
is secure according to Definition 2. 
Schemes with split-program. Randomized algorithms play a distinguished 
role in our kleptographic setting. One technique we propose for immunization 
may also rely on the decomposition of a randomized generation algorithm 
$y \leftarrow \mathrm{Gen}(1^\lambda)$ into two algorithms: a random string generation algorithm $\mathrm{RG}$ 
responsible for producing a uniform $\mathrm{poly}(\lambda)$-bit random string $r$, and a deterministic 
output generation algorithm $\mathrm{dKG}$ that transforms the randomness $r$ 
into an output $y$. Note that $\mathrm{dKG}$ is deterministic and is always applied to a public 
input distribution. In light of Lemma 1, we may assume that the maliciously 
implemented $\mathrm{dKG}_{\mathrm{IMPL}}$ is consistent with the honest specification $\mathrm{dKG}_{\mathrm{SPEC}}$ with 
overwhelming probability. See results in this model in Sect. 3.3, and the definition 
in the full version [22]. 

We remark that this perspective only requires a change in the specification 
of $\Pi_{\mathrm{SPEC}}$. When we apply Definition 2 with a specification that has been altered 
this way, we say that a primitive is proven secure in the split-program model. 

The split-program model is quite general and can be applied to most practical 
algorithms. To see this, the user is provided the source code of the implementation, 
which makes calls to some API for generating randomness (e.g., rand()) 
whenever necessary. The user can hook up the calls to the randomness API with 
the separate program $\mathrm{RG}$ provided by the adversary. (In fact, full source code is 
not strictly necessary in this setting; object code that adopts a particular fixed 
convention to gather randomness would also suffice.) 

3 Subversion-Resistant One-Way Permutations 

In this section, we study one-way permutations (OWP) in our cliptographic 
framework. As mentioned before, this is motivated by the problem of defending 
against subverted key generation. In particular, we propose general constructions 
for subversion-resistant OWPs that require only the weakest (offline) watchdog 
with adversarially chosen parameters. Our “immunizing strategy” consists of 
coupling the function generation algorithm with a hash function that is applied 
to the function index — intuitively, this makes it challenging for an adversary 
to meaningfully embed a backdoor in the permutation or its index. 3 We prove 
that if the specification of the hash function is modeled as a random oracle, 
then randomizing the permutation index using the (adversarially implemented) 
hash function destroys any potential backdoor structure. We emphasize that the 
permutation evaluation algorithm, the name generation algorithm, and the hash 
function may all be subverted by the adversary. 

The cliptographic model introduces a number of new perspectives on the 
(basic) notion of security for one-way permutations. We actually consider three 
different notions below, each of which corresponds to distinct practical settings: 
the first corresponds to the classical notion, where the challenger chooses the 
index of the function (using subverted code provided by the adversary); we 
call this OWP$^{\mathrm{C}}$. The second corresponds to a setting where the adversary may 
choose the index; we call this OWP$^{\mathrm{A}}$. The last corresponds to our "split-program 
model," discussed above; we call this OWP$^{\mathrm{SP}}$. 

$^3$ In concrete constructions, the hash function becomes a component of, e.g., the evaluation 
function, so that the syntax of the primitive is still the same. 

In many cases of practical interest, however, the permutation index may have 
special algebraic structure, e.g., RSA or DLP. In such cases, it would appear that 
the public hash function would require some further “structure preserving” prop- 
erty (so that it carries the space of indices to the space of indices). Alternatively, 
one can assume that the space of indices can be “uniformized,” that is, placed in 
one-to-one correspondence with strings of a particular length. In order to apply 
our approach to broader practical settings, we apply the “split-program” model 
discussed above. This effectively “uniformizes” index space by insisting that the 
function generation algorithm is necessarily composed of two parts: a random 
string generation algorithm RG that outputs random bits r, and a deterministic 
function index generation algorithm dKG which uses r to generate the index. 
Hashing is then carried out on r; see Sect. 3.3 for details. 


3.1 Defining Subversion-Resistant OWP/TDOWP 

In this subsection, following our general definitional framework, we define the 
security of one-way permutations and trapdoor one-way permutations. We first 
recall the conventional definitions. 

One-way permutation (OWP). A family of permutations $\mathcal{F} = \{f_i : X_i \to X_i\}_{i \in I}$ 
is one-way if there are ppt algorithms $(\mathrm{KG}, \mathrm{Eval})$ so that (i) $\mathrm{KG}$, given a security 
parameter $\lambda$, outputs a function index $i$ from $I_\lambda = I \cap \{0,1\}^\lambda$; (ii) for $x \in X_i$, 
$\mathrm{Eval}(i, x) = f_i(x)$; (iii) $\mathcal{F}$ is one-way; that is, for any ppt algorithm $\mathcal{A}$, it holds 
that 
$$\Pr[\mathcal{A}(i, y) \in f_i^{-1}(y) : i \leftarrow \mathrm{KG}(\lambda);\ x \leftarrow X_i;\ y := f_i(x)] \le \mathrm{negl}(\lambda).$$

Trapdoor one-way permutation (TDOWP). A family of permutations $\mathcal{F} = \{f_i : X_i \to X_i\}_{i \in I}$ 
is trapdoor one-way if there are ppt algorithms $(\mathrm{KG}, \mathrm{Eval}, \mathrm{Inv})$ 
such that (i) $\mathrm{KG}$, given a security parameter $\lambda$, outputs a function index and the 
corresponding trapdoor pair $(i, t_i)$ from $I_\lambda \times T$, where $I_\lambda = I \cap \{0,1\}^\lambda$, and $T$ 
is the space of trapdoors; (ii) $\mathrm{Eval}(i, x) = f_i(x)$ for $x \in X_i$; (iii) $\mathcal{F}$ is one-way; 
and (iv) it holds that 
$$\Pr[\mathrm{Inv}(t_i, i, y) = x : (i, t_i) \leftarrow \mathrm{KG}(\lambda);\ x \leftarrow X_i;\ y := f_i(x)] \ge 1 - \mathrm{negl}(\lambda).$$

Sometimes, we simply write $f_i(x)$ rather than $\mathrm{Eval}(i, x)$. 

Subversion-resistant$^{\mathrm{C}}$ one-way permutations: OWP$^{\mathrm{C}}$. As described 
in Sect. 2, we assume a "laboratory specification" of the OWP, $(\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Eval}_{\mathrm{SPEC}})$, 
which has been rigorously analyzed and certified (e.g., by experts in the cryptography 
community). The adversary provides an alternate (perhaps subverted) 
implementation $(\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Eval}_{\mathrm{IMPL}})$. We study OWP/TDOWP in the offline watchdog 
model; while the implementations may contain arbitrary backdoors or other 
malicious features, they cannot maintain any state. 

Intuitively, the goal of the adversary is to privately maintain some "backdoor 
information" $z$ so that the subverted implementation $\mathrm{KG}_{\mathrm{IMPL}}$ will output functions 
that can be inverted using $z$. In addition, to avoid detection by the watchdog, 
the adversary must ensure that the implementations $(\mathrm{KG}_{\mathrm{IMPL}}(z), \mathrm{Eval}_{\mathrm{IMPL}}(z))$ are 
computationally indistinguishable from the specification $(\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Eval}_{\mathrm{SPEC}})$ given 
only oracle access. Formally, 

Definition 3. A one-way permutation family $\mathcal{F} = \{f_i : X_i \to X_i\}_{i \in I}$ with the 
specification $\mathcal{F}_{\mathrm{SPEC}} = (\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Eval}_{\mathrm{SPEC}})$ is subversion-resistant$^{\mathrm{C}}$ in the offline 
watchdog model if there exists a ppt watchdog $\mathcal{W}$ s.t. for any ppt adversary $\mathcal{A}$ 
playing with the challenger $\mathcal{C}$ in the following game (Fig. 1), either the detection 
probability $\mathrm{Det}_{\mathcal{W},\mathcal{A}}$ is non-negligible, or the advantage $\mathrm{Adv}_{\mathcal{A}}$ is negligible. 

Here the detection probability of the watchdog $\mathcal{W}$ with respect to $\mathcal{A}$ is defined 
as 
$$\mathrm{Det}_{\mathcal{W},\mathcal{A}}(1^\lambda) = \left|\Pr[\mathcal{W}^{\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda) = 1] - \Pr[\mathcal{W}^{\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Eval}_{\mathrm{SPEC}}}(1^\lambda) = 1]\right|,$$
and the advantage of the adversary $\mathcal{A}$ is defined as 
$$\mathrm{Adv}_{\mathcal{A}}(1^\lambda) = \Pr\left[(\mathcal{A}(1^\lambda) \leftrightarrows \mathcal{C}^{\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda)) = 1\right].$$

For convenience, we also say that such $\mathcal{F}_{\mathrm{SPEC}}$ is an OWP$^{\mathrm{C}}$ in the offline watchdog 
model. On the other hand, we say that an OWP is subvertible if: 

$\mathrm{Det}_{\mathcal{W},\mathcal{A}}(1^\lambda)$ is negligible for all ppt $\mathcal{W}$, and $\mathrm{Adv}_{\mathcal{A}}(1^\lambda)$ is non-negligible.$^4$ 


Fig. 1. Subversion-resistant$^{\mathrm{C}}$ security game: OWP$^{\mathrm{C}}$. Test phase: $\mathcal{A}$ prepares $(\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Eval}_{\mathrm{IMPL}})$ and sends them to $\mathcal{W}$ and $\mathcal{C}$; $\mathcal{W}$ outputs $b_{\mathcal{W}} \leftarrow \mathcal{W}^{\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda)$. Execute phase: $\mathcal{C}$ runs $i \leftarrow \mathrm{KG}_{\mathrm{IMPL}}(1^\lambda)$, samples $x$, computes $y := \mathrm{Eval}_{\mathrm{IMPL}}(i, x)$ and sends $(i, y)$ to $\mathcal{A}$; $\mathcal{A}$ returns $x'$; $b_{\mathcal{C}} := 1$ if $x' = x$ and $b_{\mathcal{C}} := 0$ otherwise. 


Subvertible OWPs. Next we observe that it is easy for an adversary to break 
the security of a conventional OWP in the kleptographic setting. In particular, 
the following lemma shows that one can construct a subvertible OWP (so the 
subverted implementation can evade detection by all watchdogs and the adversary 
can invert) using a conventional trapdoor OWP. In particular, if we wish 
to use public-key cryptography in a kleptographic setting, nontrivial effort is 
required to maintain the security of even the most fundamental cryptographic 
primitives. 

$^4$ We choose a stronger definition for subvertibility (swap the quantifiers of $\mathcal{A}$, $\mathcal{W}$) to 
describe attacks instead of directly negating the definition of OWP$^{\mathrm{C}}$. 

Our construction of a subvertible OWP substantiates the folklore knowledge 
that sufficient random padding can render cryptosystems vulnerable to backdoor 
attacks, e.g., [27,28]. Specifically, the random padding in the malicious imple- 
mentation can be generated so that it encrypts the corresponding trapdoor using 
the backdoor as a key. For detailed proofs, we defer to the full version [22]. 

Lemma 4. One can construct a subvertible OWP from any TDOWP. In particular, 
given a TDOWP, we can construct an OWP that is not an OWP$^{\mathrm{C}}$. 

We defer the question of the existence of an OWP$^{\mathrm{C}}$ to the next section, where 
we will construct permutations that satisfy a stronger property. 

Subversion-resistant OWPs with adversarially chosen indices: OWP$^{\mathrm{A}}$. 

The notion of OWP$^{\mathrm{C}}$ formulated above defends against kleptographic attacks 
when the adversary provides a subverted implementation of the defining algorithms. 
In many cases, however, it is interesting to consider a more challenging 
setting where the adversary may directly provide the public parameters, including 
the function index. Indeed, this is the case in many real-world deployment 
settings, where a "trusted" agency sets up (or recommends) the public parameters. 
One notorious example (for a different primitive) is the Dual EC PRG [7]. 
Note that, in general, this notion is not very suitable for asymmetric-key primitives, 
e.g. TDOWP, since allowing the adversary to set up the public key gives 
it the chance to generate the trapdoor. We will focus on OWP$^{\mathrm{A}}$. 

Definition 4. A one-way permutation family $\mathcal{F} = \{f_i : X_i \to X_i\}_{i \in I}$ with the 
specification $\mathcal{F}_{\mathrm{SPEC}} = (\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Eval}_{\mathrm{SPEC}})$ is subversion-resistant$^{\mathrm{A}}$ in the offline 
watchdog model if there is a ppt watchdog $\mathcal{W}$ such that for any ppt adversary 
$\mathcal{A}$ playing the following game (Fig. 2) with the challenger $\mathcal{C}$, either the detection 
probability $\mathrm{Det}_{\mathcal{W},\mathcal{A}}$ is non-negligible, or the advantage $\mathrm{Adv}_{\mathcal{A}}$ is negligible. 

Here the detection probability of the watchdog $\mathcal{W}$ with respect to $\mathcal{A}$ is defined 
as 
$$\mathrm{Det}_{\mathcal{W},\mathcal{A}}(1^\lambda) = \left|\Pr[\mathcal{W}^{\mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda, i_\bullet) = 1] - \Pr[\mathcal{W}^{\mathrm{Eval}_{\mathrm{SPEC}}}(1^\lambda, i) = 1]\right|,$$
and the advantage of the adversary $\mathcal{A}$ is defined as 
$$\mathrm{Adv}_{\mathcal{A}}(1^\lambda) = \Pr\left[(\mathcal{A}(1^\lambda) \leftrightarrows \mathcal{C}^{\mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda, i_\bullet)) = 1\right],$$
where $i \leftarrow \mathrm{KG}_{\mathrm{SPEC}}(1^\lambda)$, and $i_\bullet$ is chosen by the adversary. 

We also say that such $\mathcal{F}_{\mathrm{SPEC}}$ is an OWP$^{\mathrm{A}}$ in the offline watchdog model. 

Relating OWP$^{\mathrm{C}}$ and OWP$^{\mathrm{A}}$. Following Lemma 3, an adversary that successfully 
breaks the OWP$^{\mathrm{C}}$ game can be easily transformed into an adversary that 
breaks the OWP$^{\mathrm{A}}$ game; thus any OWP$^{\mathrm{A}}$ is also an OWP$^{\mathrm{C}}$. As far as existence 
is concerned, then, it suffices to construct an OWP$^{\mathrm{A}}$. 
Fig. 2. Subversion-resistant$^{\mathrm{A}}$ security game: OWP$^{\mathrm{A}}$. Test phase: $\mathcal{A}$ prepares $i_\bullet$ and $\mathrm{Eval}_{\mathrm{IMPL}}$ and sends them to $\mathcal{W}$ and $\mathcal{C}$; $\mathcal{W}$ outputs $b_{\mathcal{W}} \leftarrow \mathcal{W}^{\mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda, i_\bullet)$. Execute phase: $\mathcal{C}$ samples $x$, computes $y := \mathrm{Eval}_{\mathrm{IMPL}}(i_\bullet, x)$ and sends $y$ to $\mathcal{A}$; $\mathcal{A}$ returns $x'$; $b_{\mathcal{C}} := 1$ if $x' = x$ and $b_{\mathcal{C}} := 0$ otherwise. 

3.2 Constructing Subversion-Resistant$^{\mathrm{A}}$ OWP 

In this section, we discuss methods for safeguarding OWP against kleptographic 
attacks. We first present a general approach that transforms any OWP into an 
OWP$^{\mathrm{A}}$ under the assumption that a suitable hash function can be defined on 
the index space. Specifically, we prove that randomizing the function index (via 
hashing, say) is sufficient to eliminate potential backdoor information. These 
results assume only the weakest (offline) watchdog. More importantly, we permit 
the hash function, like the other relevant cryptographic elements, to be 
implemented and potentially subverted by the adversary. 

Note that we treat only the specification of the hash function in the random 
oracle model, assuming that the adversary may arbitrarily subvert the (randomly 
specified) hash function; thus the watchdog is provided both the adversary's 
arbitrarily subverted "implementation" and the correct (random) hash function 
"specification."$^5$ Despite the adversary's control over the OWP and the hash 
function (which is partially constrained by the watchdog), it is difficult for the 
adversary to arrange a backdoor that works for a large enough target subset of 
function indices that these can be reliably "hit" by the hash function. 

One remaining difficulty is to keep the "syntax intact," that is, to avoid changing 
the structure of the specification. For this purpose, we propose to treat the 
hash function only as a component of (jumping ahead) the evaluation algorithm 
(see Fig. 3). The adversary only implements the evaluation algorithm as a whole 
with the hash function built in (as the specification demands). In this case, the 
hash implementation (and specification) are not explicitly given to the watchdog 
anymore. However, we still manage to show security by exploiting the fact that 
both the hash and the evaluation algorithm are deterministic algorithms with a public 
input distribution, so that the offline watchdog can force the implementation 
$\mathrm{Eval}_{\mathrm{IMPL}}$ to agree with the specification $\mathrm{Eval}_{\mathrm{SPEC}}$ with overwhelming probability 
when inputs are sampled according to the input generation distribution. 

$^5$ Note that we place no a priori constraints on the subverted hash function provided 
by the adversary. The watchdog, of course, can ensure that the subverted function 
and the specification (which is just a random function, in this case) agree with high 
probability on slices of the space, or possess other common statistical properties. 


General feasibility results for OWP$^{\mathrm{A}}$. Let $\mathcal{F}$ be any OWP family with 
specification $\mathcal{F}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}})$; while we assume, of course, 
that it is one-way secure (in the classical sense), it may be subvertible. We also 
assume that $\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}(\lambda)$ outputs uniform $i$ from the index set $I_\lambda$ and that we 
have a public hash function with specification $h_{\mathrm{SPEC}} : I_\lambda \to I_\lambda$, acting 
on this set. Then we construct a subversion-resistant$^{\mathrm{A}}$ OWP family $\mathcal{G}$ with 
specification $\mathcal{G}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}})$ defined as follows: 

- Function index generation $i \leftarrow \mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}$, where $\mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}$ is given by: 
Sample $i \leftarrow \mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}(\lambda)$; output $i$. 

- Function evaluation $y \leftarrow \mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}(i, x)$, where $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}$ is given by: 
Upon receiving inputs $(i, x)$, compute $i' = h_{\mathrm{SPEC}}(i)$ and compute $y = \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(i', x)$; 
output $y$. See also the pictorial illustration for $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}$ in Fig. 3. 

Fig. 3. New specification $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}$: on input $(i, x)$, apply $h_{\mathrm{SPEC}}$ to the index and then $\mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}$ to $(h_{\mathrm{SPEC}}(i), x)$. 


Remark 2. Note that the specification of the hash function is "part of" the 
specification of the evaluation function. In fact, an interesting property of the 
construction above is that it is secure even if the (subverted) hash function is 
not separately provided to the watchdog.$^6$ 


Security analysis. Roughly, the proof relies on the following two arguments: 
(1) any particular adversary can only invert a sparse subset of the one-way permutations; 
otherwise, such an adversary could successfully attack the (classical) 
security of the specification OWP. Thus, randomizing the function index will 
map it to a "safe" index, destroying the possible correlation with any particular 
backdoor. (2) $\mathrm{Eval}_{\mathrm{IMPL}}$ (having the hash function $h_{\mathrm{IMPL}}$ built in) is a deterministic 
function that is only called on a fixed public input distribution $X \times U$, 
where $X$ is the output distribution of $\mathrm{KG}_{\mathrm{IMPL}}$ and $U$ is the uniform distribution 
over the input space, and both of them are known to the watchdog. Following 
Lemma 1 of Sect. 2, the watchdog can ensure that $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$ is consistent with its 
specification with overwhelming probability when inputs are generated according 
to $X \times U$. We remark that on all inputs for which the hash implementation (running 
inside $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$) is consistent with $h_{\mathrm{SPEC}}$, random oracle queries have to be 
made. 

6 In general, development of secure primitives in the complete subversion model would 
presumably be easier if the watchdog can separately “check” the implementation of 
h even though we do not need this for the above construction. 
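The following added simulation (Python; not code from the paper) makes argument (1) and the Lemma 1 check of the OWP$^{\mathrm{A}}$ test phase concrete. It assumes a toy family in which the 24-bit index selects an affine permutation of 16-bit strings; this family is not one-way, so the adversary's power to invert is modelled by a sparse backdoor set $S$ of indices it can invert (argument (1) says such a set must be sparse for any adversary against a genuine OWP). The adversary may hand the challenger any index directly and may spend $q$ random-oracle queries looking for an index whose hash lands in $S$. The names, sizes and the SHA-256 stand-in for $h_{\mathrm{SPEC}}$ are all constructed for illustration.

```python
"""Toy simulation of the index-hashing immuniser for OWP^A (Sect. 3.2).
Added example, not code from the paper. The affine family below is NOT
one-way; the adversary's ability to invert is modelled by a sparse backdoor
set S of indices (argument (1) of the security analysis). Names are constructed."""
import hashlib
import random

INDEX_BITS, DOMAIN_BITS = 24, 16
INDEX_MASK, DOMAIN_MASK = (1 << INDEX_BITS) - 1, (1 << DOMAIN_BITS) - 1


def eval_f(i: int, x: int) -> int:
    """Eval^F_SPEC: the index i selects an affine permutation of {0,1}^16."""
    mult = (i | 1) & DOMAIN_MASK          # odd multiplier, invertible mod 2^16
    add = (i >> 8) & DOMAIN_MASK
    return (mult * x + add) & DOMAIN_MASK


def invert_f(i: int, y: int) -> int:
    """Inverse of eval_f; in the model only the backdoor holder gets to use it."""
    mult = (i | 1) & DOMAIN_MASK
    add = (i >> 8) & DOMAIN_MASK
    return (pow(mult, -1, 1 << DOMAIN_BITS) * (y - add)) & DOMAIN_MASK


def h_spec(i: int) -> int:
    """Stand-in for the random oracle h_SPEC : I -> I (SHA-256 truncated to 24 bits)."""
    return int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest()[:3], "big") & INDEX_MASK


def eval_g_spec(i: int, x: int) -> int:
    """Eval^G_SPEC(i, x) = Eval^F_SPEC(h_SPEC(i), x): the index is randomised first."""
    return eval_f(h_spec(i), x)


class Adversary:
    """Holds a backdoor set S of indices it can invert and a budget of q
    random-oracle queries (constructed modelling of argument (1))."""

    def __init__(self, rng: random.Random, backdoor_size: int, q: int):
        self.rng, self.q = rng, q
        self.S = {rng.getrandbits(INDEX_BITS) for _ in range(backdoor_size)}

    def choose_index_plain(self) -> int:
        """OWP^A against F: hand the challenger a backdoored index directly."""
        return self.rng.choice(sorted(self.S))

    def choose_index_hashed(self) -> int:
        """OWP^A against G: spend q oracle queries looking for i with h(i) in S;
        each query hits with probability |S| / |I|, so this fails unless S is dense."""
        for _ in range(self.q):
            i = self.rng.getrandbits(INDEX_BITS)
            if h_spec(i) in self.S:
                return i
        return self.choose_index_plain()

    def invert(self, effective_index: int, y: int) -> int:
        """Inverts only when the index actually evaluated lies in S; otherwise guesses."""
        if effective_index in self.S:
            return invert_f(effective_index, y)
        return self.rng.getrandbits(DOMAIN_BITS)


def run_games(hashed: bool, games: int, seed: int) -> float:
    """Execute phase of Fig. 2 repeated over fresh adversaries; returns the win rate."""
    rng, wins = random.Random(seed), 0
    for _ in range(games):
        adv = Adversary(rng, backdoor_size=16, q=64)
        i_dot = adv.choose_index_hashed() if hashed else adv.choose_index_plain()
        x = rng.getrandbits(DOMAIN_BITS)
        y = eval_g_spec(i_dot, x) if hashed else eval_f(i_dot, x)
        wins += adv.invert(h_spec(i_dot) if hashed else i_dot, y) == x
    return wins / games


def make_cheating_eval_impl(i_dot: int):
    """Eval^G_IMPL that skips the hash on the adversary's own index (so the
    backdoor on i_dot would still apply) and follows the specification elsewhere."""
    return lambda i, x: eval_f(i, x) if i == i_dot else eval_g_spec(i, x)


def offline_watchdog(eval_impl, i_dot: int, trials: int, seed: int) -> bool:
    """Lemma 1 check of the OWP^A test phase: compare Eval_IMPL and Eval^G_SPEC
    on uniform x for the adversary's index. True = deviation detected."""
    rng = random.Random(seed)
    return any(eval_impl(i_dot, x) != eval_g_spec(i_dot, x)
               for x in (rng.getrandbits(DOMAIN_BITS) for _ in range(trials)))


if __name__ == "__main__":
    print("win rate, plain index :", run_games(False, 200, 7))
    print("win rate, hashed index:", run_games(True, 400, 7))
    print("cheating Eval_IMPL detected:", offline_watchdog(make_cheating_eval_impl(0x123456), 0x123456, 20, 1))
    print("honest Eval_SPEC flagged   :", offline_watchdog(eval_g_spec, 0x123456, 20, 1))
```

Against $\mathcal{F}$ the adversary wins every game, since it chooses a backdoored index. Against $\mathcal{G}$ its per-game success is about $q|S|/|I| + 1/|X|$ (here roughly $10^{-4}$), which is exactly the $\delta/2q$-style loss the reduction tolerates; and an $\mathrm{Eval}_{\mathrm{IMPL}}$ that restores the backdoor by skipping the hash on $i_\bullet$ disagrees with $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}$ on almost every uniform $x$, so a handful of watchdog samples catches it.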
Theorem 1. Assume $h_{\mathrm{SPEC}}$ is a random oracle, and $\mathcal{F}$ with specification $\mathcal{F}_{\mathrm{SPEC}}$ is 
an OWP. Then $\mathcal{G}$ with specification $\mathcal{G}_{\mathrm{SPEC}}$ defined above is an OWP$^{\mathrm{A}}$ in the offline 
watchdog model. 

Proof. Suppose that $\mathcal{G}$ is not subversion-resistant$^{\mathrm{A}}$. Then for any watchdog $\mathcal{W}$, 
there is a ppt adversary $\mathcal{A}_{\mathcal{G}}$ so that the detection probability $\mathrm{Det}_{\mathcal{W},\mathcal{A}_{\mathcal{G}}}$ is negligible 
and the advantage $\mathrm{Adv}_{\mathcal{A}_{\mathcal{G}}}$ is non-negligible, say $\delta$. We will construct an 
adversary $\mathcal{A}_{\mathcal{F}}$ which will break the one-way security of $\mathcal{F}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}})$ 
with non-negligible probability. In particular, we define a simple watchdog algorithm 
that samples a uniform input $x$ and checks whether $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}(i_\bullet, x) = \mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}(i_\bullet, x)$, 
where $i_\bullet$ is the public parameter chosen by the adversary $\mathcal{A}_{\mathcal{G}}$. 
(Note that the evaluation of $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}$ may involve querying the random oracle.) 

Construction of $\mathcal{A}_{\mathcal{F}}$. Suppose $(i^*, y^*)$ is the challenge that $\mathcal{A}_{\mathcal{F}}$ receives from 
the challenger $\mathcal{C}_{\mathcal{F}}$ (the challenger for one-way security of $\mathcal{F}_{\mathrm{SPEC}}$), where $y^* = \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(i^*, x^*)$ 
for a randomly selected $x^*$. $\mathcal{A}_{\mathcal{F}}$ simulates a copy of $\mathcal{A}_{\mathcal{G}}$. In addition, 
$\mathcal{A}_{\mathcal{F}}$ simulates the subversion-resistant$^{\mathrm{A}}$ OWP game with $\mathcal{A}_{\mathcal{G}}$. 

Before receiving the function index $i_\bullet$ and the implementation $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$ from 
$\mathcal{A}_{\mathcal{G}}$, the adversary $\mathcal{A}_{\mathcal{F}}$ (also acting as the challenger in the OWP$^{\mathrm{A}}$ game played 
with $\mathcal{A}_{\mathcal{G}}$) operates as follows. First, note that $h_{\mathrm{SPEC}}$ is a random oracle; whenever 
$\mathcal{A}_{\mathcal{G}}$ wants to evaluate $h_{\mathrm{SPEC}}$ on some points (or to implement the component 
of $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$ that is consistent with $h_{\mathrm{SPEC}}$ on those points), $\mathcal{A}_{\mathcal{G}}$ has to make 
random oracle queries. Without loss of generality, assume $\mathcal{A}_{\mathcal{G}}$ asks $q$ random 
oracle queries $i_1, \dots, i_q$, where $q = \mathrm{poly}(\lambda)$. Here $\mathcal{A}_{\mathcal{F}}$ randomly chooses a bit $b$ 
to decide whether to embed $i^*$ in the answers to the random oracle queries at this 
stage. If $b = 0$, $\mathcal{A}_{\mathcal{F}}$ randomly selects an index $t \in \{1, \dots, q\}$ and sets $i^*$ as the 
answer for $h_{\mathrm{SPEC}}(i_t)$; for all other $j \in \{1, \dots, q\} \setminus \{t\}$, $\mathcal{A}_{\mathcal{F}}$ uniformly samples $i'_j$ 
from the index set $I$ and sets $h_{\mathrm{SPEC}}(i_j) = i'_j$. If $b = 1$, for all $j \in \{1, \dots, q\}$ the 
adversary $\mathcal{A}_{\mathcal{F}}$ uniformly samples $i'_j$ from the index set $I$ and sets $h_{\mathrm{SPEC}}(i_j) = i'_j$. 

After receiving $i_\bullet, \mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$ from $\mathcal{A}_{\mathcal{G}}$, if $b = 1$ the adversary $\mathcal{A}_{\mathcal{F}}$ sets $h_{\mathrm{SPEC}}(i_\bullet)$ to 
$i^*$; otherwise, if $i_\bullet$ has not been queried before, it chooses a random value and sets 
that as $h_{\mathrm{SPEC}}(i_\bullet)$ (a value already programmed, in particular $h_{\mathrm{SPEC}}(i_t) = i^*$, is kept). Next, 
$\mathcal{A}_{\mathcal{F}}$ gives $y^*$ to $\mathcal{A}_{\mathcal{G}}$ as the challenge and receives an answer $x'$ from $\mathcal{A}_{\mathcal{G}}$. Note that 
in this phase, whenever $\mathcal{A}_{\mathcal{G}}$ makes a random oracle query on $i$, if $i \in \{i_1, \dots, i_q\} \cup \{i_\bullet\}$ 
it is provided the previous response as the answer; otherwise, $i'$ is randomly 
chosen from the index set $I$ and returned as the answer. 

Last, $\mathcal{A}_{\mathcal{F}}$ checks whether $b = 0 \wedge i_\bullet \neq i_t$, or $b = 1 \wedge i_\bullet \in \{i_1, \dots, i_q\}$ (in those 
cases, $\mathcal{A}_{\mathcal{F}}$ fails to embed $i^*$ at the right value); if so, $\mathcal{A}_{\mathcal{F}}$ aborts; otherwise, 
$\mathcal{A}_{\mathcal{F}}$ submits $x'$ to the challenger $\mathcal{C}_{\mathcal{F}}$ as its answer. 

Probabilistic analysis. Now we bound the success probability of $\mathcal{A}_{\mathcal{F}}$. Suppose 
$x^*$ is the random input chosen by $\mathcal{C}_{\mathcal{F}}$; let $W$ denote the event that $\mathcal{A}_{\mathcal{F}}$ aborts, 
$W_1$ the event that $b = 0 \wedge i_\bullet \neq i_t$, and $W_2$ the event that $b = 1 \wedge i_\bullet \in \{i_1, \dots, i_q\}$. 
Recall that $\Pr[x' = x^*] = \Pr[x' = x^* \mid \overline{W}] \cdot \Pr[\overline{W}]$. Let $Q = \{i_1, \dots, i_q\}$. 

We first bound $\Pr[\overline{W}]$. Note that $\Pr[\overline{W}] = 1 - \Pr[W]$, and $\Pr[W] = \Pr[W_1 \vee W_2] \le \Pr[W_1] + \Pr[W_2]$. 
Writing $\eta := \Pr[i_\bullet \in Q]$, it follows that: 
$$\begin{aligned}
\Pr[W_1] &= \Pr[b = 0 \wedge i_\bullet \neq i_t] = \Pr[b = 0] \cdot \Pr[i_\bullet \neq i_t] \\
&= \tfrac12\left(\Pr[i_\bullet \neq i_t \mid i_\bullet \in Q]\,\Pr[i_\bullet \in Q] + \Pr[i_\bullet \neq i_t \mid i_\bullet \notin Q]\,\Pr[i_\bullet \notin Q]\right) \\
&= \tfrac12\left[\left(1 - \tfrac1q\right)\eta + (1 - \eta)\right] = \tfrac12\left(1 - \tfrac{\eta}{q}\right).
\end{aligned}$$
While $\Pr[W_2] = \Pr[b = 1] \cdot \Pr[i_\bullet \in Q] = \eta/2$, we have 
$$\Pr[W] \le \tfrac12\left(1 - \tfrac{\eta}{q} + \eta\right) = \tfrac12\left(1 + \eta\left(1 - \tfrac1q\right)\right) \le \tfrac12\left(1 + 1 - \tfrac1q\right) = 1 - \tfrac{1}{2q}.$$
Thus we can derive that $\Pr[\overline{W}] \ge 1/(2q)$. 

Next, we bound $\Pr[x' = x^* \mid \overline{W}]$. From the assumption that $\mathcal{A}_{\mathcal{G}}$ breaks the 
security of $\mathcal{G}$, we have the following two conditions: (1) the detection probability 
$\mathrm{Det}_{\mathcal{W},\mathcal{A}_{\mathcal{G}}}$ is negligible; (2) the advantage $\mathrm{Adv}_{\mathcal{A}_{\mathcal{G}}}$ is non-negligible, equal to $\delta$. 

From condition (1), we claim: $\Pr[\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}(i_\bullet, x) = \mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}(i_\bullet, x)] \ge 1 - \mathrm{negl}(\lambda)$, 
where the probability is over the choice of $x$ from the uniform distribution over 
the input space. If not, the portion of inputs on which $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}$ deviates from its 
specification is non-negligible (say, $\delta_1$) in the whole domain. The watchdog $\mathcal{W}$ 
we defined (which simply samples an $x$ and tests whether the values $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}(i_\bullet, x)$ and 
$\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}(i_\bullet, x)$ are equal) satisfies $\Pr[\mathcal{W}^{\mathrm{Eval}_{\mathrm{IMPL}}}(1^\lambda, i_\bullet) = 1] = 1 - \delta_1$. On the 
other hand, $\Pr[\mathcal{W}^{\mathrm{Eval}_{\mathrm{SPEC}}}(1^\lambda, i) = 1] = 1$. This implies that $\mathrm{Det}_{\mathcal{W},\mathcal{A}_{\mathcal{G}}}$ is $\delta_1$, which 
contradicts condition (1). Conditioned on $\overline{W}$, the equalities 
$$y^* = \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(i^*, x^*) = \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(h_{\mathrm{SPEC}}(i_\bullet), x^*) = \mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}(i_\bullet, x^*) = \mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}(i_\bullet, x^*)$$
hold with overwhelming probability. That said, conditioned on $\overline{W}$, from $\mathcal{A}_{\mathcal{G}}$'s 
view the distribution of $y^*$ is identical to what it expects as a challenge in the 
subversion-resistant$^{\mathrm{A}}$ game. 

Recall now from condition (2) that the advantage $\mathrm{Adv}_{\mathcal{A}_{\mathcal{G}}}$ is non-negligible $\delta$; this 
means $\mathcal{A}_{\mathcal{G}}$ inverts the challenge $y^* = \mathrm{Eval}^{\mathcal{G}}_{\mathrm{IMPL}}(i_\bullet, x^*)$ and returns a correct $x' = x^*$ 
with probability $\delta$. Combining the above, we can conclude that 
$$\Pr[x' = x^*] \ge \delta\,(1 - \mathrm{negl}(\lambda))\,\frac{1}{2q} = \frac{\delta}{2q} - \mathrm{negl}(\lambda),$$
which is non-negligible; note that $q = \mathrm{poly}(\lambda)$. Thus $\mathcal{A}_{\mathcal{F}}$ breaks the security of 
$\mathcal{F}_{\mathrm{SPEC}}$, which leads to a contradiction. □ 


3.3 Constructing Subversion-Resistant$^{\mathrm{SP}}$ OWP/TDOWP 

We can define the notion of subversion-resistant$^{\mathrm{C}}$ TDOWP similarly to OWP$^{\mathrm{C}}$. 
(Note that a subvertible TDOWP means that the adversary can invert the 
TDOWP using a backdoor which may have no relation to the regular trapdoor.) 
We defer the formal definition to the full version [22]. 
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Indices (names) of a OWP family may have structure. For example, for OWPs 
based on discrete logarithm, f g , p (x) = g x modp, the function index consists of 
an algebraically meaningful pair (p, g), where p is a prime and g a random 
generator. Applying the immunization strategy above would then require a hash 
function that respects this algebraic structure, mapping meaningful pairs (g,p) 
to meaningful pairs ( g',p Furthermore, for a TDOWP, we must assume there 
is a public algorithm that can map between (public key, trapdoor) pairs. 

To address these difficulties, we propose a practical split-program model in
which every function generation algorithm (and, in general, any randomized
algorithm) is composed of two components: a "random string generation algorithm"
RG that outputs a uniform $\ell$-bit string $r$, and a deterministic function
index generation algorithm dKG that transforms the randomness $r$ into a function
index $i$. In this model, dKG is deterministic and is coupled with a known
public input distribution (the output distribution of RG). Following Lemma 1
and the elaboration in Sect. 3.1, a watchdog can ensure that the implementation
$\mathrm{dKG}_{\mathrm{IMPL}}$ is "almost consistent" with $\mathrm{dKG}_{\mathrm{SPEC}}$ (the specification) over this input
distribution, i.e., $\Pr[\mathrm{dKG}_{\mathrm{IMPL}}(r) = \mathrm{dKG}_{\mathrm{SPEC}}(r) : r \leftarrow \mathrm{RG}_{\mathrm{IMPL}}] \approx 1$. Morally, this
forces the adversary to concentrate his malicious efforts on subverting RG.

Since we already demonstrated how to analyze the immunizing strategy for
OWP, in this section we present results for TDOWP^SP. It is straightforward to
adapt the construction and analysis to OWP^SP. The standard TDOWP definitions
can be easily adapted to the split-program model, where the challenge
index is generated by running $\mathrm{dKG}_{\mathrm{SPEC}}$ on a uniform string $r$ generated by $\mathrm{RG}_{\mathrm{SPEC}}$.
It is easy to see that a standard TDOWP is also a TDOWP in the split-program
model. For the detailed definition, we refer to the full version [22].

Next we define the notion of a subversion-resistant TDOWP in the split-program
model by simply augmenting Definition 3. It is easy to see the same
method applies to OWP^SP as well. For detailed discussions of OWP^SP, we defer
to the full version.

Generic construction of TDOWP^SP. Consider a TDOWP family $\mathcal{F}$ with
specification $\mathcal{F}_{\mathrm{SPEC}} := (\mathrm{RG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{dKG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{F}}_{\mathrm{SPEC}})$, where $\mathrm{RG}^{\mathcal{F}}_{\mathrm{SPEC}}$
outputs uniform bits. Assuming a public hash function with specification $h_{\mathrm{SPEC}} :
\{0,1\}^* \to \{0,1\}^*$, we construct a TDOWP^SP family $\mathcal{G}$ with specification
$\mathcal{G}_{\mathrm{SPEC}} := (\mathrm{RG}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{dKG}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{G}}_{\mathrm{SPEC}})$, defined below:

- Randomness generation $r \leftarrow \mathrm{RG}^{\mathcal{G}}_{\mathrm{SPEC}}$: $\mathrm{RG}^{\mathcal{G}}_{\mathrm{SPEC}}$ is the same as $\mathrm{RG}^{\mathcal{F}}_{\mathrm{SPEC}}$. That is,
  $\mathrm{RG}^{\mathcal{G}}_{\mathrm{SPEC}}$ runs $\mathrm{RG}^{\mathcal{F}}_{\mathrm{SPEC}}$ to get $r$ and outputs $r$.

- Index/trapdoor generation algorithm $(i, t_i) \leftarrow \mathrm{dKG}^{\mathcal{G}}_{\mathrm{SPEC}}(r)$: Upon receiving
  input $r$, it computes $\tilde r \leftarrow h_{\mathrm{SPEC}}(r)$ and outputs $(i, t_i) \leftarrow \mathrm{dKG}^{\mathcal{F}}_{\mathrm{SPEC}}(\tilde r)$.

- $\mathrm{Eval}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{G}}_{\mathrm{SPEC}}$ are the same as $\mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{F}}_{\mathrm{SPEC}}$.^7

Fig. 4. New specification $\mathrm{dKG}^{\mathcal{G}}_{\mathrm{SPEC}}$: $r \mapsto \tilde r = h_{\mathrm{SPEC}}(r) \mapsto (i, t_i) = \mathrm{dKG}^{\mathcal{F}}_{\mathrm{SPEC}}(\tilde r)$.

See also the pictorial description of $\mathrm{dKG}^{\mathcal{G}}_{\mathrm{SPEC}}$ in Fig. 4.

Security analysis. The security of OWP^SP/TDOWP^SP is more subtle than it looks.
Randomizing the function index directly indeed destroys any backdoor structure;
however, simply randomizing the random coins for generating the function index
might lead the adversary to another index/backdoor pair. It will be critical
in the split-program model that, with an offline watchdog, the output of
$\mathrm{RG}_{\mathrm{IMPL}}$ is unpredictable even to the adversary who implements it.

A few words about the security proof: Recall that in the OWP^A proof, the
reduction tries to "program the random oracle" so that the challenge of the
specification can be embedded into the challenge to the adversary. In the split-program
model, however, the reduction can directly embed the challenge if outputs
of RG are unpredictable to the adversary; in this case, from the view of the
adversary, any random index may appear as the challenge in the TDOWP^SP
game. Therefore, we here do not need to program the random oracle. We defer
the full proof to the full version [22].

Theorem 2. Assume $h_{\mathrm{SPEC}}$ is a random oracle, and $\mathcal{F}$ with specification $\mathcal{F}_{\mathrm{SPEC}}$ is
a TDOWP. Then $\mathcal{G}$ with specification $\mathcal{G}_{\mathrm{SPEC}}$ defined above is a TDOWP^SP in the
offline watchdog model.


4 Subversion-Resistant Signatures 

In this section, we consider the challenge of designing digital signature schemes
secure against kleptographic attacks. Previous results [1,4] suggest that a
unique signature scheme [13,17] is secure against subversion of the signing algorithm
assuming it satisfies the verifiability condition: every message signed by the
sabotaged $\mathrm{Sign}_{\mathrm{IMPL}}$ should verify under $\mathrm{Verify}_{\mathrm{SPEC}}$. As mentioned in the introduction,
in these constructions the key generation and verification algorithms
are assumed to be faithfully implemented while, in practice, all implementations
normally come together. Thus, our goal in this section is to construct a signature
scheme secure in the complete subversion model.

7 We remark that in the split-program model, the hash function applies to the random
bits, and the hash function is implemented by the adversary inside $\mathrm{Eval}_{\mathrm{IMPL}}$. The
specification of the hash function can be modeled as a random oracle so that replacing
the random oracle with an explicit function like SHA256 may be heuristically
justified.
We emphasize that, in general, bringing a reduction between two primitives
in the classical cryptographic world into the kleptographic world turns out to
be highly non-trivial. We will see that the well-known reduction for full domain
hash does not go through in the cliptographic setting when we try to build a
subversion-resistant^C signature from a TDOWP^C. (See Remark 3 and the proof
of Theorem 3 for more details.)

Following our general framework, it is easy to derive a definition for a
subversion-resistant signature scheme. As pointed out in [1], it is impossible
to achieve unforgeability without the verifiability condition. Using our terminology,
it is impossible to construct a subversion-resistant signature scheme with
just an offline watchdog, even if only the Sign algorithm is subverted. So we will
work in the online watchdog model where the watchdog can check the transcripts
generated during the game between $\mathcal{C}$ and $\mathcal{A}$.^8 Next we define the security for
digital signature schemes in the complete subversion model where all algorithms
are implemented by the adversary, including the key generation algorithm.

Definition 5. The specification $\Pi_{\mathrm{SPEC}} = (\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{Sign}_{\mathrm{SPEC}}, \mathrm{Verify}_{\mathrm{SPEC}})$ of a signature
scheme is subversion-resistant^C in the online watchdog model if there
exists a ppt watchdog $\mathcal{W}$ such that: for any ppt adversary $\mathcal{A}$ playing the following
game (Fig. 5) with the challenger $\mathcal{C}$, either the detection probability $\mathrm{Det}_{\mathcal{W},\mathcal{A}}$
is non-negligible, or the advantage $\mathrm{Adv}_{\mathcal{A}}$ is negligible.

Here the detection probability of the watchdog $\mathcal{W}$ with respect to $\mathcal{A}$ is defined
as

  $\mathrm{Det}_{\mathcal{W},\mathcal{A}}(1^\lambda) = \left| \Pr[\mathcal{W}^{\Pi_{\mathrm{IMPL}}}(1^\lambda, \tau) = 1] - \Pr[\mathcal{W}^{\Pi_{\mathrm{SPEC}}}(1^\lambda, \tilde\tau) = 1] \right|,$

and the advantage of the adversary $\mathcal{A}$ is defined as

  $\mathrm{Adv}_{\mathcal{A}}(1^\lambda) = \Pr\left[(\mathcal{A}(1^\lambda) \rightleftharpoons \mathcal{C}^{\Pi_{\mathrm{IMPL}}}(1^\lambda)) = 1\right],$

where $\tau$ is the transcript generated when the challenger uses $\Pi_{\mathrm{IMPL}}$ and $\tilde\tau$ is the
transcript generated when the challenger uses $\Pi_{\mathrm{SPEC}}$.

Discussion. To extend previous results to the complete subversion model, the 
main challenge is to protect the (randomized) key generation algorithm against 
subversion attacks. While the subliminal channel attacks of Bellare et al. [4] 
apply to arbitrary sabotaged randomized algorithms, we observe that the key 
generation algorithm will be run only once (as in the security definition) which 
provides some hope that the subliminal channel can be controlled. 

Next, we will prove that a variant of the widely deployed full domain hash 
scheme [5,8] can achieve the security in the complete subversion model. More con- 
cretely, in this variant, the signing algorithm needs to hash m together with pk; we 
remark that this modification is critical for the security reduction (see Remark 3) . 


8 Note that, for digital signature schemes, it seems far preferable to adopt an online 
watchdog rather than an omniscient watchdog as in [4,9]. Due to the nature of sig- 
nature schemes, transcripts consist of message-signature pairs which could arguably 
be publicly verified, and an online watchdog is sufficient. 
Fig. 5. Subversion-resistant^C signature game, where $\tau := (pk, \{m_i, \sigma_i\}_{i \in [q]}, m^*, \sigma^*)$.
The adversary $\mathcal{A}$ prepares $\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Sign}_{\mathrm{IMPL}}, \mathrm{Verify}_{\mathrm{IMPL}}$ and hands them to the challenger
$\mathcal{C}$ and to the watchdog $\mathcal{W}^{\mathrm{KG}_{\mathrm{IMPL}}, \mathrm{Sign}_{\mathrm{IMPL}}, \mathrm{Verify}_{\mathrm{IMPL}}}$. $\mathcal{C}$ runs $(pk, sk) \leftarrow \mathrm{KG}_{\mathrm{IMPL}}(1^\lambda)$
and sends $pk$ to $\mathcal{A}$; for $q$ rounds $\mathcal{A}$ sends $m_i$ and receives $\sigma_i \leftarrow \mathrm{Sign}_{\mathrm{IMPL}}(sk, m_i)$;
finally $\mathcal{A}$ outputs $(m^*, \sigma^*)$ and $\mathcal{C}$ sets $b_{\mathcal{C}} := 1$ if $\mathrm{Verify}(pk, m^*, \sigma^*) = 1 \wedge m^* \notin
\{m_1, \dots, m_q\}$, and $b_{\mathcal{C}} := 0$ otherwise.


When instantiating its key generation with our subversion-resistant TDOWP^C,
this variant gives a subversion-resistant signature scheme.

Constructing signature schemes with an online watchdog. Given a
TDOWP^C with specification $\mathcal{F}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{F}}_{\mathrm{SPEC}})$, and a public
hash function with specification $h_{\mathrm{SPEC}} : \mathcal{PK} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{PK}$ is the public
key space and $\mathcal{M}$ is the message space, we construct a subversion-resistant^C
signature scheme $\mathcal{SS}$ with specification $\mathcal{SS}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{SS}}_{\mathrm{SPEC}}, \mathrm{Sign}^{\mathcal{SS}}_{\mathrm{SPEC}}, \mathrm{Verify}^{\mathcal{SS}}_{\mathrm{SPEC}})$
as follows:

- Key generation $(pk, sk) \leftarrow \mathrm{KG}^{\mathcal{SS}}_{\mathrm{SPEC}}(\lambda)$, where $\mathrm{KG}^{\mathcal{SS}}_{\mathrm{SPEC}}$ is given by:
  compute $(i, t_i) \leftarrow \mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}(\lambda)$, and set $pk := i$ and $sk := t_i$;

- Signature generation $\sigma \leftarrow \mathrm{Sign}^{\mathcal{SS}}_{\mathrm{SPEC}}(pk, sk, m)$, where $\mathrm{Sign}^{\mathcal{SS}}_{\mathrm{SPEC}} = (h_{\mathrm{SPEC}}, \mathrm{Inv}^{\mathcal{F}}_{\mathrm{SPEC}})$
  is given by: upon receiving message $m$, compute $\tilde m = h_{\mathrm{SPEC}}(pk, m)$ and $\sigma =
  \mathrm{Inv}^{\mathcal{F}}_{\mathrm{SPEC}}(pk, sk, \tilde m)$, where $pk = i$, $sk = t_i$;

- Verification algorithm $b \leftarrow \mathrm{Verify}^{\mathcal{SS}}_{\mathrm{SPEC}}(pk, m, \sigma)$, where $\mathrm{Verify}^{\mathcal{SS}}_{\mathrm{SPEC}} = (h_{\mathrm{SPEC}},
  \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}})$ is given by: upon receiving message-signature pair $(m, \sigma)$, if
  $\mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(pk, \sigma) = h_{\mathrm{SPEC}}(pk, m)$ then set $b := 1$, otherwise set $b := 0$; here
  $pk = i$.


Remark 3. We emphasize here that the specification of the Sign algorithm defines
the hash and the inversion function separately, thus the adversary has to provide
the implementation of each of them to the watchdog. Verify is treated similarly.

We also stress that using the full domain hash directly (without adding $pk$
into the hash) results in the possibility that the random oracle query for $m^*$ is
asked before the implementations are prepared. In this case, the simulator has
not yet received $y^*$ from the TDOWP challenger, and it has no way
to embed $y^*$ into the target. Including $pk$ in the hash renders any
random oracle queries made before the implementations are provided
useless (as they will be unrelated to any of the signatures), since the adversary
cannot predict the actual value of $pk$. We defer the detailed proof to the full
version [22].

Theorem 3. Assume $h_{\mathrm{SPEC}}$ is a random oracle, and $\mathcal{F}$ with specification $\mathcal{F}_{\mathrm{SPEC}}$
is a TDOWP^C in the offline watchdog model. Then the signature scheme $\mathcal{SS}$
with specification $\mathcal{SS}_{\mathrm{SPEC}}$ constructed above is subversion-resistant^C in the online
watchdog model.
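As an added, illustrative example (not code from the paper or its authors), the following Python sketch ties together two constructions from above: the split-program key generation of Sect. 3.3, where dKG^G_SPEC hashes the randomness r before running dKG^F_SPEC, and the pk-bound full-domain-hash signature of this section, together with the offline watchdog's sampling check that forces dKG_IMPL to agree with dKG_SPEC on almost all of RG's outputs. Everything not in the paper is an assumption for illustration: the TDOWP is a toy RSA permutation with 64-bit primes, h_SPEC is SHA-256, ELL is 32 bytes, the hash output is reduced modulo n rather than encoded as a true full-domain hash, and the sabotaged dKG_IMPL (which returns an adversary-known key pair on roughly one eighth of its inputs) is a constructed subversion used to show what the watchdog catches. None of this is secure at these sizes.

```python
import hashlib
import math
import secrets

ELL = 32            # byte length of the randomness r output by RG (assumption)
PRIME_BITS = 64     # toy RSA primes; real keys need 1024-bit primes or more (assumption)
E = 65537

def h_spec(data: bytes) -> bytes:
    """Public hash h_SPEC, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(data).digest()

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 primes as bases; deterministic for odd n < 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def seeded_prime(seed: bytes, tag: bytes) -> int:
    """Deterministically derive a PRIME_BITS-bit prime from (seed, tag) with a SHA-256 counter."""
    ctr = 0
    while True:
        digest = hashlib.sha256(seed + tag + ctr.to_bytes(4, "big")).digest()
        cand = int.from_bytes(digest, "big") >> (256 - PRIME_BITS)
        cand |= (1 << (PRIME_BITS - 1)) | 1          # force top bit and oddness
        if is_probable_prime(cand):
            return cand
        ctr += 1

def rg_spec() -> bytes:
    return secrets.token_bytes(ELL)                  # RG_SPEC: a uniform ELL-byte string

def dkg_f_spec(r_tilde: bytes):
    """dKG^F_SPEC: deterministic toy RSA key generation; returns (index i = pk, trapdoor t_i = sk)."""
    k = 0
    while True:
        p = seeded_prime(r_tilde, b"p" + bytes([k]))
        q = seeded_prime(r_tilde, b"q" + bytes([k]))
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), pow(E, -1, phi)
        k += 1

def dkg_g_spec(r: bytes):
    """dKG^G_SPEC of the generic TDOWP^SP construction: hash the randomness, then run dKG^F_SPEC."""
    return dkg_f_spec(h_spec(r))

def eval_f(pk, x: int) -> int:
    return pow(x, pk[1], pk[0])                      # Eval^F_SPEC: x -> x^e mod n

def inv_f(pk, sk: int, y: int) -> int:
    return pow(y, sk, pk[0])                         # Inv^F_SPEC: y -> y^d mod n

def watchdog_detects(dkg_impl, dkg_spec, rg, trials: int) -> bool:
    """Offline watchdog: sample r <- RG and flag the implementation if it ever disagrees with the spec."""
    for _ in range(trials):
        r = rg()
        if dkg_impl(r) != dkg_spec(r):
            return True
    return False

def dkg_g_sabotaged(r: bytes):
    """Constructed subverted dKG_IMPL: backdoored key pair on ~1/8 of inputs, honest elsewhere."""
    if r[0] % 8 == 0:
        return dkg_f_spec(h_spec(b"adversary-known seed"))
    return dkg_g_spec(r)

def fdh(pk, m: bytes) -> int:
    """pk-bound hash h_SPEC(pk, m), reduced into Z_n (toy; not a real full-domain encoding)."""
    n, e = pk
    return int.from_bytes(h_spec(n.to_bytes(32, "big") + e.to_bytes(4, "big") + m), "big") % n

def sign(pk, sk: int, m: bytes) -> int:
    """Sign_SPEC = (h_SPEC, Inv_SPEC): invert the permutation on the pk-bound hash of m."""
    return inv_f(pk, sk, fdh(pk, m))

def verify(pk, m: bytes, sigma: int) -> bool:
    """Verify_SPEC = (h_SPEC, Eval_SPEC)."""
    return eval_f(pk, sigma) == fdh(pk, m)

def demo():
    pk, sk = dkg_g_spec(rg_spec())
    sigma = sign(pk, sk, b"hello")
    return verify(pk, b"hello", sigma), verify(pk, b"hellp", sigma)
```

The watchdog test is exactly the argument of Lemma 1 in miniature: a deterministic dKG with a public input distribution can be compared against its specification on sampled inputs, so an implementation that deviates on a 1/8 fraction of the inputs is caught after a few dozen samples, while one that deviates on a negligible fraction is not (which is why the construction must additionally make RG's output unpredictable to the adversary). Binding pk into the hash costs nothing at signing time and is what makes the reduction in Remark 3 go through.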

5 Subversion-Resistant Pseudorandom Generators 

Having studied the fundamental building blocks (OWPs and TDOWPs) in the
complete subversion model, we now attempt to mimic the classical program of
constructing richer cryptographic primitives from OWP/TDOWPs. We proceed
in two different ways. The first is to carry out "black-box" constructions, the second
is to generalize the immunizing strategy to broader settings. We remark that
typical "black-box" constructions and reductions may not survive in the cliptographic
model (indeed, even such basic features as the presence of multiple
calls to a randomized algorithm can significantly affect security [4]). We begin
by focusing on pseudorandom generators (PRG).

We first review the basic notions of PRG under subversion and then provide
a specific construction that mimics the classical Blum-Micali PRG construction
in this cliptographic context. We then examine how to extend the applicability
of our general sanitizing strategy for OWP/TDOWPs to more general settings,
demonstrating a strategy of public immunization for PRGs. Note that an impossibility
result was shown in [10]: no public immunizing strategy is possible
if it is applied to the output of the backdoored PRG, so a solution involving
some trusted randomness was proposed there. We also remark that all algorithms in our
backdoor-free PRG construction, including the sanitizing function (which can
be part of the KG algorithm in the specification), can be subverted. Thus we
provide the first PRG constructions secure in the complete subversion model.

We remark that since we follow the formalization of [10], the stretching algorithm
is deterministic and stateful. In this case, the input distribution is evolving
rather than fixed, and a universal watchdog cannot exhaust all those distributions. Fortunately,
in the case of the PRG stretching algorithm, we can still establish such a
result; see the security analysis of Theorem 4.


5.1 Preliminaries: The Definition of a Subversion-Resistant^A PRG

We adopt the definition from [10]: a pseudorandom generator consists of a pair
of algorithms (KG, PRG), where KG outputs a public parameter $pk$ and $\mathrm{PRG} :
\{0,1\}^* \times \{0,1\}^\ell \to \{0,1\}^\ell \times \{0,1\}^\ell$ takes the public parameter $pk$ and an $\ell$-bit
random seed $s$ as input; it returns a state $s_1 \in \{0,1\}^\ell$ and an output string
$r_1 \in \{0,1\}^\ell$. PRG may be iteratively executed; in the $i$-th iteration, it takes the
state from the previous iteration as the seed and generates the current state
$s_i$ and output $r_i$. We use $q$-PRG to denote the result of $q$ iterations of PRG
with outputs $r_1, \dots, r_q$ (each $r_i \in \{0,1\}^\ell$).

They then define the notion of a backdoored PRG [10]: the adversary sets up 
a public parameter pk and may keep the corresponding backdoor sk. The output 
distribution PRG (pk,U) must still look pseudorandom to all algorithms that do 
not hold the backdoor sk (e.g., it fools the watchdog), where U is the uniform 
distribution; however, with sk, the adversary is able to distinguish the output 
from a uniform string, breaking the PRG. 

The definition of a backdoored PRG [10] is closely related to the subversion-resistant^A
definition in our definitional framework, as the adversary is empowered
to choose the "index" $pk$. Although there are several variants that all appear
meaningful and interesting for PRGs in the cliptographic setting, we will initially
focus on the subversion-resistant^A PRG, as the striking real-world example
of the Dual EC subversion is indeed in this model. Additionally, from Lemma 3, we
remark that any PRG^A is a PRG^C.

We first reformulate the definition of [10] in the subversion-resistant^A cliptographic
framework: there exist "specification" versions of the algorithms and an
offline watchdog. The parameter generation algorithm $\mathrm{KG}_{\mathrm{SPEC}}$ has the requirement
that the distribution of the adversarially generated public parameter must
be indistinguishable from the output distribution of $\mathrm{KG}_{\mathrm{SPEC}}$. Additionally, as the
PRG algorithm is deterministic and its input distribution is public, an offline
watchdog can ensure that it is consistent with its specification $\mathrm{PRG}_{\mathrm{SPEC}}$ on an
overwhelming fraction of the inputs. The formal definitions are as follows:

Definition 6. We say that a PRG (with specification $(\mathrm{KG}_{\mathrm{SPEC}}, \mathrm{PRG}_{\mathrm{SPEC}})$) is
q-subversion-resistant^A in the offline watchdog model if there exists a ppt
watchdog $\mathcal{W}$ such that: for any ppt adversary $\mathcal{A}$ playing the following game
(Fig. 6) with the challenger $\mathcal{C}$, either the detection probability $\mathrm{Det}_{\mathcal{W},\mathcal{A}}$ is non-negligible,
or the advantage $\mathrm{Adv}_{\mathcal{A}}$ is negligible.

Here the detection probability of the watchdog $\mathcal{W}$ with respect to $\mathcal{A}$ is defined
as

  $\mathrm{Det}_{\mathcal{W},\mathcal{A}}(1^\lambda) = \left| \Pr[\mathcal{W}^{\mathrm{PRG}_{\mathrm{IMPL}}}(1^\lambda, pk_*) = 1] - \Pr[\mathcal{W}^{\mathrm{PRG}_{\mathrm{SPEC}}}(1^\lambda, pk) = 1] \right|,$

and the advantage of the adversary $\mathcal{A}$ is defined as

  $\mathrm{Adv}_{\mathcal{A}}(1^\lambda) = \left| \Pr\left[(\mathcal{A}(1^\lambda) \rightleftharpoons \mathcal{C}^{\mathrm{PRG}_{\mathrm{IMPL}}}(1^\lambda, pk_*)) = 1\right] - \tfrac{1}{2} \right|,$

where $pk \leftarrow \mathrm{KG}_{\mathrm{SPEC}}(1^\lambda)$, and $\mathrm{PRG}_{\mathrm{IMPL}}, pk_*$ are chosen by the adversary.

We say that such a PRG is a PRG^A to stress that the public parameters are
generated by the adversary.


5.2 Constructing q-PRG^A from an OWP^A

In this section, we provide constructions of a PRG^A based on an OWP^A. We start
with a construction based on a (simplified) Blum-Micali PRG, and then extend
it to a full-fledged solution. We remark that a similar reduction can be used
to construct a subversion-resistant^C PRG from a subversion-resistant^C OWP
(where the challenger queries $\mathrm{KG}_{\mathrm{IMPL}}$ to choose a public parameter).

Fig. 6. Subversion-resistant^A PRG game. Test phase: $\mathcal{A}$ prepares $pk_*$ and $\mathrm{PRG}_{\mathrm{IMPL}}$;
the watchdog computes $b_{\mathcal{W}} \le\mathcal{W}^{\mathrm{PRG}_{\mathrm{IMPL}}}(1^\lambda, pk_*)$. Execute phase: $\mathcal{C}$ samples
$s \leftarrow \{0,1\}^{\ell}$ and $y_0 \leftarrow \{0,1\}^{\ell q}$, chooses $b \leftarrow \{0,1\}$, runs $y_1 := q\text{-}\mathrm{PRG}_{\mathrm{IMPL}}(pk_*, s)$
and sends $y_b$ to $\mathcal{A}$; $\mathcal{A}$ returns $b'$, and $b_{\mathcal{C}} := 1$ if $b = b'$, $b_{\mathcal{C}} := 0$ otherwise.

Before describing the details of our construction, we recall the classic generic
construction of Goldreich-Levin (GL), yielding a hardcore predicate [12] for any
OWF $f$. We suppose the input $x$ of $f$ is divided into two halves $x = (x_1, x_2)$ and
define the bit $B(x) = \langle x_1, x_2 \rangle$; $B(x)$ is hard to predict given $x_1, f(x_2)$, assuming
that $f$ is one-way. Moreover, if there is a PPT algorithm that predicts $B(x)$ with
significant advantage $\delta$ given $x_1, f(x_2)$, then there is a PPT algorithm $I$ that
inverts $f$ with probability $\mathrm{poly}(\delta)$.


Basic construction. We will show that given a subversion-resistant^A one-way
permutation (OWP) family $\mathcal{F}$ with specification and implementation $\mathcal{F}_{\mathrm{SPEC}} :=
(\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}})$ and $(\mathrm{KG}_{\mathcal{F}}, \mathrm{Eval}_{\mathcal{F}})$ respectively, the classic Blum-Micali PRG [6]
(using the GL hardcore predicate) is 1-subversion-resistant^A. Our basic construction
$\mathcal{G}$ with the specification $\mathcal{G}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{PRG}^{\mathcal{G}}_{\mathrm{SPEC}})$ is as follows:

- Parameter generation algorithm $pk \leftarrow \mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}(\lambda)$: compute $i \leftarrow \mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}(\lambda)$
  and set $pk := i$;

- Bit string generation algorithm $(s', b) \leftarrow \mathrm{PRG}^{\mathcal{G}}_{\mathrm{SPEC}}(pk, s)$: upon receiving $s$
  and $pk$, where $pk = i$, $s = s_1 \| s_2$ and $|s_1| = |s_2| = \ell$, compute the following:
  $s'_1 := s_1$, $s'_2 := \mathrm{Eval}^{\mathcal{F}}_{\mathrm{SPEC}}(i, s_2)$, and $s' = s'_1 \| s'_2$, $b := \langle s_1, s_2 \rangle$.


Security analysis. We can show in the lemma below that, with a specification
designed as above, the basic construction is a 1-subversion-resistant^A PRG.
The intuition is that in the (simplified) Blum-Micali PRG, a distinguisher can be
transformed into an OWP inverter (following the GL proof); thus an adversary
who can build a backdoor for this PRG violates the subversion-resistance of $\mathcal{F}$.
We present the lemma for its security; due to lack of space, we refer the reader to the
full version [22] for the detailed proof.

Lemma 5. If $\mathcal{F}$ with specification $\mathcal{F}_{\mathrm{SPEC}}$ is an OWP^A in the offline watchdog model,
then $\mathcal{G}$ with specification $\mathcal{G}_{\mathrm{SPEC}}$ constructed above is a 1-subversion-resistant^A PRG
in the offline watchdog model.

Full-fledged PRG^A. We can easily adapt our basic construction to the full-fledged
PRG^A construction via iteration as in the BM-PRG, and argue
security following the classic hybrid lemma. We refer the reader to the full version [22]
for the details of the construction and analysis.

5.3 A General Public Immunization Strategy for PRG^A

An impossibility result concerning public immunization of a PRG (to yield a
PRG^A) was presented in [10]. However, we observe that this impossibility result
only applies to an immunization procedure that operates on the output of the
PRG^A. The general construction of OWP^A shown above inspires us to consider
an alternate general immunizing strategy for (potentially subvertible) PRGs.
We establish that, similar to the procedure above for eliminating backdoors in
OWPs, one can randomize the public parameter to sanitize a PRG.^9

The intuition for this strategy to be effective in the setting of PRGs is similar:
considering a specification $\mathrm{KG}_{\mathrm{SPEC}}$ that outputs a uniform $pk$ from its domain, no
single backdoor can be used to break the security for a large fraction of the public
parameter space; otherwise, one could use this trapdoor to break the PRG security
of the specification. As above, while the adversary can subvert the hash function,
an offline watchdog can ensure the hash function is faithful enough to make it
difficult for the adversary to arrange for the hashed parameter to be
amenable to any particular backdoor.

Consider a (potentially subvertible) PRG with specification $\mathcal{F}_{\mathrm{SPEC}} = (\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}},
\mathrm{PRG}^{\mathcal{F}}_{\mathrm{SPEC}})$; we assume that $\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}$ outputs a uniform element of its range $\mathcal{PP}$.
Consider a hash function with specification $h_{\mathrm{SPEC}} : \mathcal{PP} \to \mathcal{PP}$. Then we construct
a PRG^A $\mathcal{G}$ with specification $\mathcal{G}_{\mathrm{SPEC}} := (\mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}, \mathrm{PRG}^{\mathcal{G}}_{\mathrm{SPEC}})$:

- Parameter generation algorithm $pk \leftarrow \mathrm{KG}^{\mathcal{G}}_{\mathrm{SPEC}}$: compute $\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}$, resulting in
  the output $pk$;

- Bit string stretch algorithm $(s', r) \leftarrow \mathrm{PRG}^{\mathcal{G}}_{\mathrm{SPEC}}(pk, s)$, which is given by: upon
  receiving a random seed $s$ and public parameter $pk$ as inputs, it computes $\widetilde{pk} =
  h_{\mathrm{SPEC}}(pk)$, then computes $\mathrm{PRG}^{\mathcal{F}}_{\mathrm{SPEC}}(\widetilde{pk}, s)$ and obtains $(s', r)$ as outputs, where
  $r$ is the actual output and $s'$ is used as the seed for the next
  iteration. See also the pictorial illustration of $\mathrm{PRG}^{\mathcal{G}}_{\mathrm{SPEC}}$ in Fig. 7.

9 To interpret this result: the solution of [10] is in a semi-private model which requires
a trusted seed/key generation, thus part of the PRG algorithms cannot be subverted.
It follows that the construction of a PRG in the complete subversion model was still
open until our solution. In contrast, our sanitizing strategy does not require any
secret, and even the deterministic hash function can be implemented by the adversary
as part of the KG algorithm.
Fig. 7. Public immunization strategy for PRG: $(pk, s) \mapsto \widetilde{pk} = h_{\mathrm{SPEC}}(pk) \mapsto \mathrm{PRG}^{\mathcal{F}}_{\mathrm{SPEC}}(\widetilde{pk}, s) = (s', r)$.
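As an added example (not code from the paper or its authors), the following Python sketch implements the basic Blum-Micali construction of Sect. 5.2 with the Goldreich-Levin bit, and wraps it in the public immunization just described, so that the stretch algorithm runs on pk~ = h_SPEC(pk) rather than on the adversarially chosen pk. It uses the discrete-log OWP f_{g,p}(x) = g^x mod p mentioned in Sect. 3.3. Assumptions for illustration: the modulus p is a fixed public system parameter (a 32-bit safe prime found by a deterministic scan) and the subvertible parameter pk is only the generator g; h_SPEC is SHA-256 with the digest mapped back into the group, the encoding Remark 4 below suggests; the one-bit-per-step GL output follows the basic construction rather than the full-fledged one. The sizes are toy and insecure.

```python
import hashlib

# Toy system parameter (assumption): a fixed 32-bit safe prime p = 2q + 1. Real deployments
# need a 2048-bit or larger safe prime; everything here is for illustration only.

def is_prime(n: int) -> bool:
    """Trial division; adequate for the 32-bit toy parameters used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with prime q >= start (deterministic scan)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = find_safe_prime(1 << 30)      # 32-bit safe prime
ELL = P.bit_length()              # seed halves s1, s2 are ELL-bit strings

def is_generator(g: int) -> bool:
    """For a safe prime p, g generates Z_p^* iff g is not 0, 1, p-1 and g^q != 1 mod p."""
    return g not in (0, 1, P - 1) and pow(g, (P - 1) // 2, P) != 1

def kg_f_spec(coins: bytes) -> int:
    """KG^F_SPEC for the DL-based OWP f_{g,p}(x) = g^x mod p: pk = g, a generator of Z_p^*,
    derived from the caller's coins via SHA-256 with rejection sampling."""
    ctr = 0
    while True:
        g = int.from_bytes(hashlib.sha256(coins + ctr.to_bytes(4, "big")).digest(), "big") % P
        if is_generator(g):
            return g
        ctr += 1

def h_spec(pk: int) -> int:
    """h_SPEC : PP -> PP. Encode g to bytes, hash with SHA-256 and map the digest back to a
    generator; the domain-separated prefix keeps it distinct from honest key generation."""
    return kg_f_spec(b"immunize|" + pk.to_bytes(4, "big"))

def eval_f(pk: int, x: int) -> int:
    """Eval^F_SPEC: x -> g^x mod p, a permutation of {1, ..., p-1} when g generates Z_p^*."""
    return pow(pk, x, P)

def prg_f_spec(pk: int, s):
    """PRG^F_SPEC: one Blum-Micali step with the GL bit b = <s1, s2> mod 2.
    State s = (s1, s2): s1 is kept, s2 is advanced through the permutation."""
    s1, s2 = s
    b = bin(s1 & s2).count("1") & 1
    return (s1, eval_f(pk, s2)), b

def prg_g_spec(pk: int, s):
    """PRG^G_SPEC (Sect. 5.3): sanitize the parameter, pk~ = h_SPEC(pk), then run PRG^F_SPEC."""
    return prg_f_spec(h_spec(pk), s)

def q_prg(prg, pk: int, s, q: int):
    """q-PRG: iterate the stretch algorithm q times and return the q output bits."""
    bits = []
    for _ in range(q):
        s, b = prg(pk, s)
        bits.append(b)
    return bits

def sample_seed(coins: bytes):
    """Seed s = s1 || s2 from the challenger's coins: s1 in {0,1}^ELL, s2 in {1, ..., p-1}."""
    d = int.from_bytes(hashlib.sha256(coins).digest(), "big")
    return d & ((1 << ELL) - 1), (d >> ELL) % (P - 1) + 1

def demo():
    pk_star = kg_f_spec(b"adversary's choice")          # constructed adversarial parameter
    s = sample_seed(b"challenger coins")
    return pk_star, h_spec(pk_star), q_prg(prg_g_spec, pk_star, s, 64)
```

Two points the code makes concrete: the adversary still controls pk_*, but the permutation that actually drives the state is g~ = h_SPEC(pk_*), a generator it cannot steer without inverting the hash; and both prg_f_spec and h_spec are deterministic with public input distributions, which is what lets an offline watchdog compare the implementation against this specification on sampled inputs.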


Security analysis. If the above PRG only iterates once, the security analysis
would be very similar to that of Theorem 1: any potential backdoor
embedded in the public parameter is now destroyed, and the stretch algorithm
is a deterministic algorithm with a public input distribution, so an
offline watchdog can already ensure that it is (essentially) consistent with its
specification.

Things become trickier when the PRG may be iterated an arbitrary number
of times. For example, suppose the watchdog checks only $t$ iterations;
$\mathrm{PRG}_{\mathrm{IMPL}}$ might deviate from the $(t+1)$-th iteration on. This might indeed be problematic
for general deterministic algorithms. Fortunately, for this particular example
of a PRG, it is enough that the watchdog simply checks one uniform input and compares the
output with that generated by the specification to ensure almost-everywhere
consistency. To see this, the adversary can create a subset of inputs
$S = \{s\}$ such that $\mathrm{PRG}_{\mathrm{IMPL}}(pk, s) \neq \mathrm{PRG}_{\mathrm{SPEC}}(pk, s)$, where $pk$ is the adversarially
generated public parameter. Observe that the probability that a randomly
chosen input $s$ falls in $S$ must be negligible; otherwise the watchdog detects
with non-negligible probability. The difference with a stateful stretching
algorithm is that it offers the adversary more chances to hit the bad set $S$ because
of the iterations. Note that when $\mathrm{PRG}_{\mathrm{IMPL}}(pk, s) = \mathrm{PRG}_{\mathrm{SPEC}}(pk, s)$ for some randomly
chosen $s$, the output $s'$ is also pseudorandom; iterating on
this input, the stretching algorithm yields polynomially many pseudorandom
strings, so the probability that any of them hits the bad set $S$ is still
negligible. With this observation, we can still claim that with overwhelming
probability $\mathrm{PRG}_{\mathrm{IMPL}}$ will be consistent with $\mathrm{PRG}_{\mathrm{SPEC}}$ even after an arbitrary (polynomially bounded) number
of iterations. We defer the proof to the full version.

Theorem 4. Assume $h_{\mathrm{SPEC}}$ is a random oracle, and $\mathcal{F}$ with specification $\mathcal{F}_{\mathrm{SPEC}} =
(\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}, \mathrm{PRG}^{\mathcal{F}}_{\mathrm{SPEC}})$ is a pseudorandom generator, where $\mathrm{KG}^{\mathcal{F}}_{\mathrm{SPEC}}$ outputs $pk$ uniformly
from its range. Then $\mathcal{G}$ with specification $\mathcal{G}_{\mathrm{SPEC}}$ in the above construction
yields a q-subversion-resistant PRG^A for any polynomially large $q$.

Remark 4. If the public parameter contains only random group elements, e.g.,
the Dual EC PRG, we may simply encode them into bits and use a regular hash
function like SHA-256, and convert the resulting bits back to a group element;
Abstract. Cryptographic accumulators allow one to succinctly represent a set
by an accumulation value with respect to which short (non-)membership
proofs about the set can be efficiently constructed and verified. Traditionally,
their security captures soundness but offers no privacy: convincing
proofs reliably encode set membership, but they may well leak information
about the accumulated set.

In this paper we put forward a strong privacy-preserving enhancement
by introducing and devising zero-knowledge accumulators that
additionally provide hiding guarantees: accumulation values and proofs
leak nothing about a dynamic set that evolves via element insertions/deletions.
We formalize the new property using the standard real-ideal
paradigm, namely demanding that an adaptive adversary with
access to query/update oracles cannot tell whether he interacts with
honest protocol executions or a simulator fully ignorant of the set (even
of the type of updates on it). We rigorously compare the new primitive
to existing ones for privacy-preserving verification of set membership (or
other relations) and derive interesting implications among related security
definitions, showing that zero-knowledge accumulators offer stronger
privacy than recent related works by Naor et al. [TCC 2015] and Derler
et al. [CT-RSA 2015]. We construct the first dynamic universal zero-knowledge
accumulator, which we show to be perfect zero-knowledge and
secure under the q-Strong Bilinear Diffie-Hellman assumption.

Finally, we extend our new privacy notion and our new construction to
provide privacy-preserving proofs also for an authenticated dynamic set
collection, a primitive for efficiently verifying more elaborate set operations
beyond set-membership. We introduce a primitive that supports
a zero-knowledge verifiable set algebra: succinct proofs for union, intersection
and set difference queries over a dynamically evolving collection
of sets can be efficiently constructed and optimally verified, while, for
the first time, they leak nothing about the collection beyond the query
result.
1 Introduction

A cryptographic accumulator is a primitive that offers a way to succinctly represent
a set of elements $\mathcal{X}$ by a single value acc referred to as the accumulation
value. Moreover, it provides a method to efficiently and succinctly prove (to a
party that only holds acc) that an element $x$ belongs to $\mathcal{X}$, by computing a
constant-size proof $w$, referred to as witness. The interaction is in a three-party
model, where the trusted owner of the set runs the initial key generation and
setup process to publish the accumulation value. Later an untrusted server handles
queries on the set issued by clients, providing membership answers with
publicly verifiable witnesses.

Accumulators were originally introduced by Benaloh and de Mare in [4].
Numerous constructions have been proposed since, operating in various
models [2,3,7,9-12,19,23,44,54].^1 Most notably, the primitive was extended
to support non-membership witnesses [2,19,41] and efficient updates [2,11],
introducing the notions of universal and dynamic accumulators, respectively.
At the same time, accumulators found numerous other applications in the context
of public-key infrastructure, certificate management and revocation, time-stamping,
authenticated dictionaries, set operations, authenticated database
queries, anonymous credentials, and more.

Traditionally in the literature, the security property associated with accumulators
is soundness (or collision-freeness), expressed as the inability to forge
a witness for an element, i.e., if $x \notin \mathcal{X}$, it should be hard to prove $x \in \mathcal{X}$
(and vice-versa for universal accumulators). No notion of privacy was considered
until recently [20,23], e.g., "does the accumulation reveal anything about the
elements of $\mathcal{X}$" or "what can an adversarial client, that asks queries and is presented
with the accumulation and witnesses, learn about the set $\mathcal{X}$". It is clear
that such a property would be attractive, if not, depending on the application,
crucial. For example, in the context of securing the Domain Name System (DNS)
protocol by accumulating the set of records in a zone, it is crucial to leak no
information about values in the accumulated set while responding to queries.^2
As additional examples, Miers et al. [49] developed a privacy enhancement for
Bitcoin that utilizes the accumulator from [11], while Hanser and Slamanig [35]
used accumulators to build randomizable polynomial commitments for anonymous
credentials. In such a context, it is very important to minimize what is
leaked by accumulation values and witnesses in order to achieve anonymity (for
individuals and transactions).

In this work, we propose the notion of zero -knowledge for cryptographic accu- 
mulators. We define this property via an extensive real/ideal game, similar to 

1 We refer interested readers to [23] for a comprehensive review of existing schemes. 

2 See for example, https://tools.ietf.org/html/rfc5155. 
that of standard zero-knowledge [34]. In the real setting, an adversary is allowed
to choose his challenge set and to receive the corresponding accumulation. He is
then given oracle access to the querying algorithm as well as an update algorithm
that allows him to request updates in the set (receiving the updated accumulation
value every time). In the ideal setting, the adversary interacts with a simulator
that does not know anything about the set or the nature of the updates,
other than the fact that an update occurred. Zero-knowledge is then defined as
the inability of the adversary to distinguish between the two settings.

We provide the first zero-knowledge accumulator construction and prove its
security. Our construction builds upon the bilinear accumulator of Nguyen [53]
and achieves perfect zero-knowledge. Our scheme falls within the category of
dynamic universal cryptographic accumulators: it allows one to prove both membership
and non-membership statements (i.e., one can compute a witness for
$x \notin \mathcal{X}$), and supports efficient updates of the accumulation value due to insertions
and deletions in the set. It satisfies soundness under the q-Strong Bilinear
Diffie-Hellman assumption (q-SBDH), introduced in [6]. In order to provide
non-membership witness computation in zero-knowledge, we had to deviate from
existing non-membership proof techniques for the bilinear accumulator [2,19].
We instead use the set-disjointness technique of [56], appropriately enhanced for
privacy. From an efficiency perspective, we show that introducing zero-knowledge
to the bilinear accumulator comes at an insignificant cost: asymptotically all
query overheads are either the same or within a poly-logarithmic factor of the
construction in [53] that offers no privacy.

Zero-knowledge vs. indistinguishability. Recently, de Meer et al. [20] and Derler 
et al. [23] introduced an indistinguishability property for cryptographic 
accumulators. Unfortunately, the definition of the former was inherently flawed, 
as noted in [23] (footnote 3). The accumulator definition in [23], while meant to 
support changes in the accumulated set (i.e., element insertion or deletion), 
did not protect the privacy of these changes. In particular, any adversary 
suspecting a particular modification in the set could easily check the 
correctness of his guess. Our notion of zero-knowledge differs from the privacy 
notion of [23] by protecting not only the originally accumulated set but also 
all subsequent updates. In fact, we formally prove that, for cryptographic 
accumulators, zero-knowledge is a strictly stronger property than 
indistinguishability. 

Relation to zero-knowledge sets. Our privacy notion is reminiscent of that of 
zero-knowledge sets [14,15,43,48,58], where set membership and non-membership 
queries can be answered without revealing anything else about the set. 
Zero-knowledge accumulators can be seen as a relaxation of zero-knowledge sets 
in an "honest-committer" setting. In Sect. 3.2 we discuss this relation in more 
detail, also looking into the dynamic setting and comparing with existing work 
on updatable zero-knowledge sets [45]. 


Footnote 3. Subsequently, the definition was strengthened in [61], but it is 
still subsumed by that of [23]. 

Relation to zero-knowledge authenticated data structures. A cryptographic 
accumulator can be viewed as a special case of an authenticated data structure 
(ADS) [51,63], where the supported data type is a set. Likewise, the 
zero-knowledge accumulator we introduce here falls within the framework of 
zero-knowledge authenticated data structures (ZKADS) introduced recently in 
[29]. We discuss the relation in detail in Sect. 3.2. 

Beyond set-membership. One question that arises naturally is how to build a 
"set-friendly" ZKADS with a supported functionality beyond set-membership. 
In particular, given multiple sets, we are interested in accommodating more 
elaborate set operations: set union, intersection and difference (footnote 4). 
We introduce the primitive of zero-knowledge authenticated dynamic set 
collection for the following setting. A party that owns a database of sets 
outsources it to an untrusted server that is subsequently charged with handling 
queries, expressed as set operations among the database sets, issued by 
multiple clients; at any point, the owner can make updates to the outsourced 
sets. We present the first scheme that provides not only integrity of 
computations but also privacy for the queried set (i.e., the provided proofs 
leak nothing beyond the answer). The basic building block is our zero-knowledge 
accumulator, together with a carefully deployed accumulation tree [57]. We note 
that if we restrict the security properties only to soundness — as is the case 
in the traditional literature of ADS — there are existing schemes (specifically 
for set operations) by Papamanthou et al. [56] for the single-operation case, 
and by Canetti et al. [12] and Kosba et al. [40] for the case of multiple 
(nested) operations. However, none of these constructions offers privacy, thus 
our scheme is a natural strengthening of their security guarantees, while 
maintaining the same efficient performance. Preserving efficiency while 
maintaining integrity and zero-knowledge privacy turned out to be quite 
challenging. In particular, answering union and set-difference queries for set 
collections required new techniques to be developed. At a high level, the 
efficiency of the proof techniques in [56] strongly relies on revealing much of 
the non-queried information and hence could not be extended to support 
privacy-preserving queries. 

Contributions. Our contributions can be summarized as follows: 

- We introduce the property of zero-knowledge for cryptographic accumulators 
and show that it is strictly stronger than existing privacy notions for 
accumulators. 

- We give an overview of the connection between zero-knowledge accumulators 
and related cryptographic primitives in the area (e.g., we show that zero- 
knowledge accumulators imply primary-secondary-resolver systems proposed 
in [52]). 

- We provide the first construction of a zero-knowledge dynamic universal 
accumulator. Our scheme is perfect zero-knowledge and secure under the 
q-SBDH assumption; it achieves these security properties with only a small 
(or no) overhead. We compare efficiency with the accumulator of [53] in Fig. 3 
in terms of the number of cryptographic operations performed. 

Footnote 4. We stress that, in the computational setting, these operations 
form a complete set algebra. 

- Using our zero-knowledge accumulator as a building block, we construct the 
first protocol for zero-knowledge outsourced set operations. Our scheme is 
non-interactive and offers secure and efficient subset, intersection and union 
operations under the q-SBDH assumption. For set-difference queries, our 
construction is secure under the q-SBDH assumption as well, but proof 
construction entails a Sigma protocol, thus requiring interaction. This secure 
set-difference protocol can also be made non-interactive, albeit in the random 
oracle model (in which case the construction is in the Common Reference String 
model). Our construction (except for the update cost) is asymptotically as 
efficient as the previous state-of-the-art construction from [56], which 
offered no privacy guarantees. 


1.1 Other Related Work 

Existing works (e.g., [2,11,41,53]) equip some accumulators with zero-knowledge 
proof-of-knowledge protocols, such that a party that knows that value x is (or 
is not) in X can efficiently prove it to a third-party arbitrator without 
revealing the value. While hiding x, all existing constructions trivially expose 
the accumulation value as part of the proven statement. This may itself reveal 
information about the set X. Our privacy goals are therefore different, yet the 
techniques are compatible. Developing zero-knowledge proof-of-knowledge 
protocols for membership and non-membership that can work with a 
zero-knowledge accumulator will yield a strong tool that leaks nothing about 
either the set or the particular element in the proof. 

Most widely-used accumulator constructions — including ours — are in the 
trusted-setup model, i.e., the party that originally generates the scheme 
parameters holds some trapdoor information that is not revealed to the 
adversary. E.g., for the RSA-based constructions, any adversary that knows the 
factorization of the modulus can trivially cheat. An alternative body of work 
aims to build trapdoorless accumulators (also referred to as strong 
accumulators) [7,9,44,54,55,62], where the owner is entirely untrusted 
(effectively the owner and the server are the same entity). Unfortunately, the 
earlier of these works are quite inefficient for all practical purposes, while 
the more recent ones either yield witnesses that grow logarithmically with the 
size of X or rely on algebraic groups that are not yet well-studied in 
cryptography. A straightforward way to construct a strong accumulator is via a 
black-box reduction from zero-knowledge sets (with corresponding efficiency 
caveats). While a scheme without the need for a trusted setup is clearly more 
attractive in terms of security, it is safe to say that we do not yet have a 
practical scheme with constant-size proofs based on standard security 
assumptions. 

Recently, Naor et al. [52] introduced primary-secondary-resolver membership 
proof systems, a primitive that is also a relaxation of zero-knowledge sets in 
the three-party model, and showed applications in network protocols [33]. While 
our definitions have similarities, in Sect. 3.2 we show that zero-knowledge 
accumulators are a stronger primitive than primary-secondary-resolver systems. 

Regarding related work for set operations, the focus in the cryptographic 
literature has been on the privacy aspect, with a very long line of works (see 
for example [5,27,36,37,39]), some of which focus specifically on 
set-intersection (e.g., [17,18,24,38]). The above works fit in the secure 
two-party computation model and most are secure (or can be made so with some 
loss in efficiency) also against malicious adversaries, thus guaranteeing the 
authenticity of the result. However, this approach typically requires 
multi-round interaction or larger communication cost than our construction. On 
the other hand, our two security properties are "one-sided": only the server 
may cheat with respect to soundness and only the client with respect to 
privacy; in this setting we achieve non-interactive solutions with optimal 
proof size. There also exist works that deal exclusively with the integrity of 
set operations, such as [50], which achieves linear verification and proof 
cost, and [64], which only focuses on set-intersection but can be combined with 
an encryption scheme to achieve privacy against the server. 

Another work that is related to ours is that of Fauzi et al. [25] that presents an 
efficient non-interactive zero-knowledge argument for proving relations between 
committed sets. Conceptually this work is close to zero-knowledge sets, allowing 
also for more general set operation queries. From a security viewpoint, it is in 
the stronger two-party model and, from a functionality viewpoint, it works for 
(more general) multi-set operations. However, its security relies on non-falsifiable 
knowledge assumptions, and the construction trivially leaks an upper-bound on 
the committed sets. Moreover, it cannot be efficiently generalized for operations 
on more than two sets at a time and it does not explicitly support efficient 
modifications in the sets. 

We also note that recently other instantiations of zero-knowledge authenti- 
cated data structures have been proposed, including lists, trees and partially- 
ordered sets of bounded dimension [29,32]. 

2 Preliminaries 

We denote with λ the security parameter and with ν(λ) a negligible function. 
A function f(λ) is negligible if for each polynomial function poly(λ) and all 
large enough values of λ, f(λ) < 1/poly(λ). We say that an event can occur 
with negligible probability if its occurrence probability can be upper bounded 
by a negligible function. Respectively, an event takes place with overwhelming 
probability if its complement takes place with negligible probability. The 
symbol x ←$ 𝒳 denotes uniform sampling from domain 𝒳. We denote the fact that 
a party Adv (instantiated as a Turing machine) is probabilistic and runs in 
polynomial time by writing PPT Adv. 

Bilinear pairings. Let G be a cyclic multiplicative group of prime order p, 
generated by g. Let also G_T be a cyclic multiplicative group with the same 
order p and e : G × G → G_T be a bilinear pairing with the following 
properties: (1) Bilinearity: e(P^a, Q^b) = e(P, Q)^{ab} for all P, Q ∈ G and 
a, b ∈ Z_p; (2) Non-degeneracy: e(g, g) ≠ 1_{G_T}; (3) Computability: there 
is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G. We denote with 
pub := (p, G, G_T, e, g) the bilinear pairing parameters, output by a 
randomized polynomial-time algorithm GenParams on input 1^λ. For clarity of 
presentation, we assume for the rest of the paper a symmetric (Type 1) pairing 
e. We note though that both our constructions can be securely implemented in 
the (more efficient) asymmetric pairing case, with straightforward 
modifications (see [16] for a general discussion on pairings). Our security 
proofs make use of the q-Strong Bilinear Diffie-Hellman (q-SBDH) assumption 
over groups with bilinear pairings, introduced in [6]. 

Assumption 1 (q-Strong Bilinear Diffie-Hellman). For any PPT adversary Adv 
and for q being a parameter of size polynomial in λ, there exists a negligible 
function ν(λ) such that the following holds: 

\[
\Pr\left[
\begin{array}{l}
\mathit{pub} \leftarrow \mathsf{GenParams}(1^\lambda);\; s \xleftarrow{\$} \mathbb{Z}_p^*;\\
(z, \gamma) \in \mathbb{Z}_p^* \times \mathbb{G}_T \leftarrow \mathsf{Adv}\big(\mathit{pub}, (g^{s}, \ldots, g^{s^q})\big)
\;:\; e(g,g)^{1/(z+s)} = \gamma
\end{array}
\right] \le \nu(\lambda)
\]

Complexity model. For ease of notation, we measure the asymptotic performance 
of our schemes by counting numbers of operations and group elements, ignoring 
a factor that is poly-logarithmic in λ (e.g., an operation in G takes one unit 
of time). 

Characteristic polynomial. A set X = {x_1, ..., x_n} with elements x_i ∈ Z_p 
can be represented by a polynomial, following an idea introduced in [27]. The 
polynomial Ch_X(z) = ∏_{i=1}^{n} (x_i + z) from Z_p[z], where z is a formal 
variable, is called the characteristic polynomial of X. In what follows, we 
will denote this polynomial simply by Ch_X and its evaluation at a point y as 
Ch_X(y). Characteristic polynomials enjoy a number of homomorphic properties 
w.r.t. set operations. We use the following characterization of set 
intersection: given a collection of sets X_{i_1}, ..., X_{i_k} and their 
characteristic polynomial representations, the following lemma characterizes 
the intersection of the sets. 

Lemma 1 ([56]). A set answer that is a common subset of sets X_{i_1}, ..., 
X_{i_k} is their intersection if and only if there exist polynomials 
q_1[z], ..., q_k[z] such that 

\[
\sum_{j \in [i_1, i_k]} q_j[z] \cdot P_j[z] = 1,
\qquad \text{where } P_j[z] = \mathrm{Ch}_{X_j \setminus \mathit{answer}}[z].
\]

Computing the polynomials q_j[z] for j ∈ [i_1, i_k] has 
O(N log^2 N log log N) complexity, where N = Σ_{j ∈ [i_1, i_k]} n_j and 
n_j = |X_j|. 

The following two lemmas characterize the efficiency of computing the 
characteristic polynomial of a set (note that there is no requirement for the 
existence of an n-th root of unity in Z_p for such an algorithm to exist) and 
the probability that two distinct polynomials agree at a randomly chosen point. 

Lemma 2 ([59]). Given a set X = {x_1, ..., x_n} ∈ Z_p^n, its characteristic 
polynomial Ch_X := Σ_{i=0}^{n} c_i z^i ∈ Z_p[z] can be computed with 
O(n log n) operations by FFT interpolation. 
Lemma 3 (Schwartz-Zippel-DeMillo-Lipton). Let p[z], q[z] be two d-degree 
polynomials from Z_p[z] with p[z] ≠ q[z]. Then for w ←$ Z_p, the probability 
that p(w) = q(w) is at most d/p, and the equality can be tested in time O(d). 

If p ∈ O(2^λ), it follows that the above probability is negligible if d is 
poly(λ). 
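The characteristic-polynomial machinery of this section, worked through in an added Python example that is not part of the paper: it builds Ch_X over Z_p, derives the Bezout polynomials q_j of Lemma 1 by extended Euclid (folding k sets one at a time, which generalizes the two-set gcd), and runs the random-point check of Lemma 3. The modulus P and the sample sets are constructed placeholders; the actual scheme evaluates these polynomials inside the bilinear group rather than over plain Z_p.

```python
"""Characteristic polynomials over Z_p and the intersection test of Lemma 1.

Polynomials are lists of coefficients over Z_p, lowest degree first.
Constructed example: P is a placeholder prime, not a pairing group order.
"""
import random

P = 2**61 - 1  # constructed prime modulus (the scheme uses the bilinear group order p)


def trim(a):
    """Drop leading zero coefficients so that a[-1] is the leading coefficient."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def poly_sub(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) - (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])


def poly_mul(a, b):
    """Schoolbook product in Z_p[z] (Lemma 2 would use FFT instead)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return trim(out)


def poly_divmod(a, b):
    """Long division in Z_p[z]; returns (quotient, remainder)."""
    a, b = trim(list(a)), trim(list(b))
    inv_lead = pow(b[-1], P - 2, P)          # b[-1] != 0 for a non-zero divisor
    q, r = [0] * max(1, len(a) - len(b) + 1), a
    while r != [0] and len(r) >= len(b):
        shift = len(r) - len(b)
        coef = r[-1] * inv_lead % P
        q[shift] = coef
        r = poly_sub(r, [0] * shift + [c * coef % P for c in b])
    return trim(q), r


def poly_ext_gcd(a, b):
    """Extended Euclid: returns monic g and u, v with u*a + v*b = g."""
    r0, r1 = trim(list(a)), trim(list(b))
    u0, u1, v0, v1 = [1], [0], [0], [1]
    while r1 != [0]:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, poly_sub(u0, poly_mul(q, u1))
        v0, v1 = v1, poly_sub(v0, poly_mul(q, v1))
    inv = pow(r0[-1], P - 2, P)               # make the gcd monic
    return tuple(trim([c * inv % P for c in x]) for x in (r0, u0, v0))


def poly_eval(a, w):
    """Horner evaluation of a at the point w."""
    acc = 0
    for c in reversed(a):
        acc = (acc * w + c) % P
    return acc


def char_poly(X):
    """Ch_X(z) = prod_{x in X} (x + z): monic of degree |X|."""
    ch = [1]
    for x in X:
        ch = poly_mul(ch, [x % P, 1])
    return ch


def intersection_proof(sets, answer):
    """Lemma 1: a common subset `answer` is the intersection iff the polynomials
    P_j = Ch_{X_j \\ answer} are coprime, i.e. there are q_j with sum q_j*P_j = 1.
    Returns the list of q_j when `answer` is correct, otherwise None."""
    if not all(answer <= X for X in sets):
        return None
    polys = [char_poly(sorted(X - answer)) for X in sets]
    g, coeffs = polys[0], [[1]]
    for pj in polys[1:]:                      # fold gcd(P_1, ..., P_j) one set at a time
        g, u, v = poly_ext_gcd(g, pj)         # g_new = u*g_old + v*P_j
        coeffs = [poly_mul(u, c) for c in coeffs] + [v]
    return coeffs if g == [1] else None


def verify_at_random_point(sets, answer, coeffs):
    """Verifier side (Lemma 3): check sum q_j(w)*P_j(w) = 1 at a random w in Z_p.
    If the identity fails as polynomials, this passes with probability at most
    deg/p, negligible for p of size 2^lambda. The scheme does this check with
    pairings over accumulation values instead of reading the sets directly."""
    w = random.randrange(P)
    total = 0
    for X, q in zip(sets, coeffs):
        pw = poly_eval(char_poly(sorted(X - answer)), w)
        total = (total + poly_eval(q, w) * pw) % P
    return total == 1
```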

Accumulation tree. Given a collection of sets S = {X_1, X_2, ..., X_m}, let 
acc(X_i) be a succinct representation of X_i using its characteristic 
polynomial. We describe an authentication mechanism that does the following. A 
trusted party computes m hash values h_i := h(acc(X_i)) (using a 
collision-resistant cryptographic hash function) of the m sets of S. Then, 
given a short public digest of the current set collection S, the 
authentication mechanism provides publicly verifiable proofs of the form "h_i 
is the hash of the i-th set of the current set collection". A popular 
authentication mechanism for such proofs is the Merkle hash tree [47], which, 
based on a single-value digest, provides logarithmic-size proofs and supports 
updates. An alternative mechanism to Merkle trees (specifically in the bilinear 
group setting) is the accumulation tree [57]. Intuitively, an accumulation tree 
can be seen as a "flat" version of a Merkle tree. In this work, we use our 
extension (for batch updates) of the accumulation tree in [56]. The detailed 
construction can be found in the full version. 

3 Zero-Knowledge Universal Accumulators (ZKUA) 

A dynamic universal accumulator (DUA) consists of five probabilistic 
polynomial-time algorithms (GenKey, Setup, Witness, Verify, Update). It 
represents a set X, with elements from domain 𝒳, by an accumulation value 
acc ∈ 𝒜. It supports queries of the form "is x ∈ X?" for x ∈ 𝒳 and updates 
to the current set (e.g., using "insert x" or "remove x" operations). The 
algorithms of a DUA, as described below, are run between three parties: the 
owner, the server and the client. We follow the definitional style of [23,26], 
where the accumulator is described as a tuple of algorithms. In the full 
version we provide a discussion regarding our chosen definitional style. 

Definition 1 (Dynamic Universal Accumulator). A dynamic universal 
accumulator is a tuple of five PPT algorithms, DUA = (GenKey, Setup, 
Witness, Verify, Update), defined as follows: 

(sk, vk) ← GenKey(1^λ) 

This probabilistic algorithm takes as input the security parameter and outputs 
a (public) verification key vk that will be used by the client to verify query 
responses and a secret key sk that is kept by the owner. 

(acc, ek, aux) ← Setup(sk, X) 

This probabilistic algorithm is run by the owner. It takes as input the source 
set X and produces the accumulation value acc that will be published to both 
server and client, and an evaluation key ek as well as auxiliary information 
aux that will be sent only to the server in order to facilitate proof 
construction. 
(b, w) ← Witness(acc, X, x, ek, aux) 

This algorithm is run by the server. It takes as input the evaluation key ek 
and the accumulation value acc generated by the owner, the source set X, and 
a queried element x. It outputs a boolean value b indicating whether the 
element is in the set and a witness w for the answer. 

(accept/reject) ← Verify(acc, x, b, w, vk) 

This algorithm is run by the client. It takes as input the accumulation value 
acc and the public key vk computed by the owner, a queried element x, a bit 
b and the witness w, and it outputs accept/reject. 

(acc', ek', aux') ← Update(acc, X, x, sk, aux, upd) 

This algorithm takes as input the current set with its accumulation value and 
auxiliary information, as well as an element x to be inserted into X if upd = 1 
or removed from X if upd = 0. If upd = 1 and x ∈ X (likewise if upd = 0 
and x ∉ X), the algorithm outputs ⊥ and halts, indicating an invalid update. 
Otherwise, it outputs (acc', ek', aux'), where acc' is the new accumulation 
value corresponding to set X ∪ {x} or X \ {x} (to be published), ek' is the 
(possibly) modified evaluation key, and aux' is the respective auxiliary 
information (both to be sent only to the server). 

To update existing witnesses efficiently (i.e., not recomputing them from scratch) 
after a change of the accumulation value, we define the WitUpdate functionality. 

(upd, w') ← WitUpdate(acc, acc', x, w, y, ek', aux, aux', upd) 

This algorithm is to be run after an invocation of Update. It takes as input 
the old and the new accumulation values and auxiliary information, the 
evaluation key ek' output by Update, as well as the element x that was inserted 
into or removed from the set, according to the binary value upd (the same as in 
the execution of Update). It also takes a different element y and its existing 
witness w (which may be a membership or non-membership witness). It outputs 
a new witness w' for y with respect to the new set X'. The output must be 
the same as the one computable by running Witness(acc', X', y, ek', aux'). 

We point out that the ability to update membership witnesses is inherently more 
important than that of non- membership witnesses. The former corresponds to 
the (polynomially many) values in the set whereas the latter will be exponentially 
many (or infinite). A server that wants to cache witness values and update them 
efficiently can thus benefit more from storing pre-computed positive witnesses 
than negative ones (that are less likely to be used again). 

Untrusted vs. trusted setup. The way we formulated our definition, Setup and 
Update require knowledge of sk, Witness requires ek and Verify takes only vk. 
From a practical point of view, the owner is the party that is responsible for 
maintaining the accumulation value at all times (e.g., signing it and posting it 
to a public log); all changes in X should, in a sense, be validated by him first. 
On the other hand, in most popular schemes (e.g., the RSA construction of [11] 
and the bilinear accumulator of [53]), setup and update can be run by the server 
(without the trapdoor sk) and the only distinction is that the owner can achieve 
this much faster. The same holds for our construction, but in the security 
definitions we adopt the more general framework where the adversary is given 
oracle access to these algorithms. It should be noted that for our construction, 
all security properties hold even if sk is empty; only the complexity analysis 
changes. 


3.1 Zero-Knowledge Accumulators: Security Properties 

The first property we require from a cryptographic accumulator is completeness, 
i.e., a witness output by any sequence of invocations of the scheme algorithms, 
for a valid statement (corresponding to the state of the set at the time of the 
witness generation) is verified correctly with all but negligible probability. 

Definition 2 (Completeness). Let X_i denote the set with elements from 𝒳, 
constructed after i invocations of the Update algorithm (starting from a set 
X_0), and likewise for ek_i, aux_i. A dynamic universal accumulator is complete 
if for all sets X_0 where |X_0| and l ≥ 0 are polynomial in λ, and for all 
x, x_i ∈ 𝒳 with 0 ≤ i ≤ l, there exists a negligible function ν(λ) such that: 

\[
\Pr\left[
\begin{array}{l}
(sk, vk) \leftarrow \mathsf{GenKey}(1^\lambda);\;
(ek_0, acc_0, aux_0) \leftarrow \mathsf{Setup}(sk, X_0);\\
\{(acc_{i+1}, ek_{i+1}, aux_{i+1}) \leftarrow \mathsf{Update}(acc_i, X_i, x_i, sk, aux_i, upd_i)\}_{0 \le i < l};\\
(b, w) \leftarrow \mathsf{Witness}(acc_l, X_l, x, ek_l, aux_l)
\;:\; \mathsf{Verify}(acc_l, x, b, w, vk) = \mathsf{accept}
\end{array}
\right] \ge 1 - \nu(\lambda)
\]

where the probability is taken over the randomness of the algorithms. 

In the above we purposely omitted the WitUpdate algorithm that was introduced 
purely for efficiency gains at the server. In fact, recall that we restricted it to 
return the exact same output as Update (run for the corresponding set and 
element) hence the value w in the above definition might as well have been 
computed during an earlier update and subsequently updated by (one or more) 
calls of WitUpdate. 

The second property is soundness, which captures the fact that adversarial 
servers cannot provide accepting witnesses for incorrect statements. It is 
formulated as the inability of Adv to win a game during which he is given 
oracle access to all the algorithms of the scheme (except for those he can run 
on his own using ek, aux; see the discussion on private versus public setup and 
updates above) and is required to output such a statement and a corresponding 
witness. 


Definition 3 (Soundness). For all PPT adversaries Adv running on input 1^λ 
and all l polynomial in λ, the probability of winning the following game, taken 
over the randomness of the algorithms and the coins of Adv, is negligible: 

Setup. The challenger runs (sk, vk) ← GenKey(1^λ) and forwards vk to Adv. 
The latter responds with a set X_0. The challenger runs (ek_0, acc_0, aux_0) ← 
Setup(sk, X_0) and sends the output to the adversary. 

Updates. The challenger initiates a list L and inserts the tuple (acc_0, X_0). 
Following this, the adversary issues update x_i and receives the output of 
Update(acc_i, X_i, x_i, sk, aux_i, upd_i) from the challenger, for 
i = 0, ..., l. After each invocation of Update, if the output is not ⊥, the 
challenger appends the returned (acc_{i+1}, X_{i+1}) to L. Otherwise, he 
appends (acc_i, X_i). 

Challenge. The adversary outputs an index j and a triplet (x*, b*, w*). Let 
L[j] be (acc_j, X_j). The adversary wins the game if: 

\[
\mathsf{Verify}(acc_j, x^*, b^*, w^*, vk) = \mathsf{accept}
\;\land\;
\big((x^* \in X_j \land b^* = 0) \lor (x^* \notin X_j \land b^* = 1)\big)
\]

A discussion on the winning conditions of the game is due at this point. This 
property (also referred to as collision-freeness) was introduced in this format 
in [41] and was more recently adapted in [23] with slight modifications. In 
particular, there Adv outputs a set X* and accumulation value acc* as well as 
the randomness (possibly) used to compute the latter (to cater for randomized 
accumulators). It is trivial to show that the two versions of the property are 
equivalent. 

An alternative, more demanding, way to formulate the game is to require 
that the adversary wins if he outputs two accepting witnesses for the same 
element and with respect to the same accumulation value (without revealing 
the pre-image set): a membership and a non-membership one. This property, 
introduced in the context of accumulators in [7], is known as undeniability and 
is the same as the privacy property of zero-knowledge sets. Recently, Derler 
et al. [23] showed that undeniability is a stronger property than soundness. 
However, existing constructions for undeniable accumulators are in the trapdoor- 
less setting (with the limitations discussed in Sect. 1.1); since our construction 
is in the three-party setting, we restrict our attention to soundness. This should 
come as no surprise, as undeniability allows an adversary to provide a candidate 
accumulation value, without explicitly giving a corresponding set. In a trusted- 
setup setting, the accumulation value is always maintained by the trusted owner; 
there is no need to question whether it was honestly computed (e.g., whether he 
knows a set pre-image or even whether there exists one) hence undeniability in 
this model is an “overkill” in terms of security (see also the related discussion 
in Sect. 3.2). 

The novel property we introduce here is zero-knowledge. Informally, this 
property ensures that an adversarial party (i.e., the client) that sees the 
accumulation value as well as all membership and non-membership witnesses 
exchanged during the protocol execution, and has the ability to issue arbitrary 
queries, learns nothing about the set, not even its size. Zero-knowledge 
guarantees that nothing can be learned from the protocol except for the answer 
to a query itself. In other words, explicitly querying for an element is the 
only way to learn whether it appears in the set or not. We formalize this in a 
way that is very similar to zero-knowledge sets (e.g., see the definition of 
[15]), appropriately extended to handle not only queries but also updates 
issued by the adversary. In particular, we want the proofs to be ephemeral, 
i.e., proofs generated before an update should be invalidated after an update. 
We require that there exists a simulator such that no adversarial client can 
distinguish whether he is interacting with the algorithms of the scheme or with 
the simulator, which has no knowledge of the set or the element updates that 
occur, other than whether a queried element is in the set and whether requested 
updates are valid. This information is given to the simulator as the output of 
a function D that checks the validity of a requested operation (footnote 5). 

Definition 4 (Zero-Knowledge). Let D be a binary function defined as 
follows. For queries, D(query, x, X) = 1 iff x ∈ X. For updates, 
D(update, x, c, X) = 1 iff (c = 1 ∧ x ∉ X) or (c = 0 ∧ x ∈ X). Let 
Real_Adv(1^λ), Ideal_{Adv,Sim}(1^λ) be games between a challenger, an 
adversary Adv and a simulator Sim = (Sim_1, Sim_2), defined as follows: 

Real_Adv(1^λ): 

Setup. The challenger runs (sk, vk) ← GenKey(1^λ) and forwards vk to Adv. 
The latter chooses a set X_0 with |X_0| ∈ poly(λ) and sends it to the 
challenger, who in turn runs Setup(sk, X_0) to get (acc_0, ek_0, aux_0). He 
then sends acc_0 to Adv and sets (X, acc, ek, aux) ← (X_0, acc_0, ek_0, aux_0). 

Query. For i = 1, ..., l, where l ∈ poly(λ), Adv outputs (op, x_i, c_i) where 
op ∈ {query, update} and c_i ∈ {0, 1}: 

If op = query: The challenger runs (b, w_i) ← Witness(acc, X, x_i, ek, aux) 
and returns the output to Adv. 

If op = update: The challenger runs Update(acc, X, x_i, sk, aux, c_i). If 
the output is not ⊥, he updates the set accordingly to get X_i, sets 
(X, acc, ek, aux) ← (X_i, acc_i, ek_i, aux_i) and forwards acc to Adv. Else, 
he responds with ⊥. 

Response. The adversary outputs a bit d. 

Ideal_{Adv,Sim}(1^λ): 

Setup. The simulator Sim_1, on input 1^λ, outputs a vk which he forwards to 
Adv. The adversary chooses a set X_0 with |X_0| ∈ poly(λ). Sim_1 (without 
seeing X_0) responds with acc_0 and maintains state state_S. Finally, let 
(X, acc) ← (X_0, acc_0). 

Query. For i = 1, ..., l, Adv outputs (op, x_i, c_i) where op ∈ {query, update} 
and c_i ∈ {0, 1}: 

If op = query: The simulator runs (b, w_i) ← Sim_2(acc, x_i, state_S, 
D(query, x_i, X)) and returns the output to Adv. 

If op = update: The simulator runs Sim_2(acc, state_S, D(update, x_i, c_i, X)). 
If the output of D(update, x_i, c_i, X) is 1, let X ← X ∪ {x_i} in the case 
c_i = 1 and X ← X \ {x_i} in the case c_i = 0, i.e., X is a placeholder 
variable for the latest set version at all times according to valid updates, 
which is however never observed by the simulator. The simulator responds to Adv 
with acc'. If the response acc' is not ⊥ then acc ← acc'. 

Response. The adversary outputs a bit d. 

A dynamic universal accumulator is zero-knowledge if there exists a PPT 
simulator Sim = (Sim_1, Sim_2) such that for all adversaries Adv there exists a 
negligible function ν such that: 

\[
\big|\Pr[\mathrm{Real}_{\mathsf{Adv}}(1^\lambda) = 1] - \Pr[\mathrm{Ideal}_{\mathsf{Adv},\mathsf{Sim}}(1^\lambda) = 1]\big| \le \nu(\lambda).
\]

If Adv is PPT, then this defines computational zero-knowledge; perfect and 
statistical zero-knowledge can be defined similarly. 

Footnote 5. Instead of using D with different arguments for checking the 
validity of query and update, we could make D work only for queries, i.e., 
D(query, ...), and express the validity of a requested update as 
D(query, ...) ⊕ c. We chose to use the former notation because we feel it is 
cleaner. 

Observe that, even though Adv may be unbounded (in the case of statistical or 
perfect zero-knowledge), the size of the set is always polynomial in the 
security parameter, as in [15]; in fact it is upper bounded by |X_0| + l. This 
ensures that we can have polynomial-time simulation, matching the real-world 
execution where all parties run in polynomial time. Having computationally 
unbounded adversaries is still meaningful: such a party may, after having 
requested polynomially many updates, spend unlimited computational resources 
trying to distinguish the two settings. 

As already observed in [20,21,23], when formulating a notion of privacy for 
cryptographic accumulators the fact that the accumulation value computation 
must be randomized becomes evident. If Setup (and similarly, Update) is a deter- 
ministic algorithm, then each set has a uniquely defined accumulation value 
(subject to particular sk) that can be reproduced by any adversary with oracle 
access to the algorithm. 

In our definition, the server holds the evaluation key ek that is used to pro- 
duce witnesses, and that is not available to the client. This is not a restriction 
of the model, but should rather be seen as a generalization, in order to capture 
zero-knowledge in all settings; if ek does not leak any information about the 
set, it may be included in the public vk. Specifically for our construction from 
Sect. 4, if we choose to make ek public, then what is leaked is an upper-bound on 
the set size, formally captured by the notion of functional zero-knowledge [52]. 

3.2 Relation to Other Primitives 

There exist various cryptographic primitives that address the problem of secure 
set (non-) membership, in the same or related models, and it is imperative to 
compare the primitive of zero-knowledge accumulators with these. 

We present a mapping of the research literature for the construction of 
cryptographic proofs for set-membership and non-membership, which has attracted 
significant attention lately; proofs can be found in the full version. This is 
far from a complete presentation of results in the area; we focus on the 
relation between those primitives that are most closely related to the problem, 
avoiding general approaches (e.g., general-purpose zero-knowledge protocols) or 
related models that address similar problems (such as group signatures, e.g., 
[1]). The overall picture for the static case (i.e., without assuming changes 
in the set) can be seen in Fig. 1. Arrows denote implication; an arrow from A 
to B translates to "B can be built in a black-box manner from A". Double-sided 
arrows denote equivalence of definitions, i.e., both can be constructed in a 
black-box manner from each other. 

The most prominent such primitive is zero-knowledge sets [14,15,43,48]. 
There, queries can be answered without revealing anything about the set, albeit 
at a stronger setting where the server and the owner are the same (untrusted) 
entity. In the same setting, we also discussed trapdoorless (or strong) accumula- 
tors (see Sect. 1.1). Zero-knowledge sets are a stronger primitive than accumu- 
lators; they satisfy the same soundness property with trapdoorless accumulators 
but they additionally offer privacy. Hence all other primitives in our mapping 
can be built from them. Additionally, if a scheme is a trapdoorless accumulator 
it is secure with an untrusted setup execution, therefore (and quite trivially) it 
is also secure with a trusted setup, hence it is also an accumulator. 

As a mental exercise, let us now try to define the privacy-preserving counterparts 
of trapdoorless accumulators, i.e., trapdoorless zero-knowledge accumulators.^6 Quite 
informally, the completeness and zero-knowledge definitions remain the same but the 
soundness property is replaced by the, strictly stronger, property of undeniability 
(see, e.g., [44] for a concrete definition), which is the same as the soundness 
property of zero-knowledge sets: By “merging” the existing soundness guarantee of 
trapdoorless accumulators with our zero-knowledge property (which, for the static 
case, is identical to that of zero-knowledge sets) we -quite unsurprisingly- ended 
up with zero-knowledge sets. We stress that the latter exist in the common reference 
string model (or the trusted parameters model) hence this must also be true for 
trapdoorless zero-knowledge accumulators (e.g., a trusted authority runs the 
key-generation algorithm and publishes the result as a common reference string). On 
the contrary, this is not necessary for trapdoorless accumulators (without privacy) 
since the security game there is one-sided; the client can perform key-generation 
himself. As a final note, we point out that zero-knowledge (trapdoorless) accumulators 
imply (trapdoorless) accumulators since the former satisfy a strict superset of 
the security properties of the latter. 

Fig. 1. Relations among cryptographic primitives for proof of membership and 
non-membership (static case). ZKS: zero-knowledge sets, T-ACC: trapdoorless 
accumulators, ACC: accumulators, T-ZKACC: trapdoorless zero-knowledge 
accumulators, ZKACC: our zero-knowledge accumulators (circled), PSR: 
primary-secondary-resolver membership proof systems. 

6 It should be noted that, in the accumulators literature, the trapdoor refers to a secret 
value possibly used for efficiency purposes when computing accumulation values and 
witnesses by the trusted owner. This should not be confused with the trapdoor 
typically used in zero-knowledge protocols for simulation purposes. 

This equivalence of zero-knowledge sets and trapdoorless zero-knowledge 
accumulators can be useful in two ways: (i) more efficient (e.g., with smaller 
proof sizes) zero-knowledge sets may be achievable with techniques borrowed 
from the accumulators literature, and (ii) an impossibility result in one of the 
two models is translatable to the other. This holds, for example, in the case of 
the batch-update impossibility for accumulators of [8]. We want to stress that 
our construction in Sect. 4 is not trapdoorless; to the best of our knowledge, the 
best known way to construct trapdoorless zero-knowledge accumulators is via a 
black-box reduction from zero-knowledge sets. 

Another related primitive is primary-secondary-resolver proof systems 
(PSR), introduced by Naor et al. [52]. Their privacy notion is a relaxation of 
zero-knowledge defined as functional zero-knowledge, i.e., the simulator may be 
allowed to learn some function of the set (typically its size). Also, the games in 
the PSR definition are non-adaptive in the following sense: Adv needs to declare 
its cheating set before he even receives the corresponding keys (ek, vk for sound- 
ness and only vk for zero-knowledge -using our terminology).^7 For the above 
reasons, while it is trivial that zero-knowledge accumulators imply PSR (where 
the leaked function is void), the other direction is generally not true. We stress 
that the above distinction between adaptive and selective security does not hold 
in the dynamic setting. There an adversary may declare a cheating set origi- 
nally, receive the keys, and then modify his choice via a series of update calls 
(see, however, our discussion for this setting in the next paragraph). 

Our results here are complementary to the relations proven in [52]. There, 
the authors prove that PSR systems exist, if and only if, one-way functions exist, 
which in turn implies that zero-knowledge sets cannot be built in a black-box 
manner from PSR. 

Dynamic setting. Once we move to the dynamic setting, where there exist effi- 
cient algorithms for modifications in the set, the relations are largely the same as 
in Fig. 1, but some clarifications are in order. The first work addressing updatable 
zero-knowledge sets was by Liskov [45], where two notions of privacy were intro- 
duced: opacity and transparency. Constructions of the latter form were presented 
in [13,45]. The above relations between definitions hold with respect to opacity. 
A construction for efficiently updatable opaque zero-knowledge sets (from stan- 
dard assumptions) remains an open problem. However, when restricted to the 
three-party model (i.e., with trusted setup), it can be shown that our construc- 
tion from Sect. 4 (with minor modifications) satisfies the opacity property. On 
the other hand, transparency is a weaker form of privacy, as it trivially leaks 
whether a particular element, that has been previously queried, was affected by 
an update (but it otherwise allows parties to maintain cached witnesses). 

7 One could possibly modify the PSR model -and the security games- significantly to 
make them adaptive, by separating the key generation and setup algorithms. Indeed, 
to the best of our knowledge, the PSR construction of [33] would probably satisfy 
such a modified definition, assuming it was instantiated with an adaptively-secure 
signature scheme and an adaptively-secure verifiable random function. 

Regarding the relation between zero-knowledge accumulators and PSR, mat- 
ters are also straightforward as the latter are explicitly defined only for the static 
case. In [52], the authors recommend the usage of techniques from certificate- 
revocation lists [51], as an additional external mechanism to accommodate 
updates. Contrary to this, our definitional approach is to make update-handling 
mechanisms explicitly part of the scheme. In this sense, zero-knowledge accumu- 
lators are a natural definitional extension of PSR in the dynamic setting. That 
said, we explicitly require that clients can at all times access the latest accu- 
mulation value, which would not be the case following the revocation scheme 
approach. We stress however that this does not necessitate active authenti- 
cated channels between owner and clients; in practice it is achievable with a 
“timestamp-sign-and-publish” from the owner. 

We note that recently [42] introduced the general notion of functional com- 
mitments (which can capture accumulators as a special case). However, their 
construction handles only subset queries and it does not support updates on the 
committed set. On the other hand, [60] introduced the notion of asynchronous 
accumulators in a distributed setting and does not consider privacy. 

Relation to zero-knowledge authenticated data structures. Another 
important observation is the relation of zero-knowledge accumulators with the 
framework of zero-knowledge authenticated data structures (ZKADS), recently 
introduced in [29].^8 ZKADS extend the well-known primitive of authenticated 
data structures (ADS) adding an additional zero-knowledge property. The set- 
ting is the standard three-party model but now the supported type may be 
any kind of data structure. The choice of data structure defines the kind of 
data stored and the type of supported queries. In [29,31,32], the authors pro- 
vided constructions for various types of data structures, in particular for a zero- 
knowledge authenticated list (i.e., a data structure that supports “insert-after”, 
“delete” operations, as well as “order” queries), a tree, and a partially-ordered set 
(poset) of bounded dimension and range queries. Consequently, a zero-knowledge 
accumulator is a type of ZKADS where the data structure is a set of elements 
supporting -unordered- insertions and deletions, and (non-) membership queries. 

The above constructions are the only ZKADS instantiations in the litera- 
ture so far. One natural way to extend zero-knowledge authenticated sets to 
accommodate more elaborate query types is by allowing for set-operations beyond 
(non-) membership. In particular, consider a data structure, called set collection, 
that consists of a collection of sets and accommodates operations among (an arbi- 
trary selection among) them. We stress that a construction that accommodates 
set unions, intersection and differences, allows for a complete set algebra.^9 In the 
full version we provide a definition of zero-knowledge authenticated set collection, 
in the style of [29], and the corresponding construction (which naturally uses our 
zero-knowledge authenticated set construction from Sect. 4 as a building block). 

8 Though [29] uses the term Privacy-Preserving Authenticated Data Structures, we 
use ZKADS to fit our notation. 

9 In the computationally-bounded setting, a negation operation is infeasible unless the 
element domain is of polynomial size in the security parameter. In that case, a negation 
can be instantiated as a set difference from the set that contains the entire domain. 


3.3 Zero-Knowledge Implies Indistinguishability (for Accumulators) 

The notion of zero-knowledge defined here is a strengthening of the indistin- 
guishability property introduced in [23]. There the authors introduce a notion 
similar to ours that also requires the accumulation value produced by Setup to 
be randomized. If we restrict our attention to static accumulators, the effect of 
both notions is the same, i.e., the clients see a randomized accumulation value 
and corresponding “blinded” witnesses. 

However, while the indistinguishability game entails updates, it inherently 
does not offer any privacy for the elements inserted to or removed from the 
set, as the Update algorithm is deterministic. At a high level, that notion only 
protects the original accumulated set and not subsequent updates. We believe 
this is an important omission for a meaningful privacy definition for accumula- 
tors, as highlighted by the following example. Consider a third-party adversary 
that observes the protocol’s execution before and after an insertion (or deletion) 
update. If the adversary has reasons to suspect that the inserted (or deleted) 
value may be $y$, he can always test that. A very realistic example of this behavior 
is a setting where the accumulator is used to implement a revocation list. In that 
case an adversary may want to know if his fake certificate (value $y$ in the above 
case) has been “caught” yet. We provide the following result.^10 

Theorem 1. Every zero-knowledge dynamic universal accumulator is also 
indistinguishable under the definition of [23], while the opposite is not always 
true. 

Proof. We first show that every scheme that is zero-knowledge is also indistin- 
guishable. Then we show that the construction of [23] is not zero-knowledge. 

ZK $\Rightarrow$ IND: We prove this direction by contradiction. Assume there exists an 
accumulator that is zero-knowledge but not indistinguishable. Then, there 
exists a PPT adversary Adv that wins the indistinguishability game. Adv 
gives two sets $X_0, X_1$ to a challenger who flips a coin $b$ and provides oracle 
access to Adv for the algorithms with respect to $X_b$. By assumption, Adv can 
output a bit $b'$ correctly guessing $b$ with non-negligible advantage $\epsilon$ over $1/2$. 
The (natural) constraint is that Adv cannot issue a query (or update request) 
that is trivially revealing the chosen set (e.g., if $x \in X_0$ and $x \notin X_1$, Adv is 
not allowed to query for $x$). We refer interested readers to [23] for a formal 
definition of the indistinguishability game. 

10 In [23] the indistinguishability definition assumes that the adversary is also given 
access to the Setup algorithm arbitrarily many times. This makes sense in their 
model, since they explicitly require that Setup is randomized whereas Update is 
deterministic. Here this requirement is redundant since both processes may be ran- 
domized; any setup response can be emulated by a series of update calls that shape 
the required set. To simplify the process, we assume that the indistinguishability 
adversary only makes Update and Witness calls. We stress that this is not a limitation 
of the reduction. We could alternatively have chosen to define our zero-knowledge 
game giving the adversary access to Setup and the result would still hold. 

We will now construct a PPT adversary Adv' that breaks the zero-knowledge 
property of the scheme as follows. Adv' on input $1^\lambda, vk$ runs Adv with the 
same input and receives sets $X_0, X_1$. He then forwards $X_1$ as the challenge 
for the zero-knowledge game and receives accumulation value $acc_0$, which he 
forwards to Adv. Consequently, he responds to all messages of Adv (queries 
and updates) with calls to the zero-knowledge game interface and forwards 
all responses back to Adv. Finally, he outputs the output bit $b'$ of Adv. 

First, observe that Adv' is clearly PPT, since Adv is PPT. Now let us argue 
about his success probability in distinguishing between real and ideal inter- 
action. Observe that, if Adv' is interacting with the algorithms of the scheme 
(i.e., is playing the real game), the interface he is providing to Adv is a perfect 
simulation of the indistinguishability game for $b = 1$. On the other hand, if 
he is interacting with Sim, the view of the latter during this interaction is 
exactly the same independently of whether the set chosen by Adv' is $X_0$ or 
$X_1$. Hence, the view offered to Adv is the same in both cases, and therefore 
$\Pr[b' = 1] = \Pr[b' = 0] = 1/2$. Let $E$ be the event that Adv' is play- 
ing the real game (and likewise for the complement $E^c$). From the above 
analysis (recall that Adv' outputs the bit $b'$ returned by Adv), it holds that 
$\Pr[b' = 1 \mid E] \geq 1/2 + \epsilon$ and $\Pr[b' = 1 \mid E^c] = 1/2$. This implies that Adv' 
can distinguish between the two executions with non-negligible probability, 
breaking the zero-knowledge property of the scheme. The claim follows by 
contradiction. 

IND $\not\Rightarrow$ ZK: The main observation for this part of the proof is that in the con- 
struction of [23], given the accumulation $acc$ of set $X$, the new accumulation 
value after inserting or deleting an element is computed via a deterministic 
algorithm. Assume now an adversary Adv that operates as follows when play- 
ing the zero-knowledge game against the scheme of [23]. He initially plays 
the setup phase of Definition 4 choosing a set $X_0$ and receiving $acc_0$ from the 
challenger. Then he chooses $e \leftarrow \{0,1\}$. If $e = 0$ then Adv chooses $x$ uni- 
formly from $\mathbb{Z}_p \setminus X_0$ and sends to the challenger first $(\text{update}, x, 1)$, receiv- 
ing $acc_1$, and then $(\text{update}, x, 0)$, receiving $acc_2$. Else, if $e = 1$ he chooses 
$x, y$ uniformly from $\mathbb{Z}_p \setminus X_0$ with $y \neq x$, and sends to the challenger first 
$(\text{update}, x, 1)$, receiving $acc_1$, and then $(\text{update}, y, 1)$, receiving $acc_2$. Finally, 
if $(acc_2 = acc_0 \wedge e = 0)$ or $(acc_2 \neq acc_0 \wedge e = 1)$, he outputs $d = 1$. In all 
other cases he outputs $d = 0$. 

Observe first that Adv is clearly PPT as all algorithms of the scheme are run 
in polynomial time. Regarding his success probability, we argue as follows. 
If Adv is playing the real game versus the challenger running the algorithms 
of [23], then we identify the following two probabilities $\Pr[acc_2 = acc_0 \mid e = 0]$ 
and $\Pr[acc_2 = acc_0 \mid e = 1]$. The first probability is equal to 1 whereas the 
second one is negligibly small; as explained above, the updates of the scheme 
are deterministic therefore adding and removing the same element will result 
in the same accumulation value, whereas adding two elements will always 
result in a different accumulation value, unless the latter happens to be the 
multiplicative inverse of the former. On the other hand, if Adv is playing 
the ideal game against the simulator, the latter is only given access to the 
information that two updates occurred (not even the nature of the update 
operations). Therefore, the simulator’s view is the same, independently of 
the value of $e$, and $\Pr[acc_2 = acc_0 \mid e = 0] = \Pr[acc_2 = acc_0 \mid e = 1] = 1/2$. 
Let $E$ be the event that Adv is playing the real game (and likewise for 
the complement $E^c$). From the above analysis it follows that $\Pr[d = 1 \mid E] = 
1 - \nu(\lambda)$, whereas $\Pr[d = 1 \mid E^c] = 1/2$, therefore Adv distinguishes the two 
games with non-negligible probability and the accumulator of [23] is not zero- 
knowledge. □ 

Other privacy notions. The indistinguishability property of [23] is a strengthen- 
ing of that of [20]. The latter was the first work to formally define a privacy 
property for cryptographic accumulators, however their definition had inherent 
problems, e.g., it was easy to prove that deterministic accumulators -that clearly 
were not private- satisfied it. Another technique for providing privacy to cryp- 
tographic accumulators was proposed earlier in [41], without a formalization. 
The idea is to simply produce a randomized accumulation value for a set $X$ 
by choosing at random an element $x$ from the elements universe during Setup 
and outputting the accumulation of set $X \cup \{x\}$. This generic mechanism will 
work for any static accumulator, but will also not protect updates. Moreover 
it weakens soundness as an adversary could potentially produce a membership 
witness for the element $x \notin X$. Our approach does not suffer from this as there 
is no additional element accumulated and the randomness $r$ used to blind the 
accumulation value during Setup is explicitly given to the server without com- 
promising soundness. Finally, Theorem 1 implies that our construction from 
Sect. 4 is also the only known algebraic construction of a universal indistin- 
guishable accumulator. The two schemes of [23] are a black-box reduction from 
the stronger primitive of zero-knowledge sets, and a construction similar to ours 
that only offers membership witnesses. 

4 A Zero-Knowledge Universal Accumulator Construction 

In this section we present our construction for a zero-knowledge dynamic univer- 
sal accumulator. It builds upon the bilinear accumulator of Nguyen [53], adopting 
some of the techniques of [23] that we further expand to achieve zero-knowledge. 
It supports sets with elements from $\mathbb{Z}_p \setminus \{s\}$ where $p$ is prime and $p \in O(2^\lambda)$ 
and $s$ is the scheme trapdoor. Note that the fact that the elements must be of 
$\log p$ bits each is not a strong limitation of the scheme; one can always apply 
a collision-resistant hash function that maps arbitrarily long strings to $\mathbb{Z}_p$. We 
now make several observations about our ZKUA construction in Fig. 2. 
Notation: The notation $q[z]$ denotes polynomial $q$ over undefined variable $z$ and $q(s)$ is the 
evaluation of the polynomial at point $s$. All arithmetic operations are performed mod $p$. $N$ 
is a variable maintained by the owner. 

Key Generation $(sk, vk) \leftarrow \mathsf{GenKey}(1^\lambda)$ 

Run $\mathsf{GenParams}(1^\lambda)$ to receive bilinear parameters $pub = (p, \mathbb{G}, \mathbb{G}_T, e, g)$. Choose $s \leftarrow \mathbb{Z}_p^*$. 
Return $sk = s$ and $vk = (g^s, pub)$. 

Setup $(acc, ek, aux) \leftarrow \mathsf{Setup}(sk, X)$ 

Choose $r \leftarrow \mathbb{Z}_p^*$. Set value $N = |X|$. Return $acc = g^{r \cdot Ch_X(s)}$, $ek = (g, g^s, g^{s^2}, \ldots, g^{s^N})$ 
and $aux = (r, N)$. 

Witness Generation $(b, w) \leftarrow \mathsf{Witness}(acc, X, x, ek, aux)$ 

If $x \in X$ compute $w = (acc)^{1/(x+s)} = g^{r \cdot Ch_{X \setminus \{x\}}(s)}$ and return $(1, w)$. 

Else, proceed as follows: 

- Using the Extended Euclidean algorithm, compute polynomials $q_1[z], q_2[z]$ such 
that $q_1[z]\, Ch_X[z] + q_2[z]\, Ch_{\{x\}}[z] = 1$. 

- Pick a random $\gamma \leftarrow \mathbb{Z}_p^*$ and set $q_1'[z] = q_1[z] + \gamma \cdot Ch_{\{x\}}[z]$ and $q_2'[z] = q_2[z] - \gamma \cdot Ch_X[z]$. 

- Set $W_1 := g^{q_1'(s) \cdot r^{-1}}$, $W_2 := g^{q_2'(s)}$ and $w := (W_1, W_2)$. Return $(0, w)$. 

Verification $(\text{accept}/\text{reject}) \leftarrow \mathsf{Verify}(acc, x, b, w, vk)$ 

If $b = 1$ return accept if $e(acc, g) = e(w, g^x \cdot g^s)$, reject otherwise. If $b = 0$ do the 
following: 

- Parse $w$ as $(W_1, W_2)$. 

- Return accept if $e(W_1, acc)\, e(W_2, g^x \cdot g^s) = e(g, g)$, reject otherwise. 

Update $(acc', ek', aux') \leftarrow \mathsf{Update}(acc, X, x, sk, aux, upd)$ 

Parse $aux$ as $(r, N)$. If $(upd = 1 \wedge x \in X)$ or $(upd = 0 \wedge x \notin X)$ output $\bot$ and halt. 

Choose $r' \leftarrow \mathbb{Z}_p^*$. If $upd = 1$: 

- Compute $acc' = acc^{(s+x) \cdot r'}$. 

- If $|X| + 1 > N$, set $N = |X| + 1$ and compute $ek' = g^{s^N}$. 

Else, compute $acc' = acc^{r'/(s+x)}$ and $ek' = \emptyset$. In both cases, set $aux' := (r \cdot r', N)$ and return 
$(acc', ek', aux')$. 

Witness Update $(upd, w') \leftarrow \mathsf{WitUpdate}(acc, acc', x, w, y, ek', aux, aux', upd)$ 

Parse $aux, aux'$ to get $r, r'$. 

- If $w$ is a membership witness: 

If $upd = 1$ output $(1, w' = (acc \cdot w^{x-y})^{r'})$. Else, output $(0, w' = (acc'^{-1} \cdot w^{r'})^{1/(x-y)})$. 

- If $w$ is a non-membership witness: 

Let $X'$ be the set produced after the execution of Update for element $x$ (i.e., the 
current set). Run $\mathsf{Witness}(acc', X', y, ek', aux')$ and return its output. 


Fig. 2. Zero-knowledge dynamic universal accumulator construction. 


The main property of our construction is that the algorithms do not reveal 
anything about the set in the units sent to the client. The key vk published from 
the key-generating algorithm reveals nothing about the set. The accumulation 
value produced by Setup is the standard bilinear accumulation value of [53] 
which is now blinded by a random value $r$, also revealed to the server. Witness 
generation also utilizes this randomness r. 

For membership queries, the process is the same as in [19,53] with one addi- 
tional exponentiation with $r$ for privacy purposes. This technique proves that 
an element $x \in X$ iff the degree-one polynomial $x + z$ divides $Ch_X[z]$. The 
major deviation occurs in the non-membership case. As previously discussed, 
there are existing works [2,19] that enhance the bilinear accumulator to provide 
non-membership witnesses. Their technique is a complement of the one used 
for the membership case. At a high level, it entails proving that the degree-one 
polynomial $x + z$ does not divide $Ch_X[z]$, by revealing the scalar (i.e., zero- 
degree polynomial) remainder of their long division. Unfortunately, using this 
approach here entirely breaks the zero-knowledge property: It reveals $r$ (mul- 
tiplied by an easily computable query-specific value) to any client. Instead, we 
adopt an entirely different approach. Our scheme uses the set-disjointness test, 
first proposed in [56]. In order to prove that $x \notin X$, the server proves the state- 
ment $X \cap \{x\} = \emptyset$. The different nature of the proved statement allows us to 
use fresh query-specific randomness $\gamma$ together with $r$ to prove non-membership 
in zero-knowledge. As a consequence, the verification for membership and non- 
membership is also different, but always efficient. 

Finally, the way updates are handled is especially important as it is another 
strong point of divergence from previous schemes that seek to provide privacy. 
After each update, a fresh randomness r' is used to blind the new accumula- 
tion value. This re-randomization technique perfectly hides the nature of the 
change in $X$ and lets us achieve zero-knowledge. Observe that, at all times, the 
owner maintains a variable N which is the maximum set-cardinality observed 
up to that point (through the original setup and subsequent insertions). If an 
insertion increases N (at most by one), the owner provides the server with an 
additional ek component that can be used by the server for subsequent witness 
generation. This is a slight deviation from our notation in Sect. 3 where the new 
key produced from Update replaces the previous ek. Instead the new evaluation 
key must be set to $ek \cup ek'$. This has no meaningful impact on the security of our 
scheme; we could always have Update output the entire old key together with 
the additional element. From an efficiency perspective though, that overly naive 
approach would require Update to run in time linear to N -the same holds for 
WitUpdate. Regarding witness updates, for the (more meaningful, as discussed 
in Sect. 3) case of membership witnesses there indeed exists a fast method. On 
the other hand, for non-membership witness updates, our scheme resorts to re- 
computation from scratch. 

We can now present our main result. We give the proof of security below and 
defer the asymptotic analysis to the full version [30]. 

88 E. Ghosh et al. 

Theorem 2. The algorithms {KeyGen, Setup, Witness, Verify, Update, WitUpdate} 
constitute a zero-knowledge dynamic universal accumulator with perfect completeness, 
soundness under the q-SBDH assumption (with $q = N$ set to the maximum set size 
observed during the soundness game) and perfect zero-knowledge. Let $N$ be the 
cardinality of the set. Then, the runtime of GenKey is $O(poly(\lambda))$ where $\lambda$ is the 
security parameter, the complexity of Setup is $O(N)$, that of Witness is $O(N \log N)$ 
for membership witnesses and $O(N \log^2 N \log\log N)$ for non-membership witnesses, 
that of Verify is $O(1)$, that of Update is $O(1)$, and that of WitUpdate is $O(1)$ for 
membership witnesses and $O(N \log^2 N \log\log N)$ for non-membership witnesses. 
Finally, witnesses consist of $O(1)$ bilinear group elements. 

Proof. Completeness follows by close inspection of the algorithms’ execution. 
We proceed to prove soundness and zero-knowledge. 

Proof of Soundness. Assume there exists PPT adversary Adv that on input 
$1^\lambda$ breaks the soundness of our scheme with non-negligible probability. We will 
construct a PPT adversary Adv' that breaks the q-SBDH assumption for $q = N$, 
running as follows: 

1. On input $(pub, (g^s, \ldots, g^{s^N}))$, run Adv on input $(g^s, pub, 1^\lambda)$. 

2. Upon receiving set $X_0$, choose $r_0 \leftarrow \mathbb{Z}_p^*$. Use $r_0$ and $(g^s, \ldots, g^{s^N})$ to 
compute $acc_0 = g^{r_0 \cdot Ch_{X_0}(s)} = g^{(Ch_{X_0}(s))\, r_0}$ and respond with $(ek_0 = 
(g, g^s, \ldots, g^{s^{|X_0|}}), acc_0, r_0)$. Initiate list $\mathcal{L}$ and insert triplet $(acc_0, X_0, r_0)$ as 
$\mathcal{L}[0]$ (i.e., the first element of the list). The notation $\mathcal{L}[i]_j$ denotes the $j$-th 
part of the $i$-th element of the list (e.g., $\mathcal{L}[0]_0 = acc_0$). Also set $n = |X_0|$. 

3. Initiate update counter $i = 0$. While $i < l$ proceed as follows. Upon receiving 
update $upd_i, x_i$, check whether this is a valid update for $X_i = \mathcal{L}[i]_1$. If it is 
not, respond with $\bot$ and re-append $acc_i = \mathcal{L}[i]_0, X_i, r_i$ to $\mathcal{L}$. Otherwise, pick 
$r' \leftarrow \mathbb{Z}_p^*$ and set $r_{i+1} = r_i \cdot r'$. Update $X_i$ according to $upd_i, x_i$ to get $X_{i+1}$. 
If $|X_{i+1}| > n$, set $n = |X_{i+1}|$ and $ek_{i+1} = g^{s^n}$. Else, $ek_{i+1} = \emptyset$. Use $r_{i+1}$ 
and $(g^s, \ldots, g^{s^N})$ to compute $acc_{i+1} = g^{r_{i+1} \cdot Ch_{X_{i+1}}(s)} = g^{(Ch_{X_{i+1}}(s))\, r_{i+1}}$ and 
respond with $(ek_{i+1}, acc_{i+1}, r_{i+1})$. Append triplet $(acc_{i+1}, X_{i+1}, r_{i+1})$ to $\mathcal{L}$. 
In both cases, increase $i$ by 1. 

4. Upon receiving the $j$-th challenge with triplet $(x^*, b^*, w^*)$ proceed as follows: 

- If $b^* = 1$, then $x^* \notin X_j$ yet $\mathsf{Verify}(acc_j, x^*, 1, w^*, vk)$ accepts. Compute poly- 
nomial $q[z]$ and scalar $c$ such that $Ch_{X_j}[z] = (x^* + z)\, q[z] + c$. Output 
$[x^*, (e(w^*, g)^{r_j^{-1}}\, e(g, g^{-q(s)}))^{c^{-1}}]$. 

- If $b^* = 0$, then $x^* \in X_j$ yet $\mathsf{Verify}(acc_j, x^*, 0, w^*, vk)$ accepts. Parse $w^*$ as 
$(W_1^*, W_2^*)$. Compute polynomial $q[z]$ such that $Ch_{X_j}[z] = (x^* + z)\, q[z]$. 
Output $[x^*, e(W_1^*, g^{r_j q(s)})\, e(W_2^*, g)]$. 

First of all observe that Adv' perfectly emulates the challenger for the DUA 
security game to Adv. This holds since all accumulation values and witnesses are 
computable without access to trapdoor $sk$ in polynomial time. All the necessary 
polynomial arithmetic can also be run efficiently, hence Adv' is PPT. Regarding 
its success probability, we argue for the two cases separately as follows: 

$b^* = 1$: Since $x^* \notin X_j$, it follows that $(x^* + z) \nmid Ch_{X_j}[z]$ which guarantees the 
existence of $q[z], c$. Also observe that $c$ is a scalar (zero-degree polynomial) 
since it is the remainder of the polynomial division and it must have degree 
less than that of $(x^* + z)$. Since Verify accepts we can write 

$$e(w^*, g^{x^*} \cdot g^s) = e(w^*, g)^{(x^* + s)} = e(acc_j, g) = e(g^{r_j Ch_{X_j}(s)}, g) = e(g, g)^{r_j((x^* + s)\, q(s) + c)}$$ 

from which it follows that: 

$$e(w^*, g)^{r_j^{-1}(x^* + s)} = e(g, g)^{(x^* + s)\, q(s) + c}$$ 
$$e(w^*, g)^{r_j^{-1}} = e(g, g)^{q(s) + c/(x^* + s)}$$ 
$$e(w^*, g)^{r_j^{-1}}\, e(g, g)^{-q(s)} = e(g, g)^{c/(x^* + s)}$$ 
$$\left[e(w^*, g)^{r_j^{-1}}\, e(g, g)^{-q(s)}\right]^{c^{-1}} = e(g, g)^{1/(x^* + s)}$$ 

$b^* = 0$: Since $x^* \in X_j$, it follows that $(x^* + z) \mid Ch_{X_j}[z]$ which guarantees the 
existence of $q[z]$. Since Verify accepts we can write: 

$$e(W_1^*, acc_j)\, e(W_2^*, g^{x^*} \cdot g^s) = e(g, g)$$ 
$$e(W_1^*, g^{r_j Ch_{X_j}(s)})\, e(W_2^*, g^{(x^* + s)}) = e(g, g)$$ 
$$e(W_1^*, g^{r_j (x^* + s)\, q(s)})\, e(W_2^*, g^{(x^* + s)}) = e(g, g)$$ 
$$\left[e(W_1^*, g^{r_j q(s)})\, e(W_2^*, g)\right]^{(x^* + s)} = e(g, g)$$ 
$$\left[e(W_1^*, g^{r_j q(s)})\, e(W_2^*, g)\right] = e(g, g)^{1/(x^* + s)}$$ 

Observe that in both cases the left hand side of the above equations is efficiently 
computable with access to $pub, (g^s, \ldots, g^{s^N}), r_j, X_j, x^*, w^*$. Hence, whenever Adv 
succeeds in breaking the soundness of our scheme, Adv' outputs a pair breaking 
the q-SBDH assumption for $q = N$. By assumption the latter can happen only 
with negligible probability, and our claim that our scheme has soundness follows 
by contradiction. □ 


Proof of Zero-Knowledge. We define simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$ as follows. At 
all times, we assume the simulator's state contains all variables seen by the simulator thus far. 

- $\mathsf{Sim}_1$ runs $\mathsf{GenParams}$ to receive $pub$. He then picks $s \leftarrow \mathbb{Z}_p^*$ and sends $g, g^s, pub$ 
to Adv. After Adv has output his set choice $X$, $\mathsf{Sim}_1$ picks $r \leftarrow \mathbb{Z}_p^*$ and responds 
with $acc = g^r$. Finally, he stores $r$ and initiates empty list $\mathcal{C}$. 

- For $i = 1, \ldots, l$ upon input $(op, x_i, d)$: 

  • If $op = \text{query}$, the simulator checks if $x_i \in \mathcal{C}$. 

    * If $x_i \notin \mathcal{C}$, then if $D(\text{query}, x_i, X) = 1$, he computes $\kappa = r \cdot (x_i + s)^{-1}$ 
      and responds with $(b = 1, w = g^\kappa)$. Else, if $D(\text{query}, x_i, X) = 0$ he 
      computes $q_1, q_2$ such that $q_1 \cdot r + q_2 \cdot (x_i + s) = 1$, picks $\gamma \leftarrow \mathbb{Z}_p^*$ and 
      responds with $(b = 0, w = (W_1 = g^{q_1 + \gamma (x_i + s)}, W_2 = g^{q_2 - \gamma r}))$. In both 
      cases, the simulator appends $(x_i, b, w)$ to $\mathcal{C}$. 

    * If $x_i \in \mathcal{C}$ he responds with the corresponding entries $b, w$ from $\mathcal{C}$. 

  • If $op = \text{update}$ then the simulator proceeds as follows. If $D(\text{update}, x_i, 
    d, X) = 0$ then he responds with $\bot$. Else, he picks $r' \leftarrow \mathbb{Z}_p^*$ and responds 
    with $acc = g^{r'}$. Finally he sets $r \leftarrow r'$ and $\mathcal{C} \leftarrow \emptyset$. 

The simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$ produces a view that is identically distributed 
to that produced by the challenger during $\mathsf{Real}_{Adv}$. Observe that random values 
$r$ are chosen independently after each update (and initial setup) in both cases. 
Once $s, r$ are fixed then for any possible choice of $X$ there exists unique $r^* \in \mathbb{Z}_p^*$ 
such that $g^r = g^{r^* \cdot Ch_X(s)}$. It follows that the accumulation values in $\mathsf{Real}_{Adv}$ 
are indistinguishable from the (truly random) ones produced by Sim. For fixed 
$s, r$, given a set-element combination $(X, x_i)$ with $x_i \in X$, in each game there 
exists a unique membership witness $w$ that satisfies verification. For negative 
witness $w = (W_1, W_2)$, given a set-element combination $(X, x_i)$ with $x_i \notin X$, for 
each possible independently chosen value of $\gamma$, in both games there exists only 
one distinct corresponding pair $W_1, W_2$ that satisfies the verifying equation. It 
follows that the distributions in Definition 4 are identical and our scheme is 
perfect zero-knowledge. □ 

Efficiency comparison with the bilinear accumulator of [53]. Here we 
compare the efficiency of our accumulator with the bilinear accumulator of [53] 
(as extended in [2]), which is secure under the same assumption but does not 
offer privacy. In Fig. 3, we show the number of necessary cryptographic operations 
for the constructions. We denote by ADD, MUL point addition and scalar 
multiplication in the elliptic curve group G, by ADD_t point addition in G_t and 
by PAIR a bilinear pairing computation. We stress that we do not measure the 
number of “non-cryptographic” operations, i.e., additions and multiplications 
modulo p. 

As can be seen, our construction requires the same number of cryptographic 
operations for setup and membership witness construction and verification. 



Operation                   | [53]                  | This paper
----------------------------+-----------------------+-------------------------------
Setup                       | nMUL                  | nMUL
Update                      | 1MUL                  | 2MUL
Witness (Member)            | nMUL + (n-1)ADD       | nMUL + (n-1)ADD
Witness (Non-Member)        | nMUL + (n-1)ADD       | (n+1)MUL + (n-1)ADD
Verify (Member)             | 1(MUL + ADD + PAIR)   | 1(MUL + ADD + PAIR)
Verify (Non-Member)         | 2(MUL + ADD + PAIR)   | 1(MUL + ADD + ADD_t) + 2PAIR
Witness Update (Member)     | 1(MUL + ADD)          | 2MUL + 1ADD
Witness Update (Non-Member) | 2MUL + 1ADD           | (n+1)MUL + (n-1)ADD

Fig. 3. This table compares the number of cryptographic operations involved in each 
operation between our construction and that of [53] as extended in [2]. ADD, MUL 
denote point addition and scalar multiplication in the elliptic curve group G, ADD_t 
point addition in G_t and PAIR a pairing computation, whereas n is the size of the set. 
For all other algorithms, the additional number of operations is only a constant 
(at most one), highlighting that zero-knowledge is achieved in practice with 
only a very small overhead.^11 The only notable exception is the update of 
non-membership witnesses, in which case our construction resorts to re-computation 
from scratch. 

Proving (non-) membership in batch. Another important property of our 
construction is that it allows the server to efficiently prove statements in batch. 
Consider the case when a client wants to issue a query on every element of 
a set (y_1, ..., y_m). One way to achieve this would be to provide a separate 
membership/non-membership witness for each element. This approach would yield a proof that 
consists of O(m) group elements. Instead, with our construction the server can 
produce a single membership witness for all y_i ∈ X and a single non-membership 
witness for those y_i ∉ X. We will use this technique for our construction in Sect. 5. 

5 Zero-Knowledge Authenticated Set Collection (ZKASC) 

Zero-knowledge accumulators, as presented so far, can be viewed as zero-knowledge 
authenticated sets where authenticated zero-knowledge membership/non-membership 
queries are supported on an outsourced set. In this section, we generalize the 
problem of zero-knowledge authentication from a set to a collection of sets to 
support outsourced set algebra operations: is-subset, intersection, union and set 
difference. We refer to this primitive as zero-knowledge authenticated set 
collection (ZKASC) since it falls in the general model of zero-knowledge 
authenticated data structures [29]. 

We consider a dynamic collection S of m sets X_1, ..., X_m, with elements from 
𝒳, that is remotely stored with an untrusted server. S has two types of operations 
defined on it: immutable operations Q(·) and mutable operations U(·). Q(S, q) 
takes a set algebra query q (wrt the indices of S) as input and returns an answer 
and a proof, and it does not alter S. U(S, u) takes as input an update request 
and changes S accordingly. An update u = (x, upd, i) is either an insertion (if 
upd = 1) of an element x into a set X_i or a deletion (if upd = 0) of x from X_i. 

ZKASC is a tuple of six probabilistic polynomial time algorithms ZKASC = 
(KeyGen, Setup, Update, UpdateServer, Query, Verify). Informally, ZKASC lets the 
owner outsource S and some auxiliary information and an evaluation key ek to 
the server (using KeyGen, Setup) and publish a verification key vk and a public 
digest for S. Then, the client can query S by sending queries to the server. For 
each query, the server generates an answer and prepares its proof (using Query). 
The owner can also update his set collection and make corresponding changes 
to the digest (using Update), and the changes are propagated by the server to his 
copy of S, the auxiliary information and ek (using UpdateServer). The client 
verifies the query answer against the proof and the digest corresponding to the latest 
update using vk (in Verify). The security properties of ZKASC are: completeness, 
soundness and zero-knowledge. They are similar to those of ZKUA as described 
in Sect. 3, since both follow the definition of ZKADS [29]. 

^11 Note however, that computing the coefficients of the polynomials that will be 
encoded in the exponents of the witnesses requires different types of polynomial 
arithmetic operations. In our construction the server runs an Extended Euclidean 
algorithm on input two polynomials of degree n and 1 respectively, whereas in [2] he 
runs a polynomial division on the same inputs. 

E. Ghosh et al. 

In the rest of the section we informally introduce our efficient construction of 
ZKASC, present the main theorem and compare the asymptotic complexity of 
the algorithms of our ZKASC scheme with that of [56] in Fig. 4. Our construction 
makes use of the zero-knowledge dynamic universal accumulator introduced in Sect. 3 
and the accumulation tree described in Sect. 2. For the detailed algorithms and their 
security analysis we refer the reader to the full version. 

5.1 Setup and Update Algorithms 

The construction uses pub = (p, G, G_t, e, g) as in Sect. 4. The owner runs the Setup 
algorithm with the secret key s, the verification key (g^s, pub) (after generating 
them using KeyGen) and the set collection S as input and generates a short 
public digest for the client, the evaluation key ek and some authentication information 
of S for the server. The algorithm computes acc(X_i) (zero-knowledge 
accumulation using the Setup algorithm of Sect. 4) for each set X_i ∈ S. It then 
builds an accumulation tree on acc(X_1), ..., acc(X_m) and publishes the root of 
this tree as the public digest of S. It sets the evaluation key to (p, g^s, ..., g^{s^N}) 
where N = m · |𝒳|. The auxiliary information for the server contains the 
randomness used for computing each acc(X_i). 

The Update algorithm takes as input an update string u and updates the corresponding 
set in the set collection (using the Update algorithm in Sect. 4) and 
accordingly updates the authentication path in the accumulation tree and the 
auxiliary information, (possibly) the evaluation key and the public digest. As 
described so far, the update does not guarantee zero-knowledge. If a client queries 
wrt some set j ≠ i before and after u was performed, and sees that acc(X_j) has 
not changed, then he learns that X_j is not affected by the update. This will also 
imply that the proofs that the client holds wrt X_j between updates are still valid. 
To achieve zero-knowledge, we require Update to re-randomize all the accumulation 
values that the client has seen (due to queries) since the last update. The 
update involves changes to the authentication information stored with the server. To 
this end, the server runs the UpdateServer algorithm to propagate the owner’s update 
on the set collection and authentication information. This algorithm updates 
the relevant set and updates all the authentication paths in the accumulation 
tree corresponding to the sets whose accumulation value has been changed or 
refreshed by the owner. 
5.2 Set Algebra Query and Verify Algorithms 

The Query and Verify algorithms let the server construct a proof of a response to a set 
operation query and the client verify it, respectively. Since ZKASC supports several 
set operations, we describe each algorithm in terms of modular subroutines. 

Is-subset query: A subset query q = (A, i) is parametrized by a set of elements 
A and an index i of the set collection. Given q, the subset query returns answer = 1 
if A ⊆ X_i and answer = 0 if A ⊈ X_i. This query is an efficient generalization 
of Witness (Sect. 4) where a membership/non-membership query is supported for 
a batch of elements instead of a single element. The proof technique is similar 
to the membership and non-membership proof generation for a single element 
using the Witness algorithm. 

Set intersection query: A set intersection query q = (i_1, ..., i_k) is parameterized 
by a set of indices of the set collection. The answer to an intersection query 
is a set of elements which we denote as answer and a simulatable proof of the 
correctness of the answer. If the intersection is computed correctly then answer = 
X_{i_1} ∩ X_{i_2} ∩ ... ∩ X_{i_k}. We express the correctness of intersection with the two 
following conditions as in [56]: 

Subset condition: answer ⊆ X_{i_1} ∧ ... ∧ answer ⊆ X_{i_k}. This condition ensures 
that the returned answer is a subset of all the queried set indices, i.e., every 
element of answer belongs to each set in the query. 

Completeness condition: (X_{i_1} − answer) ∩ ... ∩ (X_{i_k} − answer) = ∅. This ensures 
that answer indeed contains all the common elements of X_{i_1}, ..., X_{i_k}, i.e., 
none of the elements have been omitted from answer. 

To prove the first condition, we will use the subset query as a subroutine. Proving 
the second condition is more tricky; it relies on the fact that the characteristic 
polynomials for the sets X_j − answer, for all j ∈ [i_1, i_k], do not have common 
factors. In other words, these polynomials should be co-prime and their GCD 
should be 1 (Lemma 1). Since the proof units should be simulatable, we cannot 
directly use the technique as in [56]. To this end, we randomize the proof 
units by generalizing the randomization technique in Sect. 4 used to prove 
non-membership in a single set. The technique essentially adds noise in the exponent 
for each unit of the intersection proof such that the noise terms cancel out when used by 
the client in the bilinear map equality check. 
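As an added example (not code from the paper), the following Python block checks the two intersection conditions above on a constructed collection of three sets: the subset condition directly, and the completeness condition through the coprimality test of Lemma 1, computing the Bezout coefficients q_j that a verifier recombines; a small prime P stands in for the group order and the blinding is left out. It also shows what an incomplete answer leaves behind: the gcd then contains the factor (z + x) of the omitted element x.

```python
# Added example (not code from the paper): the two intersection conditions of
# Sect. 5.2 checked at the coefficient level.  Ch_X(z) = prod_{x in X} (z + x)
# is the characteristic polynomial over F_P; P is a constructed small prime
# standing in for the group order (the real scheme keeps these polynomials in
# the exponent and blinds them, which this plaintext model omits).
P = 1_000_003  # constructed prime modulus

def trim(a):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def scale(a, c):
    return trim([x * c % P for x in a])

def sub(a, b):
    return add(a, scale(b, P - 1))

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_(a, b):
    """Polynomial long division over F_P; returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    inv = pow(b[-1], P - 2, P)                 # inverse of the leading coefficient
    q = [0] * max(1, len(a) - len(b) + 1)
    while a != [0] and len(a) >= len(b):
        shift = len(a) - len(b)
        c = a[-1] * inv % P
        q[shift] = c
        a = sub(a, mul([0] * shift + [c], b))  # subtract c * z^shift * b
    return trim(q), a

def xgcd(a, b):
    """Extended Euclid on polynomials: returns monic g and u, v with u*a + v*b = g."""
    r0, r1, u0, u1, v0, v1 = trim(a), trim(b), [1], [0], [0], [1]
    while r1 != [0]:
        q, r = divmod_(r0, r1)
        r0, r1 = r1, r
        u0, u1 = u1, sub(u0, mul(q, u1))
        v0, v1 = v1, sub(v0, mul(q, v1))
    inv = pow(r0[-1], P - 2, P)
    return scale(r0, inv), scale(u0, inv), scale(v0, inv)

def char_poly(X):
    """Ch_X(z) = prod_{x in X} (z + x), coefficients low to high."""
    poly = [1]
    for x in sorted(X):
        poly = mul(poly, [x % P, 1])
    return poly

def subset_condition(sets, answer):
    """Subset condition: answer is contained in every queried set."""
    return all(answer <= X for X in sets)

def completeness_condition(sets, answer):
    """Completeness condition via Lemma 1: the polynomials Ch_{X_j - answer} must
    be coprime.  Returns their monic gcd, the polynomials and Bezout coefficients
    q_j with sum_j q_j * Ch_{X_j - answer} = gcd; the condition holds iff gcd == 1."""
    polys = [char_poly(X - answer) for X in sets]
    g, coeffs = polys[0], [[1]]
    for Pj in polys[1:]:
        g, u, v = xgcd(g, Pj)                  # u*g_prev + v*Pj = g
        coeffs = [mul(u, c) for c in coeffs] + [v]
    return g, polys, coeffs

def bezout_holds(polys, coeffs, target):
    """Recompute sum_j q_j * P_j, the identity the verifier checks in the exponent."""
    acc = [0]
    for Pj, qj in zip(polys, coeffs):
        acc = add(acc, mul(Pj, qj))
    return acc == target

# Constructed set collection X_{i_1}, X_{i_2}, X_{i_3}; the true intersection is {2, 3}.
SETS = [{1, 2, 3, 4}, {2, 3, 5}, {2, 3, 7, 9}]

if __name__ == "__main__":
    for answer in ({2, 3}, {2}):
        g, polys, coeffs = completeness_condition(SETS, answer)
        print(answer, "subset:", subset_condition(SETS, answer),
              "gcd:", g, "bezout ok:", bezout_holds(polys, coeffs, g))
```

For the complete answer {2, 3} the gcd is the constant polynomial [1]; for the incomplete answer {2} it is z + 3, i.e. [3, 1], exposing the omitted element.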

Set union query: A set union query q = (i_1, ..., i_k) is parameterized by a set 
of indices of the set collection. The answer to a union query contains a set of 
elements, denoted as answer = X_{i_1} ∪ X_{i_2} ∪ ... ∪ X_{i_k}, and a simulatable proof of 
the correctness of the answer. We introduce a technique for checking correctness 
of the union operation based on the following conditions: 

Superset condition: X_{i_1} ⊆ answer ∧ X_{i_2} ⊆ answer ∧ ... ∧ X_{i_k} ⊆ answer. This condition 
ensures that no element has been excluded from the returned answer. 

Membership condition: answer ⊆ U where U = X_{i_1} ⊎ X_{i_2} ⊎ ... ⊎ X_{i_k}. ⊎ denotes 
multiset union of the sets, i.e., ⊎ preserves the multiplicity of every element 
in the union. This condition ensures that every element of answer belongs 
to at least one of the sets X_{i_1}, ..., X_{i_k}. We note that the trivial way (used 
in [56]) of proving this condition is to prove that each element of answer is a 
member of X_j for some j ∈ [i_1, i_k]. This technique obviously does not support zero 
knowledge as it reveals which set the element comes from. 

The first condition can be checked by using the subset proof as a subroutine.^12 
The second condition should be proved carefully and not reveal (1) whether an 
element belongs to more than one of the sets in the query, and (2) which set an 
element in the union comes from. For example, returning U in the clear trivially 
reveals the multiplicity of every element in answer. Instead, we request the server 
to return acc(U), which equals g^{Ch_U(s)} blinded with randomness in the exponent. 
In order to prove that the server computed acc(U) correctly, we introduce a 
union tree. 

A union tree (UT) is a binary tree computed as follows. Corresponding to 
the k queried indices, acc(X_{i_1}), ..., acc(X_{i_k}) are the leaves of UT. The tree 
is computed bottom up. Every internal node v is computed as follows. Let 
v_1 and v_2 be its two children. The (multi)set associated with v is the multiset 
M = M_1 ⊎ M_2 where M_1 and M_2 are the (multi)sets for v_1 and v_2 respectively. Let 
r_1 and r_2 be the blinding factors used in computing the accumulation values of 
v_1 and v_2, respectively. Then the node v stores the value a(v) = g^{r_1 r_2 Ch_M(s)}. Finally, 
the server constructs a proof of subset for answer in U. 

The client can verify the correctness of each node of UT bottom up using 
a bilinear map as follows: e(a(v), g) ?= e(a(v_1), a(v_2)), where g is a part of the 
verification key. The membership proof verification of X_j ⊆ answer, ∀j ∈ [i_1, i_k], 
and answer ⊆ U is done using the subset verification subroutine. 

Set difference query: A set difference query q is parameterized by two set indices 
of the set collection, q = (i_1, i_2). The answer to a set difference query is answer = 
X_{i_1} − X_{i_2} and a proof of correctness of the answer. We express the correctness 
of the answer using the following statement: (answer = X_{i_1} − X_{i_2}) ⟺ X_{i_1} \ 
answer = X_{i_1} ∩ X_{i_2}. It ensures two conditions: (1) all the elements of answer 
indeed belong to X_{i_1} and (2) all the elements of X_{i_1} that are not in X_{i_2} are 
contained in answer. In other words, the union of answer and the intersection 
I = X_{i_1} ∩ X_{i_2} equals X_{i_1}. 

The second condition is tricky to prove for the following reasons. The server 
can reveal neither X_{i_1} − answer nor X_{i_1} ∩ X_{i_2} to the client, since this reveals more 
than the set difference answer the client requested (hence, breaking our zero-knowledge 
property).^13 Hence, we are required to provide blinded accumulators 
corresponding to these sets. Unfortunately, the blinded versions of X_{i_1} \ answer and 
X_{i_1} ∩ X_{i_2}, even if the server computed them correctly, would be different. This 
is caused by the different blinding factors used for these accumulators, even though 
the exponent that corresponds to the elements of the sets is the same. We use 
the latter fact and require the server to prove that the non-blinded exponents are 
the same. For this we use standard Schnorr proofs that can be made NIZKPoK 
in the Common Reference String model using standard techniques [22,28,46]. 
We describe the properties of a particular NIZKPoK protocol for discrete log in 
the full version [30]. We can now state the following result. The security proof 
and an efficiency analysis can be found in [30]. 

^12 We note that even the security proof does not assume the security proof for subset 
in a blackbox fashion since here it is the superset rather than the subset that is the 
known answer. 

^13 We note that the sets are revealed to the client in [56] where privacy is not a concern. 

Theorem 3. The scheme ZKASC = (KeyGen, Setup, Update, UpdateServer, 
Query, Verify) has perfect completeness, soundness under the q-SBDH assumption 
(with q set to the sum of maximum set sizes produced during the soundness 
game) and perfect zero-knowledge. Let S = {X_1, ..., X_m} be the original set 
collection. Define M = Σ_{i∈[m]} |X_i|, n_j = |X_j|, and N = Σ_{j∈[i_1,i_k]} n_j. Let k be the 
number of group elements in the query input (for the subset query, it is the 
cardinality of a queried subset, and for the rest of the queries it is the number of set 
indices). Let p be the size of a query answer, L be the number of sets touched by 
the queries between updates u_{t−1} and u_t, and 0 < ε < 1 be a constant chosen at 
the time of setup. We have: 

- KeyGen has complexity O(1); 

- Setup has complexity O(M + m); 

- Update and UpdateServer have complexity O(L); 

- Query and Verify have the following complexity: 

  • For is-subset, the complexity is O(N log² N log log N + m^ε log m). The 
  proof size is O(k) and the verification has complexity O(k).^14 

  • For set intersection, the complexity is O(N log² N log log N + k m^ε log m). 
  The proof size is O(p + k) and the verification has complexity O(p + k). 

  • For set union, the complexity is O(kp log p + N log N log k + k m^ε log m). 
  The proof size is O(p + k) and the verification has complexity O(p + k). 

  • For set difference, the complexity is O(N log² N log log N + m^ε log m). The 
  proof size is O(p) and the verification has complexity O(p). 

5.3 Efficiency Comparison with the Scheme of [56] 

We compare the asymptotic complexity of the algorithms of our ZKASC scheme 
with that of [56] in Fig. 4; the scheme of [56] provides only authenticity and trivially reveals 
information about the set collection. We show that only the update algorithms are 
more expensive compared to those of [56]. The extra cost is to achieve zero-knowledge, 
which requires all proofs to be ephemeral, i.e., proofs should not 
remain valid between updates. We defer a more detailed comparison to the full 
version. 

^14 Note that if the subset query is of the form: is the set at index i a subset of the set at 
index j, then the proof complexity can be made constant. 
Operation                       | [56]   | This paper
--------------------------------+--------+-----------
Setup                           | M + m
Update, Owner                   | 1      | L
Update, Server                  | 1      | L
Subset, Query                   | N log² N log log N + m^ε log m
Subset, Verify/Proof size       | k
Intersection, Query             | N log² N log log N + k m^ε log m
Intersection, Verify/Proof size | p + k
Union, Query                    | kN log N + k m^ε log m
Union, Verify/Proof size        | p + k
Difference, Query               | N log² N log log N + m^ε log m
Difference, Verify/Proof size   | p

Fig. 4. This table compares the asymptotic complexity of each operation with that of 
[56]. When only one value appears in the last column, it applies to both constructions. 
We note that the complexity of Union Query was originally mistakenly reported as 
O(N log N) in [56]. Notation: m = |S|, M = Σ_{i∈[m]} |X_i|, n_i = |X_i|, N = Σ_{j∈[i_1,i_k]} n_j, 
k is the number of group elements in the query input (for the subset query it is the size 
of a queried subset A and for the rest of the queries it is the number of set indices), p 
is the size of the answer, L is the number of sets touched by queries between updates 
u_{t−1} and u_t, and 0 < ε < 1 is a constant chosen during setup. 


6 Conclusion 

In this work, we introduced the property of zero-knowledge for cryptographic 
accumulators. This is a strong privacy property, requiring that witnesses and 
accumulation values leak nothing about the accumulated set at any given point 
in the protocol execution, even after insertions and deletions. We showed that 
zero-knowledge accumulators are located between zero-knowledge sets and the 
recently introduced notion of primary-secondary-resolver membership proof 
systems, as they can be constructed (in a black-box manner) from the former 
and they can be used to construct (in a black-box manner) the latter. We also 
presented a construction of an accumulator that achieves computational soundness 
and perfect zero-knowledge. Using this construction as a building block, we 
have designed a zero-knowledge authenticated set collection scheme that handles 
set-related queries that go beyond set (non-) membership. In particular, 
our scheme supports set unions, intersections, and differences, thus offering a 
complete set algebra. Future directions in the area include developing constructions 
that support efficient witness update, constructions based on constant-size 
assumptions (such as RSA) and constructing an efficient non-interactive set-difference 
protocol that does not rely on NIZKPoKs. Another interesting future 
direction is to equip zero-knowledge accumulators with zero-knowledge proofs of 
knowledge for membership/non-membership. 
Abstract. Group encryption (GE) is the natural encryption analogue of 
group signatures in that it allows verifiably encrypting messages for some 
anonymous member of a group while providing evidence that the receiver 
is a properly certified group member. Should the need arise, an opening 
authority is capable of identifying the receiver of any ciphertext. As introduced 
by Kiayias, Tsiounis and Yung (Asiacrypt’07), GE is motivated by 
applications in the context of oblivious retriever storage systems, anonymous 
third parties and hierarchical group signatures. This paper provides 
the first realization of group encryption under lattice assumptions. Our 
construction is proved secure in the standard model (assuming interaction 
in the proving phase) under the Learning-With-Errors (LWE) and 
Short-Integer-Solution (SIS) assumptions. As a crucial component of our 
system, we describe a new zero-knowledge argument system that allows one to 
demonstrate that a given ciphertext is a valid encryption under some hidden 
but certified public key, which requires proving quadratic statements 
about LWE relations. Specifically, our protocol allows arguing knowledge 
of witnesses consisting of X ∈ Z_q^{m×n}, s ∈ Z_q^n and a small-norm e ∈ Z^m 
which underlie a public vector b = X · s + e ∈ Z_q^m while simultaneously 
proving that the matrix X ∈ Z_q^{m×n} has been correctly certified. 
We believe our proof system to be useful in other applications involving 
zero-knowledge proofs in the lattice setting. 


Keywords: Lattices • Zero-knowledge proofs • Group encryption • 
Anonymity 


1 Introduction 

Since the pioneering work of Regev [49] and Gentry, Peikert and Vaikuntanathan 
(GPV) [23], lattice-based cryptography has been an extremely active research 
area. Not only do lattices enable powerful functionalities (e.g., [22,26]) that have 
no viable realizations under discrete-logarithm or factoring-related assumptions, 
they also offer a number of advantages over conventional number-theoretic 
techniques, like simpler arithmetic operations, their conjectured resistance to 
quantum attacks or a better asymptotic efficiency. 
The design of numerous cryptographic protocols crucially relies on zero-knowledge 
proofs [25] to prove properties about encrypted or committed values 
so as to enforce honest behavior on behalf of participants or protect the privacy 
of users. In the lattice setting, efficient zero-knowledge proofs are non-trivial to 
construct due to the limited amount of algebraic structure. While natural methods 
of proving knowledge of secret keys [31,40,42,44] are available, they are only 
known to work for specific languages. When it comes to proving circuit satisfiability, 
the best known methods are designed for the LPN setting [30] or take 
advantage of the extra structure available in the ring LWE setting [10,54]. Hence, 
these methods are not known to readily carry over to standard (i.e., non-ideal) 
lattices. In the standard model, the problem is even trickier as we do not have a 
lattice-based counterpart of Groth-Sahai proofs [28] and efficient non-interactive 
proof systems are only available for specific problems [48]. 

The difficulty of designing efficient zero-knowledge proofs for lattice-related 
languages makes it highly non-trivial to adapt privacy-preserving cryptographic 
primitives to the lattice setting. In spite of these technical hurdles, a recent 
body of work successfully designed anonymity-enabling mechanisms like ring 
signatures [2,31], blind signatures [50], group signatures [9,27,35,36,38,41,45] or, 
more recently, signature schemes with companion zero-knowledge protocols [37]. 
A common feature of all these works is that the zero-knowledge layer of the 
proposed protocols only deals with linear equations, where witnesses are only 
multiplied by public values. 

In this paper, motivated by the design of advanced privacy-preserving protocols 
in the lattice setting, we construct zero-knowledge arguments for non-linear 
statements among witnesses consisting of vectors and matrices. For suitable 
parameters q, n, m ∈ Z, we consider zero-knowledge argument systems whereby a 
prover can demonstrate knowledge of secret matrices X ∈ Z_q^{m×n} and vectors 
s ∈ Z_q^n, e ∈ Z^m such that: (i) e ∈ Z^m has small norm; (ii) a public vector 
b ∈ Z_q^m equals b = X · s + e mod q; (iii) the underlying pair (X, s) satisfies 
additional algebraic relations: for instance, it should be possible to prove possession 
of a signature on some representation of the matrix X. In particular, 
our zero-knowledge argument makes it possible to prove that a given ciphertext 
is a well-formed LWE-based encryption with respect to some hidden, but 
certified public key. This protocol comes in handy in the design of group encryption 
schemes [33], where such languages naturally arise. In this paper, we thus 
give the first construction of group encryption under lattice assumptions. 

Group Encryption. As suggested by Kiayias, Tsiounis and Yung [33], group 
encryption (GE) is the encryption analogue of group signatures [19], which allow 
users to anonymously sign messages on behalf of an entire group they belong 
to. While group signatures aim at hiding the source of some message within 
a crowd administered by some group manager, group encryption rather seeks 
to hide its destination within a group of legitimate receivers. In both cases, a 
verifier should be convinced that the anonymous signer/receiver indeed belongs 
to a purported population. In order to keep users accountable for their actions, 
an opening authority (OA) is further empowered with some information allowing 
it to un-anonymize signatures/ciphertexts. 

Kiayias, Tsiounis and Yung [33] formalized GE schemes as a primitive allowing 
the sender to generate publicly verifiable guarantees that: (1) the ciphertext 
is well-formed and intended for some registered group member who will be able 
to decrypt; (2) the opening authority will be able to identify the receiver if 
necessary; (3) the plaintext satisfies certain properties such as being a witness for 
some public relation or the private key that underlies a given public key. In the 
model of Kiayias et al. [33], the message secrecy and anonymity properties are 
required to withstand active adversaries, which are granted access to decryption 
oracles in all security experiments. 

As a natural application, group encryption allows a firewall to filter all incoming 
encrypted emails except those intended for some certified organization member 
and the content of which is additionally guaranteed to satisfy certain requirements, 
like the absence of malware. 

GE schemes are also motivated by natural privacy applications such as anonymous 
trusted third parties, key recovery mechanisms or oblivious retriever storage 
systems. In optimistic protocols, GE allows verifiably encrypting messages 
to anonymous trusted third parties which mostly remain off-line and only come 
into play to sort out conflicts. In order to protect privacy-sensitive information 
such as users’ citizenship, group encryption makes it possible to hide the identity 
of users’ preferred trusted third parties within a set of properly certified trustees. 

In cloud storage services, GE enables privacy-preserving asynchronous transfers 
of encrypted datasets. Namely, it allows users to archive encrypted datasets 
on remote servers while convincing those servers that the data is indeed intended 
for some anonymous certified client who paid a subscription to the storage 
provider. Moreover, a judge should be able to identify the archive’s recipient 
in case a misbehaving server is found guilty of hosting suspicious transaction 
records or any other illegal content. 

As pointed out by Kiayias et al. [33], group encryption also implies a form of 
hierarchical group signatures [53], where signatures can only be opened by a set 
of eligible trustees operating in a very specific manner determined by the signer. 

Related work. Kiayias, Tsiounis and Yung (KTY) [33] formalized the notion 
of group encryption and provided a modular design using zero-knowledge proofs, 
digital signatures, anonymous CCA-secure public-key encryption and commitment 
schemes. They also gave an efficient instantiation using Paillier’s cryptosystem 
[46] and Camenisch-Lysyanskaya signatures [15]. 

Cathalo, Libert and Yung [18] designed a non-interactive system in the standard 
model under non-interactive pairing-related assumptions. El Aimani and 
Joye [3] suggested various efficiency improvements with both interactive and 
non-interactive proofs. 

Libert et al. [39] empowered the GE primitive with a refined traceability mechanism 
akin to that of traceable signatures [32]. Namely, by releasing a user-specific 
trapdoor, the opening authority can allow anyone to publicly trace ciphertexts 
encrypted for this specific group member without affecting the privacy of other 
users. Back in 2010, Izabachène, Pointcheval and Vergnaud [29] considered the 
problem of eliminating subliminal channels in a different form of traceable group 
encryption. 

As a matter of fact, all existing realizations of group encryption or similar 
primitives rely on traditional number theoretic assumptions like the hardness 
of factoring or computing discrete logarithms. In particular, all of them are 
vulnerable to quantum attacks. For the sake of not putting all one’s eggs in the 
same basket, it is highly desirable to have instantiations based on alternative, 
quantum-resistant foundations. 

Our results and techniques. We put forth the first lattice-based realization 
of the group encryption primitive and prove its security under the Learning-With-Errors 
(LWE) [49] and Short-Integer-Solution (SIS) [4] assumptions. As in 
the original design of Kiayias, Tsiounis and Yung [33], the security analysis of 
our scheme stands in the standard model if we avail ourselves of interaction 
between the prover and the verifier. In the random oracle model [8], the Fiat-Shamir 
paradigm [21] readily provides a non-interactive solution based on the 
same hardness assumptions. 

As a core ingredient of our GE scheme, we develop a new technique allowing 
one to prove that a given ciphertext is a valid LWE-based encryption under 
some hidden but certified public key. Via a novel extension of Stern-like zero-knowledge 
arguments [31,52] in the lattice setting, we provide a method of proving 
quadratic relations between a secret certified matrix and a secret vector 
occurring in LWE-related languages. We believe our zero-knowledge arguments 
to be of independent interest as they find applications in other protocols involving 
zero-knowledge proofs in lattice-based cryptography. 

It was shown by Kiayias et al. [33] that, in order to design a GE scheme, 
three ingredients are necessary: we need digital signatures, anonymous (i.e., key-private 
[7]) public-key encryption and zero-knowledge proofs. While the first two 
ingredients are available in lattice-based cryptography, suitable zero-knowledge 
proof systems are currently lacking. The underlying proof system should allow 
the sender to prove that the ciphertext is well-formed and is decryptable by some 
certified group member without betraying the latter’s identity. Such statements 
typically involve equations of the form b = X · s + e mod q, for which, given 
integers n, m, q and a vector b ∈ Z_q^m, the prover has to demonstrate possession of 
a certified matrix X ∈ Z_q^{m×n}, a vector s ∈ Z_q^n and a small-norm error vector e ∈ Z^m 
satisfying the equation. Existing mechanisms of proving relations appearing in 
lattice-based cryptosystems belong to two main classes. The first one, which uses 
“rejection sampling” techniques for Schnorr-like protocols [51], was introduced 
by Lyubashevsky [42]. The second class, which was initiated by Ling et al. [40], 
appeals to “decomposition-extension-permutation” techniques in lattice-based 
extensions [31] of Stern’s protocol [52]. These techniques mainly deal with linear 
equations, where each term is a product of a public matrix with a secret vector, 
which possibly satisfies some additional constraints (e.g., smallness) to be 
proven. Here, we are presented with quadratic equations where some terms X · s 
are products of two secret witnesses X ∈ Z_q^{m×n} and s ∈ Z_q^n which are involved 
in other equations. Proving such quadratic equations thus requires new ideas. 

To overcome the above hurdle, we employ a divide-and-conquer strategy. First, we consider the binary representations of $\mathbf{X}$ and $\mathbf{s}$, and view the product $\mathbf{X} \cdot \mathbf{s}$ as a bunch of bit-wise products $\{x_i \cdot s_j\}_{i,j}$. Now, although these bit-wise products still have a quadratic nature, to prove that each of them is well-formed it suffices to demonstrate in zero-knowledge that $x_i \cdot s_j$ belongs to the set $\mathsf{B} = \{0 \cdot 0, 0 \cdot 1, 1 \cdot 0, 1 \cdot 1\}$ of cardinality 4. This can be done with a Stern-like sub-protocol, using the following extending-then-permuting technique. We first extend $x_i \cdot s_j$ to vector $\mathrm{ext}(x_i, s_j) = (\bar{x}_i \cdot \bar{s}_j, \bar{x}_i \cdot s_j, x_i \cdot \bar{s}_j, x_i \cdot s_j)^T \in \{0,1\}^4$ whose entries are elements of $\mathsf{B}$ (here, $\bar{c}$ denotes the bit $1 - c$). We then apply a special permutation, determined by two random bits $b_x$ and $b_s$, to the entries of $\mathrm{ext}(x_i, s_j)$, such that the permuted vector is exactly the correct extension $\mathrm{ext}(x_i \oplus b_x, s_j \oplus b_s)$, where $\oplus$ denotes the addition modulo 2. Seeing that a permutation of $\mathrm{ext}(x_i, s_j)$ has entries in the set $\mathsf{B}$, the verifier should be convinced that $x_i \cdot s_j \in \mathsf{B}$. Meanwhile, the bits $b_x$ and $b_s$ act as one-time pads that perfectly hide $x_i$ and $s_j$. Furthermore, to prove that the same bits $x_i$ and $s_j$ are involved in other equations, we establish similar extending-then-permuting mechanisms for their other appearances, and use the same one-time pads $b_x$ and $b_s$, respectively, in those places.

Having settled the problem of proving quadratic relations, we are able to realize the desired zero-knowledge layer by combining our proof system with the techniques of [37,41]. These help us demonstrate possession of a signature on the user’s public key while proving that this key is encrypted under the OA’s public key. Since users’ public keys consist of a matrix $\mathbf{B}_U \in \mathbb{Z}_q^{n \times m}$, we actually encrypt a hash value of this matrix under the OA’s public key while the sender proves knowledge of a signature on the binary decomposition of $\mathbf{B}_U$. By using a suitable lattice-based hash function [24], the Stern-like protocols of [37,41] make it possible to prove that the hashed matrix encrypted under the OA’s public key coincides with the one for which the sender knows a certificate and which served as a public key to encrypt the actual plaintext.

The last issue to sort out is to determine the appropriate encryption schemes to work with in the two public-key encryption components. The CCA2-secure cryptosystem implied by the Agrawal-Boneh-Boyen (ABB) identity-based encryption (IBE) scheme [1] via the CHK transformation [16] is a natural choice as it is one of the most efficient LWE-based candidates in the standard model. For technical reasons, we chose to use a variant of the ABB cryptosystem based on the trapdoor mechanism of Micciancio and Peikert [43] because it allows dispensing with zero-knowledge proofs of public key validity. Indeed, the Kiayias-Tsiounis-Yung model [33] mandates that certified public keys be valid public keys (for which an underlying private key exists). This requirement is easier to handle using Micciancio-Peikert trapdoors [43] since, unlike GPV trapdoors [23], they are guaranteed to exist for any public matrix.

2 Background and Definitions

2.1 Lattices 

In our notations, all vectors are denoted in bold lower-case letters while bold upper-case letters will be used for matrices. If $\mathbf{b} \in \mathbb{R}^n$, its Euclidean norm and infinity norm will be denoted by $\|\mathbf{b}\|$ and $\|\mathbf{b}\|_\infty$ respectively. The Euclidean norm of matrix $\mathbf{B} \in \mathbb{R}^{m \times n}$ with columns $(\mathbf{b}_i)_{i \leq n}$ is denoted by $\|\mathbf{B}\| = \max_{i \leq n} \|\mathbf{b}_i\|$. If $\mathbf{B}$ is full column-rank, we let $\widetilde{\mathbf{B}}$ denote its Gram-Schmidt orthogonalization.

When $S$ is a finite set, we denote by $U(S)$ the uniform distribution over $S$ and by $x \hookleftarrow D$ the action of sampling $x$ according to the distribution $D$.

A (full-rank) lattice $L$ is the set of all integer linear combinations of some linearly independent basis vectors $(\mathbf{b}_i)_{i \leq n}$ belonging to some $\mathbb{R}^n$. We work with $q$-ary lattices, for some prime $q$.

Definition 1. Let $m \geq n \geq 1$, a prime $q \geq 2$ and $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{u} \in \mathbb{Z}_q^n$; define $\Lambda_q(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \exists \mathbf{s} \in \mathbb{Z}_q^n \text{ s.t. } \mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q\}$ as well as

$$\Lambda_q^{\perp}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q\}, \qquad \Lambda_q^{\mathbf{u}}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q\}.$$

For any $\mathbf{t} \in \Lambda_q^{\mathbf{u}}(\mathbf{A})$, $\Lambda_q^{\mathbf{u}}(\mathbf{A}) = \Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ so that $\Lambda_q^{\mathbf{u}}(\mathbf{A})$ is a shift of $\Lambda_q^{\perp}(\mathbf{A})$.

For a lattice $L$, a vector $\mathbf{c} \in \mathbb{R}^n$ and a real $\sigma > 0$, define $\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / \sigma^2)$. The discrete Gaussian distribution of support $L$, parameter $\sigma$ and center $\mathbf{c}$ is defined as $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y}) / \rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. We denote by $D_{L,\sigma}(\mathbf{y})$ the distribution centered in $\mathbf{c} = \mathbf{0}$. We will extensively use the fact that samples from $D_{L,\sigma}$ are short with overwhelming probability.

Lemma 1 ([6, Lemma 1.5]). For any lattice $L \subseteq \mathbb{R}^n$ and positive real number $\sigma > 0$, we have $\Pr_{\mathbf{b} \hookleftarrow D_{L,\sigma}}[\|\mathbf{b}\| \leq \sqrt{n}\sigma] \geq 1 -$

As shown in [23], Gaussian distributions with lattice support can be sampled from efficiently, given a sufficiently short basis of the lattice.

Lemma 2 ([14, Lemma 2.3]). There exists a PPT (probabilistic polynomial-time) algorithm GPVSample that takes as inputs a basis $\mathbf{B}$ of a lattice $L \subseteq \mathbb{Z}^n$ and a rational $\sigma \geq \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, and outputs vectors $\mathbf{b} \in L$ with distribution $D_{L,\sigma}$.

Lemma 3 ([5, Theorem 3.2]). There exists a PPT algorithm TrapGen that takes as inputs $1^n$, $1^m$ and an integer $q \geq 2$ with $m \geq \Omega(n \log q)$, and outputs a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^{\perp}(\mathbf{A})$ such that $\mathbf{A}$ is within statistical distance to $U(\mathbb{Z}_q^{n \times m})$, and $\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \leq \mathcal{O}(\sqrt{n \log q})$.

Lemma 3 is often combined with the sampler from Lemma 2. Micciancio and Peikert [43] recently proposed a more efficient approach for this combined task, which should be preferred in practice but, for the sake of simplicity, we present our schemes using TrapGen.

We rely on a basis delegation algorithm [17] which extends a trapdoor for $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ into a trapdoor of any $\mathbf{B} \in \mathbb{Z}_q^{n \times m'}$ whose left $n \times m$ submatrix is $\mathbf{A}$.

Lemma 4 ([17, Lemma 3.2]). There exists a PPT algorithm ExtBasis that takes as inputs a matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m'}$ whose first $m$ columns span $\mathbb{Z}_q^n$, and a basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^{\perp}(\mathbf{A})$ where $\mathbf{A}$ is the left $n \times m$ submatrix of $\mathbf{B}$, and outputs a basis $\mathbf{T}_{\mathbf{B}}$ of $\Lambda_q^{\perp}(\mathbf{B})$ with $\|\widetilde{\mathbf{T}_{\mathbf{B}}}\| \leq \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$.

Like [11,13], we use a technique due to Agrawal, Boneh and Boyen [1] that realizes a punctured trapdoor mechanism [12]. Analogously to [43], we will use such a mechanism in the real scheme and not only in the proof.

Lemma 5 ([1, Theorem 19]). There exists a PPT algorithm SampleRight that takes as inputs matrices $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{C} \in \mathbb{Z}_q^{n \times m}$, a low-norm matrix $\mathbf{R} \in \mathbb{Z}^{m \times m}$, a short basis $\mathbf{T}_{\mathbf{C}} \in \mathbb{Z}^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u} \in \mathbb{Z}_q^n$ and a rational $\sigma$ such that $\sigma \geq \|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \mathbb{Z}^{m+m}$ such that $[\mathbf{A} \mid \mathbf{A} \cdot \mathbf{R} + \mathbf{C}] \cdot \mathbf{b} = \mathbf{u} \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted lattice $\Lambda_q^{\mathbf{u}}([\mathbf{A} \mid \mathbf{A} \cdot \mathbf{R} + \mathbf{C}])$.


2.2 Computational Problems 

The security of our schemes provably relies on the assumption that both algorithmic problems below are hard, i.e., cannot be solved in polynomial time with non-negligible probability and non-negligible advantage, respectively.

Definition 2. Let $m, q, \beta$ be functions of a parameter $n$. The Short Integer Solution problem $\mathsf{SIS}_{n,m,q,\beta}$ is as follows: Given $\mathbf{A} \hookleftarrow U(\mathbb{Z}_q^{n \times m})$, find $\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with $0 < \|\mathbf{x}\| \leq \beta$.

If $q \geq \sqrt{n}\beta$ and $m, \beta \leq \mathrm{poly}(n)$, then $\mathsf{SIS}_{n,m,q,\beta}$ is at least as hard as the standard worst-case lattice problem $\mathsf{SIVP}_\gamma$ with $\gamma = \widetilde{\mathcal{O}}(\beta\sqrt{n})$ (see, e.g., [23, Sect. 9]).

Definition 3. Let $n, m \geq 1$, $q \geq 2$, and let $\chi$ be a probability distribution on $\mathbb{Z}$. For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s},\chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and $e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T \cdot \mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish $m$ samples chosen according to $A_{\mathbf{s},\chi}$ (for $\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$.

If $q$ is a prime power, $B \geq n \cdot \omega(\log n)$, $\gamma = \widetilde{\mathcal{O}}(nq/B)$, then there exists an efficiently sampleable $B$-bounded distribution $\chi$ (i.e., $\chi$ outputs samples with norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is at least as hard as $\mathsf{SIVP}_\gamma$ (see, e.g., [14,47,49]).


2.3 Syntax and Definitions of Group Encryption 

We use the syntax and the security model of Kiayias, Tsiounis and Yung [33]. The group encryption (GE) primitive involves a sender, a verifier, a group manager (GM) that manages the group of receivers and an opening authority (OA) which is capable of identifying ciphertexts’ recipients. In the syntax of [33], a GE scheme is specified by the description of a relation $\mathcal{R}$ as well as a tuple $\mathsf{GE} = (\mathsf{SETUP}, \mathsf{JOIN}, \langle \mathcal{G}_r, \mathcal{R}, \mathsf{sample}_{\mathcal{R}} \rangle, \mathsf{ENC}, \mathsf{DEC}, \mathsf{OPEN}, \langle \mathcal{P}, \mathcal{V} \rangle)$ of algorithms or protocols. In detail, $\mathsf{SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda$ as input. We call them $\mathsf{SETUP}_{\mathsf{init}}(1^\lambda)$, $\mathsf{SETUP}_{\mathsf{GM}}(\mathsf{param})$ and $\mathsf{SETUP}_{\mathsf{OA}}(\mathsf{param})$. The first one of these procedures generates a set of public parameters $\mathsf{param}$ (like the KTY construction [33], we rely on a common reference string even when using interaction between provers and verifiers). The latter two procedures are used to produce key pairs $(\mathsf{pk}_{\mathsf{GM}}, \mathsf{sk}_{\mathsf{GM}})$, $(\mathsf{pk}_{\mathsf{OA}}, \mathsf{sk}_{\mathsf{OA}})$ for the GM and the OA. In the following, $\mathsf{param}$ is incorporated in the inputs of all algorithms although we sometimes omit to explicitly write it.

$\mathsf{JOIN} = (\mathsf{J}_{\mathsf{user}}, \mathsf{J}_{\mathsf{GM}})$ is an interactive protocol between the GM and the prospective user. After the execution of $\mathsf{JOIN}$, the GM stores the public key $\mathsf{pk}$ and its certificate $\mathsf{cert}_{\mathsf{pk}}$ in a public directory $\mathsf{database}$. As in [34], we will restrict this protocol to have minimal interaction and consist of only two messages: the first one is the user’s public key $\mathsf{pk}$ sent by $\mathsf{J}_{\mathsf{user}}$ to $\mathsf{J}_{\mathsf{GM}}$ and the latter’s response is a certificate $\mathsf{cert}_{\mathsf{pk}}$ for $\mathsf{pk}$ that makes the user’s group membership effective. We do not require the user to prove knowledge of his private key $\mathsf{sk}$ or anything else about it. In our construction, valid keys will be publicly recognizable and users will not have to prove their validity. By avoiding proofs of knowledge of private keys, the security proof never has to rewind the adversary to extract those private keys, which allows supporting concurrent joins as advocated by Kiayias and Yung [34]. If applications demand it, it is possible to add proofs of knowledge of private keys in a modular way but our security proofs do not require rewinding the adversary in executions of $\mathsf{JOIN}$.

Algorithm $\mathsf{sample}_{\mathcal{R}}$ allows sampling pairs $(x, w) \in \mathcal{R}$ (made of a public value $x$ and a witness $w$) using keys $(\mathsf{pk}_{\mathcal{R}}, \mathsf{sk}_{\mathcal{R}})$ produced by $\mathcal{G}_r(1^\lambda)$ which samples public/secret parameters for the relation $\mathcal{R}$. Depending on the relation, $\mathsf{sk}_{\mathcal{R}}$ may be the empty string (as in the scheme [33] and ours which both involve publicly samplable relations). The testing procedure $\mathcal{R}(x, w)$ uses $\mathsf{pk}_{\mathcal{R}}$ to return 1 whenever $(x, w) \in \mathcal{R}$. To encrypt a witness $w$ such that $(x, w) \in \mathcal{R}$ for some public $x$, the sender fetches the pair $(\mathsf{pk}, \mathsf{cert}_{\mathsf{pk}})$ from $\mathsf{database}$ and runs the randomized encryption algorithm. The latter takes as input $w$, a label $L$, the receiver’s pair $(\mathsf{pk}, \mathsf{cert}_{\mathsf{pk}})$ as well as public keys $\mathsf{pk}_{\mathsf{GM}}$ and $\mathsf{pk}_{\mathsf{OA}}$. Its output is a ciphertext $\Psi \leftarrow \mathsf{ENC}(\mathsf{pk}_{\mathsf{GM}}, \mathsf{pk}_{\mathsf{OA}}, \mathsf{pk}, \mathsf{cert}_{\mathsf{pk}}, w, L)$. On input of the same elements, the certificate $\mathsf{cert}_{\mathsf{pk}}$, the ciphertext $\Psi$ and the random coins $\mathsf{coins}_\Psi$ that were used to produce $\Psi$, the non-interactive algorithm $\mathcal{P}$ generates a proof $\pi_\Psi$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x, w) \in \mathcal{R}$. The verification algorithm $\mathcal{V}$ takes as input $\mathsf{pk}_{\mathsf{GM}}$, $\mathsf{pk}_{\mathsf{OA}}$, $\pi_\Psi$ and the description of $\mathcal{R}$ and outputs 0 or 1. Given $\Psi$, $L$ and the receiver’s private key $\mathsf{sk}$, the output of $\mathsf{DEC}$ is either a witness $w$ such that $(x, w) \in \mathcal{R}$ or a rejection symbol $\perp$. Finally, $\mathsf{OPEN}$ takes as input a ciphertext/label pair $(\Psi, L)$ and the OA’s secret key $\mathsf{sk}_{\mathsf{OA}}$ and returns a receiver’s public key $\mathsf{pk}$.

The model of [33] considers four properties termed correctness, message secu- 
rity, anonymity and soundness. 
3 Warm-Up: Decompositions, Extensions, Permutations

This section introduces the notations and techniques that will be used throughout the paper. Part of the covered material appeared (in slightly different forms) in recent works [20,37,38,40,41] on Stern-like protocols [52]. The techniques that will be employed for handling quadratic relations (double-bit extension $\mathrm{ext}(\cdot,\cdot)$, expansion $\mathrm{expand}^{\otimes}(\cdot,\cdot)$ of matrix-vector product and the associated permuting mechanisms) are novel contributions of this paper.


3.1 Decompositions 

For any $B \in \mathbb{Z}_+$, define the number $\delta_B := \lfloor \log_2 B \rfloor + 1 = \lceil \log_2(B+1) \rceil$ and the sequence $B_1, \ldots, B_{\delta_B}$, where $B_j = \lfloor \frac{B + 2^{j-1}}{2^j} \rfloor$, $\forall j \in [1, \delta_B]$. As observed in [40], the sequence satisfies $\sum_{j=1}^{\delta_B} B_j = B$ and any integer $v \in [0, B]$ can be decomposed to $\mathrm{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^T \in \{0,1\}^{\delta_B}$ such that $\sum_{j=1}^{\delta_B} B_j \cdot v^{(j)} = v$.

We describe this decomposition procedure in a deterministic manner:

1. $v' := v$

2. For $j = 1$ to $\delta_B$ do:

(i) If $v' \geq B_j$ then $v^{(j)} := 1$, else $v^{(j)} := 0$;

(ii) $v' := v' - B_j \cdot v^{(j)}$

3. Output $\mathrm{idec}_B(v) = (v^{(1)}, \ldots, v^{(\delta_B)})^T$.

Next, for any positive integers $m, B$, we define the decomposition matrix:

$$\mathbf{H}_{m,B} := \begin{pmatrix} B_1 \ \ldots \ B_{\delta_B} & & \\ & \ddots & \\ & & B_1 \ \ldots \ B_{\delta_B} \end{pmatrix} \in \mathbb{Z}^{m \times m\delta_B} \qquad (1)$$

and the following injective functions:

(i) $\mathrm{vdec}_{m,B}: [0, B]^m \to \{0,1\}^{m\delta_B}$ that maps vector $\mathbf{v} = (v_1, \ldots, v_m)^T$ to vector $(\mathrm{idec}_B(v_1)^T \| \cdots \| \mathrm{idec}_B(v_m)^T)^T$. Note that $\mathbf{H}_{m,B} \cdot \mathrm{vdec}_{m,B}(\mathbf{v}) = \mathbf{v}$.

(ii) $\mathrm{vdec}'_{m,B}: [-B, B]^m \to \{-1, 0, 1\}^{m\delta_B}$ that maps vector $\mathbf{w} = (w_1, \ldots, w_m)^T$ to vector $(\sigma(w_1) \cdot \mathrm{idec}_B(|w_1|)^T \| \ldots \| \sigma(w_m) \cdot \mathrm{idec}_B(|w_m|)^T)^T$, where for each $i = 1, \ldots, m$: $\sigma(w_i) = 0$ if $w_i = 0$; $\sigma(w_i) = -1$ if $w_i < 0$; $\sigma(w_i) = 1$ if $w_i > 0$. Note that $\mathbf{H}_{m,B} \cdot \mathrm{vdec}'_{m,B}(\mathbf{w}) = \mathbf{w}$.

We also define the following matrix decomposition procedure. For positive integers $n, m, q$, define the injective function $\mathrm{mdec}_{n,m,q}: \mathbb{Z}_q^{m \times n} \to \{0,1\}^{nm\delta_{q-1}}$ that maps matrix $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \mathbb{Z}_q^{m \times n}$, where $\mathbf{x}_1, \ldots, \mathbf{x}_n \in \mathbb{Z}_q^m$, to vector

$$\mathrm{mdec}_{n,m,q}(\mathbf{X}) = (\mathrm{vdec}_{m,q-1}(\mathbf{x}_1)^T \| \ldots \| \mathrm{vdec}_{m,q-1}(\mathbf{x}_n)^T)^T = (x_{1,1}, \ldots, x_{1,mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^T \in \{0,1\}^{nmk},$$

where $k = \delta_{q-1}$ and, for each $(i,j) \in [n] \times [mk]$, $x_{i,j} \in \{0,1\}$ denotes the $j$-th bit of the decomposition of the $i$-th column of $\mathbf{X}$.

Looking ahead, when proving knowledge of witnesses $(\mathbf{X}, \mathbf{s}) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^n$ satisfying $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, we will have to consider terms of the form $x_{i,j} \cdot s_{i,t}$, where $\mathbf{s} = (s_1, \ldots, s_n)^T \in \mathbb{Z}_q^n$ and $(s_{i,1}, \ldots, s_{i,k})^T = \mathrm{idec}_{q-1}(s_i)$ for each $i \in [n]$.

3.2 Extensions and Permutations 

We now introduce the extensions and permutations which will be essential for proving quadratic relations.

- For each $c \in \{0,1\}$, denote by $\bar{c}$ the bit $1 - c \in \{0,1\}$.

- For $c_1, c_2 \in \{0,1\}$, define the vector

$$\mathrm{ext}(c_1, c_2) = (\bar{c}_1 \cdot \bar{c}_2, \ \bar{c}_1 \cdot c_2, \ c_1 \cdot \bar{c}_2, \ c_1 \cdot c_2)^T \in \{0,1\}^4.$$

- For $b_1, b_2 \in \{0,1\}$, define the permutation $T_{b_1,b_2}$ that transforms vector $\mathbf{v} = (v_{0,0}, v_{0,1}, v_{1,0}, v_{1,1})^T \in \mathbb{Z}^4$ to vector $(v_{b_1,b_2}, v_{b_1,\bar{b}_2}, v_{\bar{b}_1,b_2}, v_{\bar{b}_1,\bar{b}_2})^T$.

Note that, for all $c_1, c_2, b_1, b_2 \in \{0,1\}$, we have the following:

$$\mathbf{z} = \mathrm{ext}(c_1, c_2) \iff T_{b_1,b_2}(\mathbf{z}) = \mathrm{ext}(c_1 \oplus b_1, c_2 \oplus b_2), \qquad (2)$$

where $\oplus$ denotes the bit-wise addition modulo 2.

Now, for positive integers $n, m, k$, and for vectors

$$\mathbf{x} = (x_{1,1}, \ldots, x_{1,mk}, x_{2,1}, \ldots, x_{2,mk}, \ldots, x_{n,1}, \ldots, x_{n,mk})^T \in \{0,1\}^{nmk}$$

and $\mathbf{s}_0 = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^T \in \{0,1\}^{nk}$, we define the vector $\mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0) \in \{0,1\}^{4nmk^2}$ as

$$\begin{aligned} \mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0) = \big( & \mathrm{ext}^T(x_{1,1}, s_{1,1}) \| \mathrm{ext}^T(x_{1,1}, s_{1,2}) \| \ldots \| \mathrm{ext}^T(x_{1,1}, s_{1,k}) \| \\ & \mathrm{ext}^T(x_{1,2}, s_{1,1}) \| \mathrm{ext}^T(x_{1,2}, s_{1,2}) \| \ldots \| \mathrm{ext}^T(x_{1,2}, s_{1,k}) \| \ldots \\ & \mathrm{ext}^T(x_{1,mk}, s_{1,1}) \| \mathrm{ext}^T(x_{1,mk}, s_{1,2}) \| \ldots \| \mathrm{ext}^T(x_{1,mk}, s_{1,k}) \| \\ & \mathrm{ext}^T(x_{2,1}, s_{2,1}) \| \mathrm{ext}^T(x_{2,1}, s_{2,2}) \| \ldots \| \mathrm{ext}^T(x_{2,1}, s_{2,k}) \| \ldots \\ & \mathrm{ext}^T(x_{2,mk}, s_{2,1}) \| \mathrm{ext}^T(x_{2,mk}, s_{2,2}) \| \ldots \| \mathrm{ext}^T(x_{2,mk}, s_{2,k}) \| \ldots \\ & \mathrm{ext}^T(x_{n,1}, s_{n,1}) \| \mathrm{ext}^T(x_{n,1}, s_{n,2}) \| \ldots \| \mathrm{ext}^T(x_{n,1}, s_{n,k}) \| \ldots \\ & \mathrm{ext}^T(x_{n,mk}, s_{n,1}) \| \mathrm{ext}^T(x_{n,mk}, s_{n,2}) \| \ldots \| \mathrm{ext}^T(x_{n,mk}, s_{n,k}) \big)^T. \end{aligned}$$

That is, $\mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0)$ is obtained by applying $\mathrm{ext}$ to all pairs of the form $(x_{i,j}, s_{i,t})$ for $(i, j, t) \in [n] \times [mk] \times [k]$.

Now, for $\mathbf{b} = (b_{1,1}, \ldots, b_{1,mk}, b_{2,1}, \ldots, b_{2,mk}, \ldots, b_{n,1}, \ldots, b_{n,mk})^T \in \{0,1\}^{nmk}$ and $\mathbf{d} = (d_{1,1}, \ldots, d_{1,k}, d_{2,1}, \ldots, d_{2,k}, \ldots, d_{n,1}, \ldots, d_{n,k})^T \in \{0,1\}^{nk}$ we define the permutation $P_{\mathbf{b},\mathbf{d}}$ that transforms vector

$$\mathbf{v} = \big( (\mathbf{v}_{1,1,1}^T \| \ldots \| \mathbf{v}_{1,1,k}^T) \| \ldots \| (\mathbf{v}_{1,mk,1}^T \| \ldots \| \mathbf{v}_{1,mk,k}^T) \| (\mathbf{v}_{2,1,1}^T \| \ldots \| \mathbf{v}_{2,1,k}^T) \| \ldots \| (\mathbf{v}_{2,mk,1}^T \| \ldots \| \mathbf{v}_{2,mk,k}^T) \| \ldots \| (\mathbf{v}_{n,1,1}^T \| \ldots \| \mathbf{v}_{n,1,k}^T) \| \ldots \| (\mathbf{v}_{n,mk,1}^T \| \ldots \| \mathbf{v}_{n,mk,k}^T) \big)^T \in \mathbb{Z}^{4nmk^2},$$

consisting of $nmk^2$ blocks of length 4, to vector $P_{\mathbf{b},\mathbf{d}}(\mathbf{v})$ of the form

$$\big( (\mathbf{w}_{1,1,1}^T \| \ldots \| \mathbf{w}_{1,1,k}^T) \| \ldots \| (\mathbf{w}_{1,mk,1}^T \| \ldots \| \mathbf{w}_{1,mk,k}^T) \| (\mathbf{w}_{2,1,1}^T \| \ldots \| \mathbf{w}_{2,1,k}^T) \| \ldots \| (\mathbf{w}_{2,mk,1}^T \| \ldots \| \mathbf{w}_{2,mk,k}^T) \| \ldots \| (\mathbf{w}_{n,1,1}^T \| \ldots \| \mathbf{w}_{n,1,k}^T) \| \ldots \| (\mathbf{w}_{n,mk,1}^T \| \ldots \| \mathbf{w}_{n,mk,k}^T) \big)^T,$$

where for each $(i, j, t) \in [n] \times [mk] \times [k]$: $\mathbf{w}_{i,j,t} = T_{b_{i,j}, d_{i,t}}(\mathbf{v}_{i,j,t})$.

Observe that, for all $\mathbf{b} \in \{0,1\}^{nmk}$, $\mathbf{d} \in \{0,1\}^{nk}$, we have:

$$\mathbf{z} = \mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0) \iff P_{\mathbf{b},\mathbf{d}}(\mathbf{z}) = \mathrm{expand}^{\otimes}(\mathbf{x} \oplus \mathbf{b}, \mathbf{s}_0 \oplus \mathbf{d}). \qquad (3)$$

Next, we recall the notations, extensions and permutations used in previous Stern-like protocols [20,37,40,41] for proving linear relations.

For any positive integer $t$, denote by $\mathcal{S}_t$ the symmetric group of all permutations of $t$ elements, by $\mathsf{B}_{2t}$ the set of all vectors in $\{0,1\}^{2t}$ having Hamming weight $t$, and by $\mathsf{B}_{3t}$ the set of all vectors in $\{-1, 0, 1\}^{3t}$ having exactly $t$ coordinates equal to $j$, for each $j \in \{-1, 0, 1\}$. Note that for any $\phi \in \mathcal{S}_{2t}$ and $\psi \in \mathcal{S}_{3t}$, we have the following equivalences:

$$\mathbf{x} \in \mathsf{B}_{2t} \iff \phi(\mathbf{x}) \in \mathsf{B}_{2t} \quad \text{and} \quad \mathbf{y} \in \mathsf{B}_{3t} \iff \psi(\mathbf{y}) \in \mathsf{B}_{3t}. \qquad (4)$$

The following extending procedures are defined for any positive integer $t$.

- $\mathrm{ExtendTwo}_t: \{0,1\}^t \to \mathsf{B}_{2t}$. On input vector $\mathbf{x}$ with Hamming weight $w$, it outputs $\mathbf{x}' = (\mathbf{x}^T \| \mathbf{1}^{t-w} \| \mathbf{0}^{w})^T$.

- $\mathrm{ExtendThree}_t: \{-1, 0, 1\}^t \to \mathsf{B}_{3t}$. On input vector $\mathbf{y}$ containing $n_j$ coordinates equal to $j$ for $j \in \{-1, 0, 1\}$, output $\mathbf{y}' = (\mathbf{y}^T \| \mathbf{1}^{t-n_1} \| \mathbf{0}^{t-n_0} \| (-\mathbf{1})^{t-n_{-1}})^T$.

We also use the following encodings and permutations to achieve fine-grained control over coordinates of binary witness-vectors.

- For any positive integer $t$, define the function $\mathrm{encode}_t$ that encodes vector $\mathbf{x} = (x_1, \ldots, x_t)^T \in \{0,1\}^t$ to vector $\mathrm{encode}_t(\mathbf{x}) = (\bar{x}_1, x_1, \ldots, \bar{x}_t, x_t)^T \in \{0,1\}^{2t}$.

- For any positive integer $t$ and any vector $\mathbf{c} = (c_1, \ldots, c_t)^T \in \{0,1\}^t$, define the permutation $F^{(t)}_{\mathbf{c}}$ that transforms vector $\mathbf{v} = (v_1^{(0)}, v_1^{(1)}, \ldots, v_t^{(0)}, v_t^{(1)})^T \in \mathbb{Z}^{2t}$ into vector $F^{(t)}_{\mathbf{c}}(\mathbf{v}) = (v_1^{(c_1)}, v_1^{(\bar{c}_1)}, \ldots, v_t^{(c_t)}, v_t^{(\bar{c}_t)})^T$.

Note that the following equivalence holds for all $t, \mathbf{c}$:

$$\mathbf{y} = \mathrm{encode}_t(\mathbf{x}) \iff F^{(t)}_{\mathbf{c}}(\mathbf{y}) = \mathrm{encode}_t(\mathbf{x} \oplus \mathbf{c}). \qquad (5)$$

To close this warm-up section, we remark that the equivalences observed in (3), (4) and (5) will play crucial roles in our zero-knowledge layer.
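As an added illustration of this warm-up section (example code, not part of the paper), the gadgets $\mathrm{ext}$, $T_{b_1,b_2}$, $\mathrm{ExtendTwo}_t$, $\mathrm{ExtendThree}_t$, $\mathrm{encode}_t$ and $F^{(t)}_{\mathbf{c}}$ are implemented over plain lists and the equivalences (2), (4) and (5) are checked exhaustively on small $t$; a permutation is represented as an index list, and the small parameters are constructed for the check.

```python
"""Added example (not from the paper): the Sect. 3.2 extension and permutation
gadgets, with equivalences (2), (4) and (5) checked on small parameters."""
import itertools
import random


def ext(c1, c2):
    """ext(c1,c2) = (c1~ c2~, c1~ c2, c1 c2~, c1 c2), where c~ = 1 - c."""
    return [(1 - c1) * (1 - c2), (1 - c1) * c2, c1 * (1 - c2), c1 * c2]


def T(b1, b2, v):
    """T_{b1,b2}: (v00,v01,v10,v11) -> (v_{b1,b2}, v_{b1,b2~}, v_{b1~,b2}, v_{b1~,b2~})."""
    idx = lambda a, b: 2 * a + b          # position of v_{a,b} inside the block
    return [v[idx(b1, b2)], v[idx(b1, 1 - b2)],
            v[idx(1 - b1, b2)], v[idx(1 - b1, 1 - b2)]]


def check_eq2():
    """Equivalence (2): z = ext(c1,c2) <=> T_{b1,b2}(z) = ext(c1^b1, c2^b2),
    for all 16 choices of (c1,c2,b1,b2) and all 16 candidate z in {0,1}^4."""
    for c1, c2, b1, b2 in itertools.product((0, 1), repeat=4):
        for z in itertools.product((0, 1), repeat=4):
            z = list(z)
            if (z == ext(c1, c2)) != (T(b1, b2, z) == ext(c1 ^ b1, c2 ^ b2)):
                return False
    return True


def extend_two(x):
    """ExtendTwo_t: append 1^{t-w} || 0^w so that the result lies in B_{2t}."""
    t, w = len(x), sum(x)
    return list(x) + [1] * (t - w) + [0] * w


def extend_three(y):
    """ExtendThree_t: pad so that each of -1, 0, 1 appears exactly t times."""
    t = len(y)
    n = {j: y.count(j) for j in (-1, 0, 1)}
    return list(y) + [1] * (t - n[1]) + [0] * (t - n[0]) + [-1] * (t - n[-1])


def in_B2(v):
    return len(v) % 2 == 0 and set(v) <= {0, 1} and 2 * sum(v) == len(v)


def in_B3(v):
    return len(v) % 3 == 0 and all(v.count(j) == len(v) // 3 for j in (-1, 0, 1))


def permute(phi, v):
    """Apply a permutation given as an index list: result[i] = v[phi[i]]."""
    return [v[phi[i]] for i in range(len(v))]


def check_eq4(t=4, trials=20, seed=1):
    """Equivalence (4): B_{2t} and B_{3t} membership survives any permutation."""
    rng = random.Random(seed)
    for x in itertools.product((0, 1), repeat=t):
        x2 = extend_two(list(x))
        for _ in range(trials):
            phi = list(range(2 * t)); rng.shuffle(phi)
            if not in_B2(permute(phi, x2)):
                return False
    for y in itertools.product((-1, 0, 1), repeat=t):
        y3 = extend_three(list(y))
        psi = list(range(3 * t)); rng.shuffle(psi)
        if not in_B3(permute(psi, y3)):
            return False
    return True


def encode(x):
    """encode_t(x) = (x1~, x1, ..., xt~, xt)."""
    out = []
    for xi in x:
        out += [1 - xi, xi]
    return out


def F(c, v):
    """F_c^{(t)}: block i (v_i^(0), v_i^(1)) becomes (v_i^(c_i), v_i^(c_i~))."""
    out = []
    for i, ci in enumerate(c):
        blk = v[2 * i: 2 * i + 2]
        out += [blk[ci], blk[1 - ci]]
    return out


def check_eq5(t=3):
    """Equivalence (5): y = encode_t(x) <=> F_c(y) = encode_t(x xor c), exhaustively."""
    for x in itertools.product((0, 1), repeat=t):
        for c in itertools.product((0, 1), repeat=t):
            xc = [xi ^ ci for xi, ci in zip(x, c)]
            for y in itertools.product((0, 1), repeat=2 * t):
                y = list(y)
                if (y == encode(x)) != (F(c, y) == encode(xc)):
                    return False
    return True
```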
4 The Supporting Zero-Knowledge Layer

In this section, we first demonstrate how to prove in zero-knowledge that a given vector $\mathbf{b}$ is a correct LWE evaluation, i.e., $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$, where the hidden matrix $\mathbf{X}$ and vector $\mathbf{s}$ may satisfy additional conditions. This sub-protocol, which we believe will have other applications, is one of the major challenges in our road towards the design of lattice-based group encryption. We then plug this building block into the big picture, and construct the supporting zero-knowledge argument of knowledge (ZKAoK) for our group encryption scheme (Sect. 5).

4.1 Proving the LWE Relation with Hidden Matrices 

Let $n, m, q, \beta$ be positive integers where $\beta \ll q$, and let $k = \lceil \log_2 q \rceil$. We identify $\mathbb{Z}_q$ as the set $\{0, 1, \ldots, q-1\}$. We consider a zero-knowledge argument system allowing prover $\mathcal{P}$ to convince verifier $\mathcal{V}$ on input $\mathbf{b} \in \mathbb{Z}_q^m$ that $\mathcal{P}$ knows secret matrix $\mathbf{X} \in \mathbb{Z}_q^{m \times n}$, and vectors $\mathbf{s} \in \mathbb{Z}_q^n$, $\mathbf{e} \in [-\beta, \beta]^m$ such that:

$$\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q. \qquad (6)$$

Moreover, the argument system should be readily extended to proving that $\mathbf{X}$ and $\mathbf{s}$ satisfy additional conditions, such as:

- The bits representing $\mathbf{X}$ are certified by an authority, and the prover also knows that secret signature-certificate.

- The (secret) hash of $\mathbf{X}$ is correctly encrypted to a given ciphertext.

- The LWE secret $\mathbf{s}$ is involved in other linear equations.

Let $q_1, \ldots, q_k \in \mathbb{Z}_q$ be the sequence of integers obtained by decomposing $q - 1$ using the technique recalled in Sect. 3.1, and define the row vector $\mathbf{g} = (q_1, \ldots, q_k)$. Let $\mathbf{X} = [\mathbf{x}_1 | \ldots | \mathbf{x}_n] \in \mathbb{Z}_q^{m \times n}$ and $\mathbf{s} = (s_1, \ldots, s_n)^T$. For each index $i \in [n]$, let us consider $\mathrm{vdec}_{m,q-1}(\mathbf{x}_i) = (x_{i,1}, \ldots, x_{i,mk})^T \in \{0,1\}^{mk}$. Let $\mathrm{vdec}_{n,q-1}(\mathbf{s}) = (s_{1,1}, \ldots, s_{1,k}, s_{2,1}, \ldots, s_{2,k}, \ldots, s_{n,1}, \ldots, s_{n,k})^T \in \{0,1\}^{nk}$ and observe that $s_i = \mathbf{g} \cdot \mathrm{idec}_{q-1}(s_i) = \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^T$ for each $i \in [n]$. We have:

$$\mathbf{X} \cdot \mathbf{s} = \sum_{i=1}^{n} \mathbf{x}_i \cdot s_i = \sum_{i=1}^{n} \mathbf{H}_{m,q-1} \cdot \mathrm{vdec}_{m,q-1}(\mathbf{x}_i) \cdot s_i = \mathbf{H}_{m,q-1} \cdot \sum_{i=1}^{n} (x_{i,1} \cdot s_i, \ldots, x_{i,mk} \cdot s_i)^T \bmod q.$$

Observe that, for each $i \in [n]$ and each $j \in [mk]$, we have

$$x_{i,j} \cdot s_i = x_{i,j} \cdot \mathbf{g} \cdot (s_{i,1}, \ldots, s_{i,k})^T = (q_1, \ldots, q_k) \cdot (x_{i,j} \cdot s_{i,1}, \ldots, x_{i,j} \cdot s_{i,k})^T.$$

We now extend vector $(q_1, q_2, \ldots, q_k)$ to $\mathbf{g}' = (0, 0, 0, q_1, 0, 0, 0, q_2, \ldots, 0, 0, 0, q_k) \in \mathbb{Z}_q^{4k}$. For all $(i,j) \in [n] \times [mk]$, we have:

$$x_{i,j} \cdot s_i = \mathbf{g}' \cdot (\mathrm{ext}^T(x_{i,j}, s_{i,1}) \| \ldots \| \mathrm{ext}^T(x_{i,j}, s_{i,k}))^T.$$
Let us define the matrices

$$\mathbf{Q}_0 := \mathbf{I}_{mk} \otimes \mathbf{g}' \in \mathbb{Z}_q^{mk \times 4mk^2} \quad \text{and} \quad \mathbf{Q} = \underbrace{[\mathbf{Q}_0 \mid \ldots \mid \mathbf{Q}_0]}_{n \text{ times}} \in \mathbb{Z}_q^{mk \times 4nmk^2}. \qquad (7)$$

For each $i \in [n]$, define

$$\mathbf{y}_i = \big( \mathrm{ext}^T(x_{i,1}, s_{i,1}) \| \ldots \| \mathrm{ext}^T(x_{i,1}, s_{i,k}) \| \mathrm{ext}^T(x_{i,2}, s_{i,1}) \| \ldots \| \mathrm{ext}^T(x_{i,2}, s_{i,k}) \| \ldots \| \mathrm{ext}^T(x_{i,mk}, s_{i,1}) \| \ldots \| \mathrm{ext}^T(x_{i,mk}, s_{i,k}) \big)^T \in \{0,1\}^{4mk^2}.$$

Then, for all $i \in [n]$, we have: $(x_{i,1} \cdot s_i, \ldots, x_{i,mk} \cdot s_i)^T = \mathbf{Q}_0 \cdot \mathbf{y}_i$. Now, we note that

$$(\mathbf{y}_1^T \| \ldots \| \mathbf{y}_n^T)^T = \mathrm{expand}^{\otimes}(\mathrm{mdec}_{n,m,q}(\mathbf{X}), \mathrm{vdec}_{n,q-1}(\mathbf{s})),$$

and

$$\sum_{i=1}^{n} (x_{i,1} \cdot s_i, \ldots, x_{i,mk} \cdot s_i)^T = \sum_{i=1}^{n} \mathbf{Q}_0 \cdot \mathbf{y}_i = \mathbf{Q} \cdot \mathrm{expand}^{\otimes}(\mathrm{mdec}_{n,m,q}(\mathbf{X}), \mathrm{vdec}_{n,q-1}(\mathbf{s})). \qquad (8)$$

Letting $\widehat{\mathbf{Q}} = \mathbf{H}_{m,q-1} \cdot \mathbf{Q} \in \mathbb{Z}_q^{m \times 4nmk^2}$ and left-multiplying (8) by $\mathbf{H}_{m,q-1}$, we obtain the equation:

$$\mathbf{X} \cdot \mathbf{s} = \widehat{\mathbf{Q}} \cdot \mathrm{expand}^{\otimes}(\mathrm{mdec}_{n,m,q}(\mathbf{X}), \mathrm{vdec}_{n,q-1}(\mathbf{s})) \bmod q.$$

This means that the task of proving knowledge of $(\mathbf{X}, \mathbf{s}, \mathbf{e}) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^n \times [-\beta, \beta]^m$ such that $\mathbf{b} = \mathbf{X} \cdot \mathbf{s} + \mathbf{e} \bmod q$ boils down to proving knowledge of $\mathbf{z} \in \{0,1\}^{4nmk^2}$, $\mathbf{x} \in \{0,1\}^{nmk}$, $\mathbf{s}_0 \in \{0,1\}^{nk}$ and a short $\mathbf{e} \in \mathbb{Z}^m$ such that

$$\mathbf{b} = \widehat{\mathbf{Q}} \cdot \mathbf{z} + \mathbf{I}_m \cdot \mathbf{e} \bmod q \quad \text{and} \quad \mathbf{z} = \mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0).$$

As the knowledge of small-norm $\mathbf{e}$ can easily be proved with a Stern-like protocol (e.g., [40]), the challenging part is to prove in ZK the constraint $\mathbf{z} = \mathrm{expand}^{\otimes}(\mathbf{x}, \mathbf{s}_0)$. To this end, we will use the following permuting technique inspired by the equivalence of Eq. (3). We sample uniformly random $\mathbf{d}_x \in \{0,1\}^{nmk}$ and $\mathbf{d}_s \in \{0,1\}^{nk}$, send $\mathbf{x}' = \mathbf{x} \oplus \mathbf{d}_x$ and $\mathbf{s}' = \mathbf{s}_0 \oplus \mathbf{d}_s$ to the verifier, and let the latter check that $P_{\mathbf{d}_x, \mathbf{d}_s}(\mathbf{z}) = \mathrm{expand}^{\otimes}(\mathbf{x}', \mathbf{s}')$. This will be sufficient to convince the verifier that the original vector $\mathbf{z}$ satisfies the required constraint. The crucial point is that no additional information about $\mathbf{x}$ and $\mathbf{s}_0$ is leaked, since these binary vectors are perfectly hidden under the “one-time pads” $\mathbf{d}_x$ and $\mathbf{d}_s$, respectively.

In the framework of Stern’s protocol, the idea of using “one-time-pad” permutations further allows us to prove that $\mathbf{x}$ and $\mathbf{s}_0$ satisfy additional conditions, i.e., they appear in other equations. This is done by first setting up an equivalence similar to (3) in the places where these objects appear, and then using the same “one-time pad” for each of them in all appearances. We will explain in detail how this technique can be realized in the next subsection.
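The following added example (not code from the paper) carries the Sect. 3.1 decompositions and the Sect. 4.1 derivation through on constructed parameters: it builds $\mathrm{idec}_B$, $\mathbf{H}_{m,B}$, $\mathrm{vdec}$, $\mathrm{mdec}$, $\mathrm{expand}^{\otimes}$ and $\widehat{\mathbf{Q}}$, checks $\mathbf{X} \cdot \mathbf{s} = \widehat{\mathbf{Q}} \cdot \mathrm{expand}^{\otimes}(\mathrm{mdec}(\mathbf{X}), \mathrm{vdec}(\mathbf{s})) \bmod q$, and runs the verifier's one-time-pad check $P_{\mathbf{d}_x,\mathbf{d}_s}(\mathbf{z}) = \mathrm{expand}^{\otimes}(\mathbf{x}', \mathbf{s}')$ of equivalence (3). Matrices are plain lists of rows; $q = 7$ and the small $\mathbf{X}, \mathbf{s}$ used in the check are constructed.

```python
"""Added example (not from the paper): Sect. 3.1 decompositions and the Sect. 4.1
identity X*s = Qhat * expand(mdec(X), vdec(s)) mod q, plus the one-time-pad
check of equivalence (3). All parameters and inputs are constructed."""
import random


def delta(B):
    """delta_B = floor(log2 B) + 1 for B >= 1."""
    return B.bit_length()


def seq(B):
    """B_1..B_{delta_B} with B_j = floor((B + 2^(j-1)) / 2^j); the B_j sum to B."""
    return [(B + 2 ** (j - 1)) // 2 ** j for j in range(1, delta(B) + 1)]


def idec(B, v):
    """Greedy decomposition of v in [0, B]: sum_j B_j * v^(j) = v."""
    assert 0 <= v <= B
    bits, rest = [], v
    for Bj in seq(B):
        bit = 1 if rest >= Bj else 0
        bits.append(bit)
        rest -= Bj * bit
    return bits


def vdec(B, vec):
    """vdec_{m,B}: idec_B applied coordinate-wise and concatenated."""
    return [bit for v in vec for bit in idec(B, v)]


def H(m, B):
    """H_{m,B} = I_m kron (B_1 ... B_{delta_B}), as a list of rows."""
    d, s = delta(B), seq(B)
    return [[s[c - r * d] if r * d <= c < (r + 1) * d else 0
             for c in range(m * d)] for r in range(m)]


def matvec(M, v, q):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def mdec(X, q):
    """mdec_{n,m,q}: vdec_{m,q-1} of every column of X (X is stored as rows)."""
    cols = [[row[i] for row in X] for i in range(len(X[0]))]
    return [bit for col in cols for bit in vdec(q - 1, col)]


def ext(c1, c2):
    return [(1 - c1) * (1 - c2), (1 - c1) * c2, c1 * (1 - c2), c1 * c2]


def expand(x, s0, n, mk, k):
    """expand(x, s0): blocks ext(x_{i,j}, s_{i,t}) for (i,j,t) in [n]x[mk]x[k]."""
    return [e for i in range(n) for j in range(mk) for t in range(k)
            for e in ext(x[i * mk + j], s0[i * k + t])]


def Qhat(n, m, q):
    """Qhat = H_{m,q-1} * [Q0|...|Q0], Q0 = I_{mk} kron g', where
    g' = (0,0,0,q_1, ..., 0,0,0,q_k) puts q_t on the c1*c2 entry of each ext block."""
    k, g = delta(q - 1), seq(q - 1)
    gp = [g[c // 4] if c % 4 == 3 else 0 for c in range(4 * k)]
    Q0 = [[gp[c - r * 4 * k] if r * 4 * k <= c < (r + 1) * 4 * k else 0
           for c in range(4 * m * k * k)] for r in range(m * k)]
    Q = [row * n for row in Q0]                      # n horizontal copies of Q0
    Hm = H(m, q - 1)
    return [[sum(Hm[r][i] * Q[i][c] for i in range(m * k)) % q
             for c in range(4 * n * m * k * k)] for r in range(m)]


def check_identity(X, s, q):
    """Return (X*s mod q, Qhat*expand(mdec(X), vdec(s)) mod q); the two must agree."""
    m, n, k = len(X), len(X[0]), delta(q - 1)
    z = expand(mdec(X, q), vdec(q - 1, s), n, m * k, k)
    return matvec(X, s, q), matvec(Qhat(n, m, q), z, q)


def T(b1, b2, v):
    """T_{b1,b2} on one ext block (v00, v01, v10, v11)."""
    idx = lambda a, b: 2 * a + b
    return [v[idx(b1, b2)], v[idx(b1, 1 - b2)], v[idx(1 - b1, b2)], v[idx(1 - b1, 1 - b2)]]


def P(b, d, z, n, mk, k):
    """P_{b,d}: apply T_{b_{i,j}, d_{i,t}} to block (i,j,t) of z."""
    out = []
    for i in range(n):
        for j in range(mk):
            for t in range(k):
                pos = 4 * ((i * mk + j) * k + t)
                out += T(b[i * mk + j], d[i * k + t], z[pos:pos + 4])
    return out


def verifier_check(x, s0, z, n, mk, k, seed=7):
    """Sect. 4.1 check built on (3): mask x, s0 with one-time pads d_x, d_s and
    verify P_{d_x,d_s}(z) == expand(x xor d_x, s0 xor d_s)."""
    rng = random.Random(seed)
    dx = [rng.randrange(2) for _ in x]
    ds = [rng.randrange(2) for _ in s0]
    xp = [a ^ b for a, b in zip(x, dx)]
    sp = [a ^ b for a, b in zip(s0, ds)]
    return P(dx, ds, z, n, mk, k) == expand(xp, sp, n, mk, k)
```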


4.2 The Main Zero-Knowledge Argument System

The zero-knowledge argument of knowledge used in our group encryption scheme (Sect. 5) will involve a system of 10 modular equations:

$$\begin{cases} \mathbf{v}_1 = \mathbf{M}_{1,1} \cdot \mathbf{w}_1 + \mathbf{M}_{1,2} \cdot \mathbf{w}_2 + \ldots + \mathbf{M}_{1,15} \cdot \mathbf{w}_{15} \bmod q, \\ \mathbf{v}_2 = \mathbf{M}_{2,1} \cdot \mathbf{w}_1 + \mathbf{M}_{2,2} \cdot \mathbf{w}_2 + \ldots + \mathbf{M}_{2,15} \cdot \mathbf{w}_{15} \bmod q, \\ \quad \vdots \\ \mathbf{v}_{10} = \mathbf{M}_{10,1} \cdot \mathbf{w}_1 + \mathbf{M}_{10,2} \cdot \mathbf{w}_2 + \ldots + \mathbf{M}_{10,15} \cdot \mathbf{w}_{15} \bmod q, \end{cases} \qquad (9)$$

where $\{\mathbf{M}_{i,j}\}_{(i,j) \in [10] \times [15]}$, $\{\mathbf{v}_i\}_{i \in [10]}$ are public matrices and vectors (which are possibly zero). Our goal is to prove knowledge of vectors $\mathbf{w}_1, \ldots, \mathbf{w}_{15}$, such that (9) holds, and that these vectors have the following constraints.

1. $\mathbf{w}_1 \in \{0,1\}^{nmk}$, $\mathbf{w}_2 \in \{0,1\}^{nk}$ and $\mathbf{w}_3 = \mathrm{expand}^{\otimes}(\mathbf{w}_1, \mathbf{w}_2) \in \{0,1\}^{4nmk^2}$. (Note that these vectors are obtained via the techniques of Sect. 4.1.)

2. $\mathbf{w}_4, \mathbf{w}_5, \mathbf{w}_6, \mathbf{w}_7$ are $\{0,1\}$ vectors.

3. Vectors $\mathbf{w}_8, \ldots, \mathbf{w}_{14}$ have bounded infinity norms.

4. Vector $\mathbf{w}_{15}$ has the form $(\mathbf{d}_1^T \| \mathbf{d}_2^T \| \tau[1] \cdot \mathbf{d}_2^T \| \ldots \| \tau[\ell] \cdot \mathbf{d}_2^T)^T$, for some vectors $\mathbf{d}_1, \mathbf{d}_2 \in [-\beta, \beta]^m$ and $\tau = (\tau[1], \ldots, \tau[\ell])^T \in \{0,1\}^\ell$.
Towards achieving the goal, we employ a 4-step strategy.

1. The first step transforms all the secret vectors with infinity norm larger than 1 into vectors with infinity norm 1. This is done with the decomposition technique of Sect. 3.1.

2. The norm-1 vectors are then encoded or extended into vectors whose constraints are invariant under random permutations. This is done with the techniques described at the end of Sect. 3.2. The public matrices $\{\mathbf{M}_{i,j}\}_{i,j}$ are transformed accordingly to preserve the equations.

3. The third step unifies all the equations into one of the form $\mathbf{M} \cdot \mathbf{x} = \mathbf{v} \bmod q$, where $\mathbf{x}$ is a concatenation of the newly obtained witness-vectors.

4. In the final step, we run a Stern-like protocol to prove the unified equation $\mathbf{M} \cdot \mathbf{x} = \mathbf{v} \bmod q$, where a composed permutation is employed to prove the constraints of vector $\mathbf{x}$.

Our strategy subsumes the central ideas underlying recent works on Stern-like protocols [37,40,41] for lattice-based relations: preprocessing secret witness-vectors to make them provable-in-zero-knowledge with random permutations, unifying them into just one vector for the sake of convenience, and then running Stern’s protocol in a classical manner.
The first step is applicable to vectors $\mathbf{w}_8, \ldots, \mathbf{w}_{14}$ and $\mathbf{w}_{15}$. Suppose that $\mathbf{w}_i$ has dimension $m_i$ and infinity norm bound $\beta_i$, for $i \in [8, 14]$. Then we compute vector $\mathbf{w}'_i = \mathrm{vdec}'_{m_i,\beta_i}(\mathbf{w}_i) \in \{-1, 0, 1\}^{m_i \delta_{\beta_i}}$. Note that $\mathbf{H}_{m_i,\beta_i} \cdot \mathbf{w}'_i = \mathbf{w}_i$. To decompose $\mathbf{w}_{15}$, we compute $\mathbf{d}'_j = \mathrm{vdec}'_{m,\beta}(\mathbf{d}_j) \in \{-1, 0, 1\}^{m\delta_\beta}$, for $j = 1, 2$.

The second step performs the following encodings and extensions.

- Encode $\mathbf{w}_1$ and $\mathbf{w}_2$: Let $\mathbf{w}''_1 = \mathrm{encode}_{nmk}(\mathbf{w}_1)$ and $\mathbf{w}''_2 = \mathrm{encode}_{nk}(\mathbf{w}_2)$. Note that to prove knowledge of $\mathbf{w}''_1$ and $\mathbf{w}''_2$, we will employ the “one-time pad” permuting technique implied by (5). The same one-time pads are used to prove that $\mathbf{w}_3 = \mathrm{expand}^{\otimes}(\mathbf{w}_1, \mathbf{w}_2)$, as discussed in Sect. 4.1.

- Extend vectors $\mathbf{w}_4, \ldots, \mathbf{w}_7$, $\mathbf{w}'_8, \ldots, \mathbf{w}'_{14}$ and $\mathbf{d}'_1, \mathbf{d}'_2, \tau$.

For $i \in [4, 7]$, suppose that the binary vector $\mathbf{w}_i$ has dimension $m_i$. Then we extend it to $\mathbf{w}''_i = \mathrm{ExtendTwo}_{m_i}(\mathbf{w}_i) \in \mathsf{B}_{2m_i}$. For $i \in [8, 14]$, we extend $\mathbf{w}'_i$ to $\mathbf{w}''_i = \mathrm{ExtendThree}_{m_i \delta_{\beta_i}}(\mathbf{w}'_i) \in \mathsf{B}_{3m_i \delta_{\beta_i}}$. It follows from (4) that the knowledge of vectors $\{\mathbf{w}''_i\}_{i=4}^{14}$ can be proved in zero-knowledge using random permutations.

Meanwhile, we need a more sophisticated treatment for the components of vector $\mathbf{w}_{15}$. For $j = 1, 2$, we let $\mathbf{d}''_j = \mathrm{ExtendThree}_{m\delta_\beta}(\mathbf{d}'_j) \in \mathsf{B}_{3m\delta_\beta}$. We also extend $\tau$ to $\tau'' = \mathrm{ExtendTwo}_\ell(\tau) = (\tau[1], \ldots, \tau[\ell], \tau[\ell+1], \ldots, \tau[2\ell])^T \in \mathsf{B}_{2\ell}$. Then we form the vector:

$$\mathbf{w}''_{15} = \big( (\mathbf{d}''_1)^T \| (\mathbf{d}''_2)^T \| \tau[1] \cdot (\mathbf{d}''_2)^T \| \ldots \| \tau[\ell] \cdot (\mathbf{d}''_2)^T \| \ldots \| \tau[2\ell] \cdot (\mathbf{d}''_2)^T \big)^T.$$

Next, we define $\mathsf{CorMix}$ as the set of all vectors in $\{-1, 0, 1\}^{(2\ell+2) \cdot 3m\delta_\beta}$ that have the form $(\mathbf{z}_1^T \| \mathbf{z}_2^T \| \rho[1] \cdot \mathbf{z}_2^T \| \ldots \| \rho[2\ell] \cdot \mathbf{z}_2^T)^T$ for some $\mathbf{z}_1, \mathbf{z}_2 \in \mathsf{B}_{3m\delta_\beta}$ and $\rho \in \mathsf{B}_{2\ell}$. Clearly, $\mathbf{w}''_{15} \in \mathsf{CorMix}$. Furthermore, as shown in [37,41], this set is closed under a special composition of 3 permutations $\phi_1 \in \mathcal{S}_{3m\delta_\beta}$, $\phi_2 \in \mathcal{S}_{3m\delta_\beta}$, $\phi_3 \in \mathcal{S}_{2\ell}$, which we denote by $\mathcal{T}_{\phi_1,\phi_2,\phi_3}$. That is, we have the equivalence:

$$\mathbf{w}''_{15} \in \mathsf{CorMix} \iff \mathcal{T}_{\phi_1,\phi_2,\phi_3}(\mathbf{w}''_{15}) \in \mathsf{CorMix}. \qquad (10)$$

- As we have changed the dimensions of the witness-vectors, we also have to transform the public matrices accordingly to preserve the equations.

In short, this can be done through right-multiplying by the decomposition matrices (if needed), and then inserting zero-columns at suitable positions. We denote the transformed public matrices by $\{\mathbf{M}''_{i,j}\}_{(i,j) \in [10] \times [15]}$.

At the end of the second step, we are presented with the following system of equations, which is equivalent to (9).

$$\begin{cases} \mathbf{v}_1 = \mathbf{M}''_{1,1} \cdot \mathbf{w}''_1 + \mathbf{M}''_{1,2} \cdot \mathbf{w}''_2 + \ldots + \mathbf{M}''_{1,15} \cdot \mathbf{w}''_{15} \bmod q, \\ \mathbf{v}_2 = \mathbf{M}''_{2,1} \cdot \mathbf{w}''_1 + \mathbf{M}''_{2,2} \cdot \mathbf{w}''_2 + \ldots + \mathbf{M}''_{2,15} \cdot \mathbf{w}''_{15} \bmod q, \\ \quad \vdots \\ \mathbf{v}_{10} = \mathbf{M}''_{10,1} \cdot \mathbf{w}''_1 + \mathbf{M}''_{10,2} \cdot \mathbf{w}''_2 + \ldots + \mathbf{M}''_{10,15} \cdot \mathbf{w}''_{15} \bmod q. \end{cases} \qquad (11)$$
The third step involves only basic linear algebra. Let

$$\mathbf{M} = \begin{pmatrix} \mathbf{M}''_{1,1} & \mathbf{M}''_{1,2} & \cdots & \mathbf{M}''_{1,15} \\ \mathbf{M}''_{2,1} & \mathbf{M}''_{2,2} & \cdots & \mathbf{M}''_{2,15} \\ \vdots & \vdots & \ddots & \vdots \\ \mathbf{M}''_{10,1} & \mathbf{M}''_{10,2} & \cdots & \mathbf{M}''_{10,15} \end{pmatrix}; \qquad \mathbf{x} = \begin{pmatrix} \mathbf{w}''_1 \\ \vdots \\ \mathbf{w}''_{15} \end{pmatrix}; \qquad \mathbf{v} = \begin{pmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \\ \vdots \\ \mathbf{v}_{10} \end{pmatrix},$$

then we obtain the unified equation $\mathbf{M} \cdot \mathbf{x} = \mathbf{v} \bmod q$.

Given the above preparations, we now come to the final step where we formally present our protocol. Let $D$ be the dimension of vector $\mathbf{x}$. Denote by $\mathsf{VALID}$ the set of all vectors in $\{-1, 0, 1\}^D$ that have the form $\mathbf{z} = (\mathbf{z}_1^T \| \ldots \| \mathbf{z}_{15}^T)^T$, where:

1. $\mathbf{z}_1 = \mathrm{encode}_{nmk}(\mathbf{y}_1)$, $\mathbf{z}_2 = \mathrm{encode}_{nk}(\mathbf{y}_2)$ and $\mathbf{z}_3 = \mathrm{expand}^{\otimes}(\mathbf{y}_1, \mathbf{y}_2)$, for some $\mathbf{y}_1 \in \{0,1\}^{nmk}$ and $\mathbf{y}_2 \in \{0,1\}^{nk}$.

2. For $i \in [4, 7]$, vector $\mathbf{z}_i \in \mathsf{B}_{2m_i}$. For $i \in [8, 14]$, vector $\mathbf{z}_i \in \mathsf{B}_{3m_i \delta_{\beta_i}}$.

3. Vector $\mathbf{z}_{15} \in \mathsf{CorMix}$.

It can be seen that our vector $\mathbf{x}$ is an element of this tailored set $\mathsf{VALID}$. By construction, the task of proving knowledge of vectors $\mathbf{w}_1, \ldots, \mathbf{w}_{15}$ that have the required constraints, and that satisfy system (9), has boiled down to proving the possession of vector $\mathbf{x} \in \mathsf{VALID}$ such that $\mathbf{M} \cdot \mathbf{x} = \mathbf{v} \bmod q$. We will fulfill this task with a Stern-like zero-knowledge protocol, in which we hide $\mathbf{x}$ from the verifier’s view by a random permutation and a random masking vector.

Let us determine the type of permutations to be applied for $\mathbf{x}$. Let

$$\mathcal{S} = \{0,1\}^{nmk} \times \{0,1\}^{nk} \times \mathcal{S}_{2m_4} \times \ldots \times \mathcal{S}_{2m_7} \times \mathcal{S}_{3m_8 \delta_{\beta_8}} \times \ldots \times \mathcal{S}_{3m_{14} \delta_{\beta_{14}}} \times \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{2\ell}.$$

We associate each element $\pi = (\mathbf{b}_1, \mathbf{b}_2, \phi_4, \ldots, \phi_{14}, \phi^{(1)}_{15}, \phi^{(2)}_{15}, \phi^{(3)}_{15}) \in \mathcal{S}$ with the permutation $\Gamma_\pi$ that transforms vector $\mathbf{z} = (\mathbf{z}_1^T \| \ldots \| \mathbf{z}_{15}^T)^T \in \mathbb{Z}^D$, where the length of block $\mathbf{z}_i$ equals that of $\mathbf{w}''_i$ for all $i \in [15]$, into vector

$$\Gamma_\pi(\mathbf{z}) = \big( F^{(nmk)}_{\mathbf{b}_1}(\mathbf{z}_1) \| F^{(nk)}_{\mathbf{b}_2}(\mathbf{z}_2) \| P_{\mathbf{b}_1,\mathbf{b}_2}(\mathbf{z}_3) \| \phi_4(\mathbf{z}_4) \| \ldots \| \phi_{14}(\mathbf{z}_{14}) \| \mathcal{T}_{\phi^{(1)}_{15}, \phi^{(2)}_{15}, \phi^{(3)}_{15}}(\mathbf{z}_{15}) \big).$$

It is implied by the equivalences given in (3), (4), (5) and (10) that the following holds for all $\pi \in \mathcal{S}$:

$$\mathbf{x} \in \mathsf{VALID} \iff \Gamma_\pi(\mathbf{x}) \in \mathsf{VALID}.$$

Additionally, if $\mathbf{x} \in \mathsf{VALID}$ and $\pi$ is uniformly random in $\mathcal{S}$, then $\Gamma_\pi(\mathbf{x})$ is uniformly random in $\mathsf{VALID}$. In the framework of Stern’s protocol, these facts allow us to prove in zero-knowledge the knowledge of $\mathbf{x} \in \mathsf{VALID}$.

Furthermore, proving that equation $\mathbf{M} \cdot \mathbf{x} = \mathbf{v} \bmod q$ holds can be done by sampling a uniformly random masking vector $\mathbf{r}_x \in \mathbb{Z}_q^D$ and demonstrating to the verifier that $\mathbf{M} \cdot (\mathbf{x} + \mathbf{r}_x) - \mathbf{v} = \mathbf{M} \cdot \mathbf{r}_x \bmod q$.
The interaction between prover P and verifier V is described in Fig. 1. Prior to
the interaction, both parties obtain matrix M and vector v from the public input,
while P constructs the witness vector x from his secret input, as described above.
The protocol employs the statistically hiding and computationally binding string
commitment scheme COM from [31].

The properties of the given protocol are summarized in Theorem 1. The
proof of the theorem employs standard simulation and extraction techniques for
Stern-like protocols [31,40,41], and is detailed in the full version of the paper.

Theorem 1. The protocol in Fig. 1 is a statistical ZKAoK with perfect completeness, soundness error 2/3, and communication cost O(D log q). Namely:

- There exists a polynomial-time simulator that, on input (M, v), outputs an
accepted transcript which is statistically close to that produced by the real
prover.

- There exists a polynomial-time knowledge extractor that, on input a commitment CMT and 3 valid responses (RSP_1, RSP_2, RSP_3) to all 3 possible values
of the challenge Ch, outputs x' ∈ VALID such that M · x' = v mod q.

Note that, given the vector x' output by the extractor, one can efficiently compute 15 vectors satisfying the conditions described at the beginning of this subsection, simply by "backtracking" the transformations conducted by our first 3
steps. In the group encryption scheme presented next, the constructed ZKAoK
will be invoked by algorithm (P, V), while its simulator and extractor will come
in handy in the proofs of the security theorems, which are given in the full version
of the paper.


1. Commitment: Prover samples r_x ← U(Z_q^D), π ← U(S) and randomness ρ_1, ρ_2, ρ_3
for COM. Then he sends CMT = (C_1, C_2, C_3) to the verifier, where

C_1 = COM(π, M · r_x; ρ_1), C_2 = COM(Γ_π(r_x); ρ_2), C_3 = COM(Γ_π(x + r_x); ρ_3).

2. Challenge: The verifier sends a challenge Ch ← U({1, 2, 3}) to the prover.

3. Response: Depending on Ch, the prover sends RSP computed as follows:

- Ch = 1: Let t_x = Γ_π(x), t_r = Γ_π(r_x), and RSP = (t_x, t_r, ρ_2, ρ_3).

- Ch = 2: Let π_2 = π, y_2 = x + r_x, and RSP = (π_2, y_2, ρ_1, ρ_3).

- Ch = 3: Let π_3 = π, y_3 = r_x, and RSP = (π_3, y_3, ρ_1, ρ_2).

Verification: Receiving RSP, the verifier proceeds as follows:

- Ch = 1: Check that t_x ∈ VALID and C_2 = COM(t_r; ρ_2), C_3 = COM(t_x + t_r; ρ_3).

- Ch = 2: Check that C_1 = COM(π_2, M · y_2 − v; ρ_1), C_3 = COM(Γ_{π_2}(y_2); ρ_3).

- Ch = 3: Check that C_1 = COM(π_3, M · y_3; ρ_1), C_2 = COM(Γ_{π_3}(y_3); ρ_2).

In each case, the verifier outputs 1 if and only if all the conditions hold.

Fig. 1. Our zero-knowledge argument of knowledge.
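The three-move structure of Fig. 1, as an added example in Python (not the paper's code): the set VALID is replaced by the simple stand-in of binary vectors of fixed Hamming weight (a permutation-invariant set in the spirit of the sets B^2_m of Sect. 4), the permutation family S by coordinate permutations, and COM of [31] by a SHA-256 commitment; the modulus and dimensions are toy assumptions. The block runs all three challenges for an honest prover, applies the extractor of Theorem 1 to the responses for Ch = 2 and Ch = 3, and shows that a witness outside VALID is caught only by Ch = 1, which is where the soundness error 2/3 of a single run comes from.

```python
# Added example (not the paper's code): a toy Stern-like 3-move ZKAoK in the
# shape of Fig. 1 for the relation M·x = v mod q, with x in a *simplified*
# VALID set (binary vectors of length D with Hamming weight WEIGHT).  The
# paper's structured VALID, its permutation family S and the commitment COM
# of [31] are replaced by stand-ins; all parameters are toy assumptions.
import hashlib
import os
import random

Q = 257          # toy modulus
WEIGHT = 4       # Hamming weight of a VALID vector
D = 2 * WEIGHT   # dimension of x
N_ROWS = 3       # rows of M


def is_valid(z):
    """Stand-in for VALID: z in {0,1}^D with exactly WEIGHT ones."""
    return len(z) == D and all(c in (0, 1) for c in z) and z.count(1) == WEIGHT


def permute(pi, z):
    """Gamma_pi: reorder coordinates; preserves VALID and, for uniformly
    random pi, maps a VALID x to a uniformly random element of VALID."""
    return [z[pi[i]] for i in range(D)]


def matvec(M, x):
    return [sum(M[i][j] * x[j] for j in range(D)) % Q for i in range(N_ROWS)]


def vadd(a, b):
    return [(u + w) % Q for u, w in zip(a, b)]


def vsub(a, b):
    return [(u - w) % Q for u, w in zip(a, b)]


def com(*parts, rho):
    """Hash-based string commitment COM(parts; rho), standing in for [31]."""
    return hashlib.sha256(repr(parts).encode() + rho).hexdigest()


def commit(M, x):
    """Step 1 of Fig. 1: sample masking r_x, permutation pi, randomness rho."""
    r_x = [random.randrange(Q) for _ in range(D)]
    pi = list(range(D))
    random.shuffle(pi)
    rho = [os.urandom(16) for _ in range(3)]
    c1 = com(tuple(pi), tuple(matvec(M, r_x)), rho=rho[0])
    c2 = com(tuple(permute(pi, r_x)), rho=rho[1])
    c3 = com(tuple(permute(pi, vadd(x, r_x))), rho=rho[2])
    return (c1, c2, c3), (x, r_x, pi, rho)


def respond(state, ch):
    """Step 3 of Fig. 1: open the two commitments selected by Ch."""
    x, r_x, pi, rho = state
    if ch == 1:
        return permute(pi, x), permute(pi, r_x), rho[1], rho[2]
    if ch == 2:
        return pi, vadd(x, r_x), rho[0], rho[2]
    return pi, r_x, rho[0], rho[1]


def verify(M, v, cmt, ch, rsp):
    """Verification of Fig. 1; True iff all checks for this Ch hold."""
    c1, c2, c3 = cmt
    if ch == 1:
        t_x, t_r, rho2, rho3 = rsp
        return (is_valid(t_x) and c2 == com(tuple(t_r), rho=rho2)
                and c3 == com(tuple(vadd(t_x, t_r)), rho=rho3))
    if ch == 2:
        pi, y2, rho1, rho3 = rsp
        return (c1 == com(tuple(pi), tuple(vsub(matvec(M, y2), v)), rho=rho1)
                and c3 == com(tuple(permute(pi, y2)), rho=rho3))
    pi, y3, rho1, rho2 = rsp
    return (c1 == com(tuple(pi), tuple(matvec(M, y3)), rho=rho1)
            and c2 == com(tuple(permute(pi, y3)), rho=rho2))


def extract(rsp2, rsp3):
    """Extractor of Theorem 1: valid responses to Ch=2 and Ch=3 on the same
    commitment give x' = y_2 - y_3 = (x + r_x) - r_x."""
    return vsub(rsp2[1], rsp3[1])


def demo(seed=1):
    """Completeness for all three challenges, extraction, and the verdicts on
    a witness outside VALID (only Ch=1 catches it: soundness error 2/3)."""
    random.seed(seed)
    M = [[random.randrange(Q) for _ in range(D)] for _ in range(N_ROWS)]
    x = [1] * WEIGHT + [0] * WEIGHT
    random.shuffle(x)
    v = matvec(M, x)
    cmt, st = commit(M, x)
    complete = all(verify(M, v, cmt, ch, respond(st, ch)) for ch in (1, 2, 3))
    x_prime = extract(respond(st, 2), respond(st, 3))
    extracted = is_valid(x_prime) and matvec(M, x_prime) == v
    bad = [1] * D                       # wrong weight: not in VALID
    cmt_bad, st_bad = commit(M, bad)
    accepted_bad = [verify(M, matvec(M, bad), cmt_bad, ch, respond(st_bad, ch))
                    for ch in (1, 2, 3)]
    return complete, extracted, accepted_bad
```

demo() returns the completeness result, whether the extracted vector is a valid witness, and the per-challenge verdicts for the bad witness; the scheme repeats the protocol κ = ω(log λ) times so that the 2/3 error of one run becomes negligible.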




5 Our Lattice-Based Group Encryption Scheme 

To build a GE scheme using our zero-knowledge argument system, we need to
choose a specific key-private CCA2-secure encryption scheme. The first idea is to
use the CCA2-secure public-key cryptosystem which is implied by the Agrawal-
Boneh-Boyen identity-based encryption (IBE) scheme [1] (which is recalled in
Appendix A.2) via the Canetti-Halevi-Katz (CHK) transformation [16]. The
ABB scheme is a natural choice since it has pseudo-random ciphertexts (which
implies key-privacy [7] when the CHK paradigm is applied) and provides
one of the most efficient CCA2 cryptosystems based on the hardness of LWE
in the standard model. One difficulty is that the Kiayias-Tsiounis-Yung model
[33] requires that certified public keys be valid public keys (i.e., ones which have a
matching secret key). When new group members join the system and request a
certificate for their public key B_U ∈ Z_q^{n×m̄}, a direct use of the ABB/CHK technique would require a proof of existence of a GPV trapdoor [23] corresponding
to B_U (i.e., a small-norm matrix T_{B_U} ∈ Z^{m̄×m̄} s.t. B_U · T_{B_U} = 0^n mod q). While
the techniques of Peikert and Vaikuntanathan [48] would provide a solution to
this problem (as they allow proving that T_{B_U} ∈ Z^{m̄×m̄} has full rank), we found
it simpler to rely on the trapdoor mechanism of Micciancio and Peikert [43].

If we assume public parameters containing a random matrix A ∈ Z_q^{n×m}, each
user's public key can consist of a matrix B_U = A · T_U ∈ Z_q^{n×m̄}, where T_U ∈ Z^{m×m̄}
is a small-norm matrix whose columns are sampled from a discrete Gaussian distribution. Note that, if A ∈ Z_q^{n×m} is uniformly distributed, then [23, Lemma
5.1] ensures that, with overwhelming probability, any matrix B_U ∈ Z_q^{n×m̄} has
an underlying small-norm matrix satisfying B_U = A · T_U mod q. This simplifies
the joining procedure by eliminating the need for proofs of public key validity.

In the encryption algorithm, the sender computes a dual Regev encryption [23] of the witness w ∈ {0,1}^m using a matrix [A | B_U + FRD(VK) · G] ∈
Z_q^{n×(m+m̄)}, where: (i) VK ∈ Z_q^n is the verification key of a one-time signature; (ii) FRD : Z_q^n → Z_q^{n×n} is the full-rank difference¹ function of [1]; (iii)
G = I_n ⊗ [1|2|…|2^{k−1}] ∈ Z_q^{n×m̄} is the gadget matrix of [43]. Given that G
has a publicly known trapdoor allowing to sample short vectors in Λ_q^⊥(G), the
user can use his private key T_U ∈ Z^{m×m̄} to decrypt by running the SampleRight
algorithm of Lemma 5.

Having encrypted the witness w ∈ {0,1}^m by running the ABB encryption
algorithm, the sender proceeds by encrypting a hash value of B_U ∈ Z_q^{n×m̄} under
the public key B_OA = A · T_OA ∈ Z_q^{n×m̄} of the opening authority. The latter
hash value is obtained as a bit-wise decomposition of F · mdec_{n,m̄,q}(B_U^T) ∈ Z_q^{2n},
where F ∈ Z_q^{2n×nm̄⌈log q⌉} is a random public matrix and mdec_{n,m̄,q}(B_U^T) ∈
{0,1}^{nm̄⌈log q⌉} denotes an entry-wise binary decomposition of the matrix B_U ∈
Z_q^{n×m̄}.

¹ This means that, for any two distinct one-time verification keys VK, VK' ∈ Z_q^n, the
difference FRD(VK) − FRD(VK') ∈ Z_q^{n×n} is invertible over Z_q.

By combining our new argument for quadratic relations and the extensions of
Stern's protocol suggested in [37,41], we are able to prove that some component
of the ciphertext is of the form c = B_U^T · s + e ∈ Z_q^{m̄}, for some s ∈ Z_q^n and a
small-norm e ∈ Z^{m̄}, while also arguing possession of a signature on the binary
decomposition mdec_{n,m̄,q}(B_U^T) ∈ {0,1}^{nm̄⌈log q⌉} of B_U^T. For this purpose, we use
a variant of the signature scheme of Böhl et al. [11] which was
recently proposed by Libert, Ling, Mouhartem, Nguyen and Wang [37] (and of
which a description is given in Appendix A.1). At the same time, the prover P
can also argue that a hash value of mdec_{n,m̄,q}(B_U^T) is properly encrypted under
the OA's public key using the ABB encryption scheme.
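What footnote 1 requires, and why the construction of [1] satisfies it, as an added Python example (not from the paper): FRD(VK) is taken, as in [1], to be the matrix of multiplication by the polynomial VK in Z_q[x]/(f) for an irreducible f, so that FRD(VK) − FRD(VK') = FRD(VK − VK') is the matrix of a non-zero field element; the block checks invertibility exhaustively for the toy choice q = 5, n = 3, f = x^3 + x + 1, which are assumptions. It also builds the gadget matrix G = I_n ⊗ [1|2|…|2^{k−1}] together with its simplest short preimage, the bit decomposition, which is the sense in which G has a publicly known trapdoor.

```python
# Added example (not the paper's code): the full-rank difference map FRD of
# [1] and the gadget matrix G of [43] at toy size.  FRD(vk) is the matrix of
# "multiply by the polynomial vk modulo f" over Z_q[x]/(f) with f irreducible,
# so FRD(vk) - FRD(vk') = FRD(vk - vk') is the matrix of a non-zero field
# element and hence invertible (footnote 1).  Q, N, F_POLY are assumptions.
from itertools import product

Q = 5                     # toy prime modulus
N = 3                     # vk in Z_q^N
F_POLY = [1, 1, 0, 1]     # f(x) = x^3 + x + 1 (low degree first); no root mod 5, so irreducible
K = 3                     # K = ceil(log2 Q)
GADGET_ROW = [1 << i for i in range(K)]   # [1 | 2 | ... | 2^(K-1)]


def polymul_mod(a, b):
    """Product of a and b in Z_q[x]/(f); coefficient lists of length N, low first."""
    prod = [0] * (2 * N - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % Q
    # reduce x^d for d >= N using x^N = -(f_0 + f_1 x + ... + f_{N-1} x^{N-1})
    for d in range(2 * N - 2, N - 1, -1):
        c, prod[d] = prod[d], 0
        for i in range(N):
            prod[d - N + i] = (prod[d - N + i] - c * F_POLY[i]) % Q
    return prod[:N]


def frd(vk):
    """FRD: Z_q^N -> Z_q^{N x N}; column i holds the coefficients of vk * x^i."""
    cols = [polymul_mod(list(vk), [int(j == i) for j in range(N)]) for i in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(N)]


def rank_mod_q(M):
    """Rank of a matrix over Z_q (q prime) by Gaussian elimination."""
    A = [row[:] for row in M]
    rank, rows, cols = 0, len(A), len(A[0])
    for c in range(cols):
        piv = next((r for r in range(rank, rows) if A[r][c] % Q), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][c], -1, Q)
        A[rank] = [(a * inv) % Q for a in A[rank]]
        for r in range(rows):
            if r != rank and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % Q for a, b in zip(A[r], A[rank])]
        rank += 1
    return rank


def full_rank_difference_holds():
    """Exhaustive check of footnote 1 over every pair of distinct keys in Z_q^N."""
    keys = list(product(range(Q), repeat=N))
    for vk in keys:
        for vk2 in keys:
            if vk == vk2:
                continue
            diff = [[(a - b) % Q for a, b in zip(r1, r2)]
                    for r1, r2 in zip(frd(vk), frd(vk2))]
            if rank_mod_q(diff) != N:
                return False
    return True


def gadget_matrix():
    """G = I_N (x) [1 | 2 | ... | 2^(K-1)] in Z_q^{N x NK}."""
    G = [[0] * (N * K) for _ in range(N)]
    for i in range(N):
        for j in range(K):
            G[i][i * K + j] = GADGET_ROW[j]
    return G


def gadget_preimage(v):
    """The public 'trapdoor' of G in its simplest form: the bit vector
    bits(v) in {0,1}^{NK} with G · bits(v) = v, a short preimage of v."""
    return [(coord >> j) & 1 for coord in v for j in range(K)]


def matvec(M, x):
    return [sum(a * b for a, b in zip(row, x)) % Q for row in M]
```

full_rank_difference_holds() walks all 5^3 · (5^3 − 1) ordered pairs, which is what the footnote asserts for every pair of distinct keys; for the real parameters the same argument is what makes the tag matrix B_U + FRD(VK) · G usable in the ABB scheme.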


5.1 Description of the Scheme

Our GE scheme allows encrypting witnesses for the Inhomogeneous SIS relation
R_ISIS(n, m, q, 1), which consists of pairs ((A_R, u_R), w) ∈ (Z_q^{n×m} × Z_q^n) × {0,1}^m
satisfying u_R = A_R · w mod q. This relation is in the same spirit as the one
of Kiayias, Tsiounis and Yung [33], who consider the verifiable encryption of
discrete logarithms. While the construction of [33] allows verifiably encrypting
discrete-logarithm-type secret keys under the public key of some anonymous
TTP, our construction makes it possible to encrypt GPV-type secret keys [23].

SETUP_init(1^λ): This algorithm performs the following:

1. Choose integers n = O(λ), prime q = Õ(n^4), and let k = ⌈log_2 q⌉, m̄ = nk
and m = 2m̄ = 2nk. Choose a B-bounded distribution χ over Z for some
B = √n · ω(log n).

2. Choose a Gaussian parameter σ = Ω(√(n log q) · log n). Let β = σ · ω(log n)
be the upper bound of samples from D_{Z,σ}.

3. Select integers ℓ = ℓ(λ), which determines the maximum expected group
size 2^ℓ, and κ = ω(log λ) (the number of protocol repetitions).

4. Select a strongly unforgeable one-time signature OTS = (Gen, Sig, Ver).
We assume that the verification keys live in Z_q^n.

5. Select public parameters COM_par for a statistically hiding commitment
scheme like [31]. This commitment will serve as a building block for the
zero-knowledge argument system used in (P, V).

6. Let FRD : Z_q^n → Z_q^{n×n} be the full-rank difference mapping from [1].

7. Pick a random matrix F ← U(Z_q^{2n×nm̄k}), which will be used to hash users'
public keys from Z_q^{n×m̄} to Z_q^{2n}.

8. Let G ∈ Z_q^{n×m̄} be the gadget matrix G = I_n ⊗ [1 2 … 2^{k−1}] of [43]. Pick
matrices A, U ← U(Z_q^{n×m}) and V ← U(Z_q^{n×m}). Looking ahead, U will
be used to encrypt for the receiver while V will be used to encrypt the
user's public key under the OA's public key. As for A, it will be used in
two instances of the ABB encryption scheme [1].

Output

param = {λ, n, q, k, m, B, χ, σ, β, ℓ, κ, OTS, COM_par, FRD, A, G, F, U, V}.
(G_r, sample_R): Algorithm G_r(1^λ, 1^n, 1^m) proceeds by sampling a random matrix
A_R ← U(Z_q^{n×m}) and outputting (pk_R, sk_R) = (A_R, ε). On input of a public
key pk_R = A_R ∈ Z_q^{n×m} for the relation R_ISIS, algorithm sample_R picks w ←
U({0,1}^m) and outputs a pair ((A_R, u_R), w), where u_R = A_R · w ∈ Z_q^n.

SETUP_GM(param): The GM generates (sk_GM, pk_GM) ← Keygen(1^λ, q, n, m, ℓ, σ) as
a key pair for the SIS-based signature scheme of [37] (as recalled in Appendix
A.1). This key pair consists of sk_GM := T_A and

pk_GM := (A, A_0, …, A_ℓ ∈ Z_q^{n×m}, D_0, D_1 ∈ Z_q^{n×m}, D ∈ Z_q^{n×m̄}, u ∈ Z_q^n). (12)

SETUP_OA(param): The OA samples a small-norm matrix T_OA ← D^{m×m̄}_{Z,σ} in Z^{m×m̄}
to obtain a statistically uniform B_OA = A · T_OA ∈ Z_q^{n×m̄}. The OA's key pair
consists of (sk_OA, pk_OA) = (T_OA, B_OA).

JOIN: The prospective user U and the GM interact in the following protocol.

1. U first samples T_U ← D^{m×m̄}_{Z,σ} in Z^{m×m̄} to compute a statistically uniform
matrix B_U = A · T_U ∈ Z_q^{n×m̄}. The prospective user defines his key pair as
(pk_U, sk_U) = (B_U, T_U) and sends pk_U = B_U to the GM.

2. Upon receiving a public key pk_U = B_U ∈ Z_q^{n×m̄} from the user, the GM certifies
pk_U via the following steps:

a. Compute h_U = F · mdec_{n,m̄,q}(B_U^T) ∈ Z_q^{2n} as a hash value of the public
key pk_U = B_U ∈ Z_q^{n×m̄}.

b. Use the trapdoor sk_GM = T_A to generate a signature

cert_U = (τ, d, r) ∈ {0,1}^ℓ × [−β, β]^{2m} × [−β, β]^m, (13)

satisfying

[A | A_0 + Σ_{j=1}^{ℓ} τ[j] · A_j] · d = u + D · vdec_{n,q−1}(D_0 · r + D_1 · vdec_{n,q−1}(h_U)) mod q, (14)

where τ = τ[1] … τ[ℓ] ∈ {0,1}^ℓ, as in the scheme of Appendix A.1.

U verifies that cert_U is a tuple of the form (13) satisfying (14) and returns ⊥ if
it is not the case. The GM stores (pk_U, cert_U) in the user database and
returns the certificate cert_U to the new user U.

ENC(pk_GM, pk_OA, pk_U, cert_U, w, L): To encrypt a witness w ∈ {0,1}^m such that
((A_R, u_R), w) ∈ R_ISIS(n, m, q, 1) (i.e., A_R · w = u_R mod q), parse pk_GM as in
(12), pk_OA as B_OA ∈ Z_q^{n×m̄}, pk_U as B_U ∈ Z_q^{n×m̄} and cert_U as in (13).

1. Generate a one-time key pair (SK, VK) ← Gen(1^λ), where VK ∈ Z_q^n.

2. Compute a full-rank-difference hash H_VK = FRD(VK) ∈ Z_q^{n×n} of the
one-time verification key VK ∈ Z_q^n.

3. Encrypt the witness w ∈ {0,1}^m under U's public key B_U ∈ Z_q^{n×m̄} using
the tag VK by taking the following steps:

a. Sample s_rec ← U(Z_q^n), R_rec ← D^{m×m̄}_{Z,σ} and x_rec, y_rec ← χ^m. Compute
z_rec = R_rec^T · y_rec ∈ Z^{m̄}.

b. Compute

c^(1)_rec = A^T · s_rec + y_rec mod q,
c^(2)_rec = (B_U + H_VK · G)^T · s_rec + z_rec mod q,        (15)
c^(3)_rec = U^T · s_rec + x_rec + w · ⌊q/2⌋,

and let c_rec = (c^(1)_rec, c^(2)_rec, c^(3)_rec) ∈ Z_q^m × Z_q^{m̄} × Z_q^m, which forms an ABB
ciphertext [1] for the tag VK ∈ Z_q^n.

4. Encrypt the decomposition vdec_{n,q−1}(h_U) ∈ {0,1}^m of the hashed pk_U
under the OA's public key B_OA ∈ Z_q^{n×m̄} w.r.t. the tag VK ∈ Z_q^n. Namely,
conduct the following steps:

a. Sample s_oa ← U(Z_q^n), R_oa ← D^{m×m̄}_{Z,σ}, x_oa ← χ^m, y_oa ← χ^m. Set
z_oa = R_oa^T · y_oa ∈ Z^{m̄}.

b. Compute

c^(1)_oa = A^T · s_oa + y_oa mod q,
c^(2)_oa = (B_OA + H_VK · G)^T · s_oa + z_oa mod q,        (16)
c^(3)_oa = V^T · s_oa + x_oa + vdec_{n,q−1}(h_U) · ⌊q/2⌋,

and let c_oa = (c^(1)_oa, c^(2)_oa, c^(3)_oa) ∈ Z_q^m × Z_q^{m̄} × Z_q^m.

5. Compute a one-time signature Σ = Sig(SK, (c_rec, c_oa, L)).

Output the ciphertext

Ψ = (VK, c_rec, c_oa, Σ) (17)

and the state information coins_Ψ = (s_rec, R_rec, x_rec, y_rec, s_oa, R_oa, x_oa, y_oa).


DEC(sk_U, Ψ, L): The decryption algorithm proceeds as follows:

1. If Ver(VK, Σ, (c_rec, c_oa, L)) = 0, return ⊥. Otherwise, parse the secret key
sk_U as T_U ∈ Z^{m×m̄} and the ciphertext Ψ as in (17). Define the matrix
B_VK = B_U + FRD(VK) · G ∈ Z_q^{n×m̄}.

2. Decrypt c_rec using a decryption key for the tag VK ∈ Z_q^n. Namely,

a. Define B_{U,VK} = [A | B_VK] = [A | A · T_U + FRD(VK) · G] ∈ Z_q^{n×(m+m̄)}.
Using T_U and the publicly known trapdoor T_G of G, compute a
small-norm matrix E_VK ∈ Z^{(m+m̄)×m} such that B_{U,VK} · E_VK = U mod
q by running the SampleRight algorithm of Lemma 5.

b. Compute

w = ⌊ (c^(3)_rec − E_VK^T · (c^(1)_rec ‖ c^(2)_rec)) / ⌊q/2⌋ ⌉ ∈ Z^m

and return the obtained w ∈ {0,1}^m.
OPEN(sk_OA, Ψ, L): The opening algorithm proceeds as follows:

1. If Ver(VK, Σ, (c_rec, c_oa, L)) = 0, then return ⊥. Otherwise, parse sk_OA as
T_OA ∈ Z^{m×m̄} and the ciphertext Ψ as in (17).

2. Decrypt c_oa using a decryption key for the tag VK ∈ Z_q^n in the same way
as in the decryption algorithm. That is, do the following:

a. Define the matrix B_{OA,VK} = [A | B_OA + FRD(VK) · G] ∈ Z_q^{n×(m+m̄)}.
Use T_OA to compute a small-norm E_{OA,VK} ∈ Z^{(m+m̄)×m} satisfying
B_{OA,VK} · E_{OA,VK} = V mod q.

b. Compute

h = ⌊ (c^(3)_oa − E_{OA,VK}^T · (c^(1)_oa ‖ c^(2)_oa)) / ⌊q/2⌋ ⌉ ∈ {0,1}^m

and h_U = H_{2n,q−1} · h ∈ Z_q^{2n}.

3. Look up the database to find a public key pk_U = B_U ∈ Z_q^{n×m̄} that hashes
to h_U ∈ Z_q^{2n} (i.e., such that h_U = F · mdec_{n,m̄,q}(B_U^T)). If more than one
such key exists, return ⊥. If only one key pk_U = B_U ∈ Z_q^{n×m̄} satisfies
h_U = F · mdec_{n,m̄,q}(B_U^T), return that key pk_U. In any other situation,
return ⊥.

(P, V): The common input consists of param and pk_GM as specified above, as
well as (A_R, u_R) ∈ Z_q^{n×m} × Z_q^n, pk_OA = B_OA ∈ Z_q^{n×m̄}, and a ciphertext Ψ
as in (17). Both parties compute B_{OA,VK} = [A | B_OA + FRD(VK) · G] as
specified above. The prover's secret input consists of a witness w ∈ {0,1}^m,
pk_U = B_U, cert_U = (τ, d, r) ∈ {0,1}^ℓ × Z^{2m} × Z^m, and the random coins
coins_Ψ = (s_rec, R_rec, x_rec, y_rec, s_oa, R_oa, x_oa, y_oa) used to generate Ψ.

The prover's goal is to convince the verifier in zero-knowledge that his secret
input satisfies the following:

1. A_R · w = u_R mod q.

2. h_U = F · mdec_{n,m̄,q}(B_U^T) mod q.

3. Conditions (13) and (14) hold.

4. Vectors x_rec, y_rec, x_oa, y_oa have infinity norms bounded by B, and vectors
z_rec, z_oa have infinity norms bounded by βmB.

5. Equations in (15) and (16) hold.

To this end, P conducts the following steps.

1. Decompose the matrix B_U ∈ Z_q^{n×m̄} into b_U = mdec_{n,m̄,q}(B_U^T) ∈ {0,1}^{nm̄k}
and the vectors s_rec, s_oa ∈ Z_q^n into s_{0,rec} = vdec_{n,q−1}(s_rec) ∈ {0,1}^{nk} and
s_{0,oa} = vdec_{n,q−1}(s_oa) ∈ {0,1}^{nk}. Combine the first two binary vectors into
z_U = expand⊗(b_U, s_{0,rec}) ∈ {0,1}^{4nm̄k^2}. Define

Q = H_{m̄,q−1} · [Q_0 | … | Q_0] ∈ Z_q^{m̄×4nm̄k^2}   (the block Q_0 repeated n times),

where Q_0 ∈ Z^{m̄k×4m̄k^2} is the matrix defined as in (7).
2. Generate a zero-knowledge argument of knowledge of

τ ∈ {0,1}^ℓ, d = [d_1^T | d_2^T]^T ∈ [−β, β]^{2m}, r ∈ [−β, β]^m,
t_U ∈ {0,1}^m, w_U ∈ {0,1}^{m̄},
b_U ∈ {0,1}^{nm̄k}, s_{0,rec} ∈ {0,1}^{nk}, z_U = expand⊗(b_U, s_{0,rec}),
x_rec, y_rec ∈ [−B, B]^m, z_rec ∈ [−βmB, βmB]^{m̄}, w ∈ {0,1}^m,
s_{0,oa} ∈ {0,1}^{nk}, x_oa, y_oa ∈ [−B, B]^m, z_oa ∈ [−βmB, βmB]^{m̄}

such that the following system of 10 equations holds:

u = [A | A_0 | A_1 | … | A_ℓ] · (d_1 ‖ d_2 ‖ τ[1] · d_2 ‖ … ‖ τ[ℓ] · d_2) + (−D) · w_U mod q,
0 = H_{n,q−1} · w_U + (−D_0) · r + (−D_1) · t_U mod q,
0 = H_{2n,q−1} · t_U + (−F) · b_U mod q,
c^(1)_rec = (A^T · H_{n,q−1}) · s_{0,rec} + I_m · y_rec mod q,
c^(2)_rec = Q · z_U + (G^T · H_VK^T · H_{n,q−1}) · s_{0,rec} + I_{m̄} · z_rec mod q,        (18)
c^(3)_rec = (U^T · H_{n,q−1}) · s_{0,rec} + I_m · x_rec + (⌊q/2⌋ · I_m) · w mod q,
u_R = A_R · w mod q,
c^(1)_oa = (A^T · H_{n,q−1}) · s_{0,oa} + I_m · y_oa mod q,
c^(2)_oa = [(B_OA + H_VK · G)^T · H_{n,q−1}] · s_{0,oa} + I_{m̄} · z_oa mod q,
c^(3)_oa = (V^T · H_{n,q−1}) · s_{0,oa} + I_m · x_oa + (⌊q/2⌋ · I_m) · t_U mod q.

Let w_1 = b_U, w_2 = s_{0,rec}, w_3 = z_U = expand⊗(b_U, s_{0,rec}), w_4 = w_U, w_5 = t_U,
w_6 = s_{0,oa}, w_7 = w, w_8 = x_rec, w_9 = y_rec, w_10 = z_rec, w_11 = r, w_12 = x_oa,
w_13 = y_oa, w_14 = z_oa and

w_15 = (d_1^T ‖ d_2^T ‖ τ[1] · d_2^T ‖ … ‖ τ[ℓ] · d_2^T)^T.

Then system (18) can be rewritten as:

v_1 = M_{1,1} · w_1 + M_{1,2} · w_2 + … + M_{1,15} · w_15 mod q,
v_2 = M_{2,1} · w_1 + M_{2,2} · w_2 + … + M_{2,15} · w_15 mod q,
⋮
v_10 = M_{10,1} · w_1 + M_{10,2} · w_2 + … + M_{10,15} · w_15 mod q,

where {M_{i,j}}_{(i,j) ∈ [10]×[15]} and {v_i}_{i ∈ [10]} are public matrices and vectors (which are
possibly zero).

The argument system is obtained by invoking the protocol from Sect. 4.2. 
The protocol is repeated k times to make the soundness error negligibly small. 
5.2 Efficiency and Correctness

Efficiency. It can be seen that the given group encryption scheme can be
implemented in polynomial time. We now evaluate the bit-sizes of keys and
ciphertexts, as well as the communication cost of the protocol (P, V).

- The public key of the GM, as in (12), has bit-size O(ℓ n^2 log^2 q) = Õ(ℓλ^2).

- The public keys of the OA and of each user both have bit-size nm̄⌈log_2 q⌉ = Õ(λ^2).

- The secret key of each party in the scheme is a trapdoor of bit-size Õ(λ^2).
The user's certificate cert_U has bit-size Õ(λ).

- The ciphertext Ψ consists of VK ∈ Z_q^n, two ABB ciphertexts of total size
2(2m + m̄)⌈log_2 q⌉ and a one-time signature Σ. Thus, its bit-size is Õ(λ) + |Σ|.

- The communication cost of the protocol (P, V) is largely dominated by the
bit-size of the witness z_U = expand⊗(b_U, s_{0,rec}) ∈ {0,1}^{4nm̄k^2}. The total cost
is κ · O(n^2 log^4 q) = Õ(λ^2) bits.


Correctness. The given group encryption scheme is correct with overwhelming
probability. We first remark that the scheme parameters are set up so that
the two instances of the ABB identity-based encryption [1] are correct. Indeed,
during the decryption procedure of DEC(sk_U, Ψ, L), we have:

c^(3)_rec − E_VK^T · (c^(1)_rec ‖ c^(2)_rec) = x_rec − E_VK^T · (y_rec ‖ z_rec) + w · ⌊q/2⌋.

Note that ‖x_rec‖_∞ and ‖y_rec‖_∞ are bounded by B, and ‖z_rec‖_∞ is bounded by
βmB = Õ(n^2). Furthermore, the entries of the discrete Gaussian matrix E_VK
are bounded by Õ(√n). Hence, the error term x_rec − E_VK^T · (y_rec ‖ z_rec) is bounded by
Õ(n^{3.5}), which is much smaller than q/4 = Õ(n^4). As a result, the decryption
algorithm returns w with overwhelming probability. The correctness of algorithm
OPEN(sk_OA, Ψ, L) also follows from a similar argument.

Finally, we note that if a certified group user honestly follows all the prescribed algorithms, then he should be able to compute valid witness vectors to
be used in the protocol (P, V), and he should be accepted by the verifier, thanks
to the perfect completeness of the argument system in Sect. 4.2.

Our scheme is proven secure under the SIS and LWE assumptions using classical reduction techniques. The detailed security proofs are given in the full version
of the paper.
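The decryption arithmetic of DEC (step 2b), the correctness argument above, and the ABB scheme recalled in Appendix A.2 are one and the same computation; the following added Python example (not the paper's code) runs it at toy size. The tag-dependent block B_U + FRD(VK) · G is replaced by a random matrix B_TAG, and the short decryption key E is sampled first, with U := [A | B_TAG] · E mod q, rather than obtained from T_U with SampleRight; both are assumptions that keep the relation B_{U,VK} · E_VK = U on which decryption relies. The one-time signature check of DEC and the scheme's dimensions m̄ = nk, m = 2m̄ are not modelled, and the error bound of Sect. 5.2 is recomputed for the toy parameters.

```python
# Added example (not the paper's code): ABB-style dual-Regev encryption and
# decryption as in equations (15) and (22), with the correctness check of
# Sect. 5.2, at toy dimensions.  Assumptions: B_TAG stands in for
# B_U + FRD(VK)·G; the short key E is sampled first and U := [A | B_TAG]·E
# (instead of SampleRight from a trapdoor); no one-time signature check.
import random

Q = 4093                # toy prime modulus
N, M, MBAR = 4, 8, 6    # toy dimensions (the scheme uses MBAR = N*ceil(log2 Q), M = 2*MBAR)
B_NOISE = 1             # chi = uniform on [-B_NOISE, B_NOISE]


def rand_matrix(rows, cols, lo, hi):
    return [[random.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]


def transpose(A):
    return [list(col) for col in zip(*A)]


def matvec(A, x, mod=None):
    out = [sum(a * b for a, b in zip(row, x)) for row in A]
    return [o % mod for o in out] if mod else out


def matmul(A, B, mod):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) % mod for col in Bt] for row in A]


def keygen():
    """Public (A, B_TAG, U) and the short key E with [A | B_TAG]·E = U mod q."""
    A = rand_matrix(N, M, 0, Q - 1)
    B_tag = rand_matrix(N, MBAR, 0, Q - 1)
    E = rand_matrix(M + MBAR, M, -1, 1)           # short: entries in {-1,0,1}
    AB = [ra + rb for ra, rb in zip(A, B_tag)]    # [A | B_TAG] in Z_q^{N x (M+MBAR)}
    U = matmul(AB, E, Q)
    return (A, B_tag, U), E


def encrypt(pk, w):
    """Equations (15)/(22): (c1, c2, c3) for a message w in {0,1}^M."""
    A, B_tag, U = pk
    s = [random.randrange(Q) for _ in range(N)]
    x = [random.randint(-B_NOISE, B_NOISE) for _ in range(M)]
    y = [random.randint(-B_NOISE, B_NOISE) for _ in range(M)]
    R = rand_matrix(M, MBAR, -1, 1)               # short matrix; z = R^T·y
    z = matvec(transpose(R), y)
    c1 = [(a + b) % Q for a, b in zip(matvec(transpose(A), s), y)]
    c2 = [(a + b) % Q for a, b in zip(matvec(transpose(B_tag), s), z)]
    c3 = [(a + b + wi * (Q // 2)) % Q
          for a, b, wi in zip(matvec(transpose(U), s), x, w)]
    return c1, c2, c3


def decrypt(E, ct):
    """DEC step 2b: w = round((c3 - E^T·(c1 || c2)) / floor(q/2)) per coordinate.
    Since [A|B_TAG]·E = U, the s-dependent terms cancel and only
    x - E^T·(y || z) + w·floor(q/2) remains."""
    c1, c2, c3 = ct
    d = [(a - b) % Q for a, b in zip(c3, matvec(transpose(E), c1 + c2))]
    centered = [v - Q if v > Q // 2 else v for v in d]   # lift to (-q/2, q/2]
    return [1 if abs(v) > Q // 4 else 0 for v in centered]


def error_bound():
    """Worst-case |x - E^T(y || z)|_inf for these parameters, next to q/4."""
    z_bound = M * B_NOISE                 # |z_j| <= M·|y|_inf since R has entries in {-1,0,1}
    return B_NOISE + M * B_NOISE + MBAR * z_bound, Q // 4


def demo(seed=7, trials=20):
    """Encrypt and decrypt random messages; True iff every one round-trips."""
    random.seed(seed)
    pk, E = keygen()
    for _ in range(trials):
        w = [random.randint(0, 1) for _ in range(M)]
        if decrypt(E, encrypt(pk, w)) != w:
            return False
    return True
```

error_bound() makes the Sect. 5.2 inequality concrete: with these toy values the error stays below 57 in absolute value while q/4 = 1023, so rounding never flips a bit; the paper's parameters are what achieve Õ(n^{3.5}) against q/4 = Õ(n^4).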
A Building Blocks

A.1 Signatures Supporting Zero-Knowledge Proofs

We use a signature scheme proposed by Libert, Ling, Mouhartem, Nguyen and
Wang [37] who extended the Böhl et al. signature [11] (which is itself built upon
Boyen's signature [13]) into a signature scheme compatible with zero-knowledge
proofs. While the scheme was designed to sign messages comprised of multiple
blocks, we only use the single-block version here.

Keygen(1^λ, q, n, m, ℓ, σ): This algorithm takes as input a security parameter λ >
0 as well as the following parameters: n = O(λ); a prime modulus q = Õ(n^4);
dimension m = 2n⌈log q⌉; an integer ℓ = poly(λ); and Gaussian parameter
σ = Ω(√(n log q) · log n). It defines the message space as {0,1}^m.

1. Run TrapGen(1^n, 1^m, q) to get A ∈ Z_q^{n×m} and a short basis T_A of Λ_q^⊥(A).
This basis allows computing short vectors in Λ_q^⊥(A) with a Gaussian
parameter σ. Next, choose ℓ + 1 random matrices A_0, A_1, …, A_ℓ ← U(Z_q^{n×m}).

2. Choose random matrices D ← U(Z_q^{n×m/2}), D_0, D_1 ← U(Z_q^{n×m}) as well
as a random vector u ← U(Z_q^n).

The private key consists of SK := T_A and the public key is

PK := (A, {A_j}_{j=0}^{ℓ}, D_0, D_1, D, u).

Sign(SK, m): To sign a message m ∈ {0,1}^m,

1. Choose a random binary string τ ← U({0,1}^ℓ). Then, using SK := T_A,
compute a short delegated basis T_τ ∈ Z^{2m×2m} for the matrix

A_τ = [A | A_0 + Σ_{j=1}^{ℓ} τ[j] · A_j] ∈ Z_q^{n×2m}. (20)

2. Choose a discrete Gaussian vector r ← D_{Z^m,σ}. Compute c_m ∈ Z_q^n as a
chameleon hash of m. Namely, compute c_m = D_0 · r + D_1 · m ∈ Z_q^n, which
is used to define u_m = u + D · vdec_{n,q−1}(c_m) ∈ Z_q^n. Using the delegated
basis T_τ ∈ Z^{2m×2m}, sample a short vector v ∈ Z^{2m} in D_{Λ_q^{u_m}(A_τ), σ}.

Output the signature sig = (τ, v, r) ∈ {0,1}^ℓ × Z^{2m} × Z^m.

Verify(PK, m, sig): Given PK, m ∈ {0,1}^m and sig = (τ, v, r) ∈ {0,1}^ℓ × Z^{2m} ×
Z^m, return 1 if ‖v‖ < σ√(2m), ‖r‖ < σ√m and

A_τ · v = u + D · vdec_{n,q−1}(D_0 · r + D_1 · m) mod q. (21)

Like [11,13], the scheme of [37] was proved secure under the SIS assumption
and shown to easily interact with Stern-like protocols when it comes to proving
knowledge of a hidden message-signature pair. While such proofs would also be
possible using Boyen's signature [13], the number of public matrices {A_j}_{j=0}^{ℓ} in
the public key can be reduced from O(n · log q) to O(λ) using the scheme of [37].
The above description uses a slightly different variant of [37] where, at step 2
of the signing algorithm, a different binary decomposition of c_m is used to compute u_m: while [37] uses the standard binary decomposition, we use a non-unique
encoding based on the vdec function for convenience. However, the security proof
of [37] goes through with this encoding since the function vdec_{n,q−1}(·) is injective.

Lemma 6 ([37, Theorem 1]). The above signature scheme is unforgeable
under chosen-message attacks if the SIS assumption holds.
A.2 The Agrawal-Boneh-Boyen IBE Scheme

Identity-Based Encryption. An IBE scheme is a tuple of efficient algorithms
(Setup, Extract_PP, Encrypt_PP, Decrypt_PP) such that

Setup(1^λ): On security parameter λ, this algorithm outputs public parameters
PP and a master secret key msk.

Extract_PP(msk, ID): Takes as input a master secret key msk and an identity ID
and outputs a secret key sk_ID.

Encrypt_PP(ID, M): Given an identity ID and a message M, it outputs a ciphertext
C.

Decrypt_PP(sk_ID, C): Given a secret key sk_ID and a ciphertext C, outputs either
a decryption error symbol ⊥, or a message M.

Correctness requires that, for any pair (PP, msk) ← Setup(1^λ), any ID and any
message M, we have Decrypt_PP(Extract_PP(msk, ID), Encrypt_PP(ID, M)) = M.

Our proofs rely on the semantic security of the scheme against selective adversaries (IND-sID-CPA) but also on the stronger property of ciphertext pseudo-randomness. Informally, this notion demands that the adversary be unable to
distinguish an encryption of a message of its choice from a random element of
the ciphertext space C. Notice that this property implies IND-sID-CPA security.

Definition 4. An IBE scheme has pseudo-random ciphertexts if no PPT adversary A with access to the private key extraction oracle Extract_PP(msk, ·) has non-negligible advantage Adv^ROR(A) = |Pr[Expt^ROR = 1] − 1/2| in this game:

Experiment Expt^ROR(λ)
  ID* ← A(λ); (PP, msk) ← Setup(1^λ);
  M ← A^{Extract_PP(msk, ·)}(PP);
  b ← U({0,1});
  if b = 1 then C* ← Encrypt_PP(M, ID*) else C* ← U(C);
  b' ← A^{Extract_PP(msk, ·)}(C*);
  if b = b' then return 1 else return 0;


The ABB System. Agrawal, Boneh and Boyen described [1] a compact IBE
scheme in the standard model which allows encrypting multi-bit messages.

Setup(1^λ): Given a security parameter λ, choose parameters q, n, σ, α and define
k = ⌈log q⌉, m̄ = nk, m = 2m̄ and choose a noise distribution χ for LWE.

1. Compute (A, T_A) ← TrapGen(1^n, 1^m, q).

2. Define G = I_n ⊗ [1|2|…|2^{k−1}] ∈ Z_q^{n×m̄}. Sample matrices B ← U(Z_q^{n×m̄}),
U ← U(Z_q^{n×m}).

3. Let FRD : Z_q^n → Z_q^{n×n} be the full-rank difference mapping from [1].
Output PP = (A, B, U) and msk = T_A.

Extract_PP(msk, ID): Given msk = T_A and an identity ID ∈ Z_q^n, do as follows:

1. Define the matrix B_ID = B + FRD(ID) · G ∈ Z_q^{n×m̄}.

2. Let B_{A,ID} = [A | B_ID] ∈ Z_q^{n×(m+m̄)}; use T_A to compute a delegated basis
T_ID for the lattice Λ_q^⊥(B_{A,ID}).

3. Use T_ID to sample a small-norm matrix E_ID ∈ Z^{(m+m̄)×m} satisfying the
equality B_{A,ID} · E_ID = U mod q.

4. Output sk_ID = E_ID ∈ Z^{(m+m̄)×m}.

Encrypt_PP(ID, m): Given an identity ID and a message m ∈ {0,1}^m,

1. Compute the matrix B_ID = B + FRD(ID) · G ∈ Z_q^{n×m̄}. Sample vectors
s ← U(Z_q^n), x, y ← χ^m, R ← D^{m×m̄}_{Z,σ} and compute z = R^T · y ∈ Z^{m̄}.

2. Compute

c^(1) = A^T · s + y mod q,
c^(2) = B_ID^T · s + z mod q,        (22)
c^(3) = U^T · s + x + m · ⌊q/2⌋.

3. Output c = (c^(1), c^(2), c^(3)) ∈ Z_q^m × Z_q^{m̄} × Z_q^m.

Decrypt_PP(sk_ID, c): Given sk_ID = E_ID and c = (c^(1), c^(2), c^(3)) ∈ Z_q^m × Z_q^{m̄} × Z_q^m,
compute and output

⌊ (c^(3) − E_ID^T · (c^(1) ‖ c^(2))) / ⌊q/2⌋ ⌉ ∈ {0,1}^m.

Theorem 2 ([1, Theorem 23]). The ABB IBE scheme has pseudo-random
ciphertexts if the LWE_{n,q,χ} assumption holds.
Abstract. This paper presents MQDSS, the first signature scheme with
a security reduction based on the problem of solving a multivariate system of quadratic equations (MQ problem). In order to construct this
scheme we give a new security reduction for the Fiat-Shamir transform
from a large class of 5-pass identification schemes and show that a previous attempt from the literature to obtain such a proof does not achieve
the desired goal. We give concrete parameters for MQDSS and provide a detailed security analysis showing that the resulting instantiation
MQDSS-31-64 achieves 128 bits of post-quantum security. Finally, we
describe an optimized implementation of MQDSS-31-64 for recent Intel
processors with full protection against timing attacks and report benchmarks of this implementation.
Already since 1997, when Shor published a polynomial-time quantum algorithm

This work was supported by the Netherlands Organization for Scientific Research
(NWO) under Veni 2013 project 13114 and by the European Commission through
the ICT Programme under contract ICT-645622 PQCRYPTO. Permanent ID of this
document: 36edf88b815b75e85fae8684c05ec336. Date: September 6, 2016.

(c) International Association for Cryptologic Research 2016

J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 135-165, 2016.
DOI: 10.1007/978-3-662-53890-6-5





all public-key cryptography in use today. More recently, various statements by
physicists and quantum engineers indicate that they may be able to build such
a large quantum computer within the next few decades. For example, IBM's
Mark Ketchen said in 2012 “I'm thinking like it's 15 [years] or a little more.
It's within reach. It's within our lifetime. It's going to happen.” In May this
year, IBM gave access to their 5-qubit quantum computer to researchers and
announced that they are expecting to scale up to 50-100 qubits within one
decade [36].

It is still a matter of debate when and even if we will see a large quantum
computer that can efficiently break, for example, RSA-4096 or 256-bit elliptic-
curve crypto. However, it becomes more and more clear that cryptography aiming at long-term security can no longer discard the possibility of attacks by
large quantum computers in the foreseeable future. Consequently, NSA recently
updated their Suite B to explicitly emphasize the importance of a migration to
post-quantum algorithms [41] and NIST announced a call for submissions to a
post-quantum competition [40]. Submissions to this competition will be accepted
for post-quantum public-key encryption, key exchange, and digital signature.
The results presented in this paper fall into the last of these three categories:
post-quantum digital signature schemes.

Most experts agree that the most conservative choice for post-quantum signatures are hash-based signatures with tight reductions in the standard model to
properties like second-preimage resistance of an underlying cryptographic hash
function. Unfortunately, the most efficient hash-based schemes are stateful, a
property that makes their use prohibitive in many scenarios [39]. A reasonably efficient stateless construction called SPHINCS was presented at Eurocrypt
2015 [6]; however, eliminating the state in this scheme comes at the cost of
decreased speed and increased signature size.

The second direction of research for post-quantum signatures are lattice-
based schemes. Various schemes have been proposed with different security
and performance properties. The best performance is achieved by BLISS [23]
(improved in [22]) whose security reduction relies on the hardness of R-SIS and
NTRU, and is non-tight. Furthermore, the performance is achieved at the cost of
being vulnerable against cache attacks as demonstrated in [33]. A more conservative approach is the signature scheme proposed by Bai and Galbraith in [3] with
improvements to performance and security in [1,2,17]. The security reduction to
LWE in [2] is tight; a variant using the (more efficient) ideal-lattice setting was
presented in [1]. However, these schemes either come with enormous key and signature sizes (e.g. sizes in [2] are in the order of megabytes), or sizes are reduced
at the cost of switching to assumptions on lattices with additional structure like
NTRU, Ring-SIS, or Ring-LWE.

The third large class of post-quantum signature algorithms is based on the
hardness of solving large systems of multivariate quadratic equations, the so-
called MQ problem. For random instances this problem is NP-complete [30].
However, all schemes in this class that have been proposed with actual parameters for practical use share two properties that often raise concerns about their
security: First, their security arguments are rather ad-hoc; there is no reduction
from the hardness of MQ. The reason for this is the second property, namely
that these systems require a hidden structure in the system of equations; this
implies that their security inherently also relies on the hardness of the so-called
isomorphism-of-polynomials (IP) problem [42] (or, more precisely, the Extended
IP problem [19] or the similar IP with partial knowledge [51] problem). Time
has shown that IP in many of the proposed schemes actually relies on the MinRank problem [16,28], and unfortunately, more often than not, on an easy instance
of this problem. Therefore, many proposed schemes have been broken not by
targeting MQ, but by targeting IP (and thus exploiting the structure in the
system of equations). Examples of broken schemes include Oil-and-Vinegar [43]
(broken in [38]), SFLASH [14] (broken in [21]), MQQ-Sig [31] (broken in [27]),
(Enhanced) TTS [57,58] (broken in [52]), and Enhanced STS [53] (broken in
[52]). There are essentially only two proposals from the “MQ + IP” class of
schemes that are still standing: HFEv- variants [44,45] and Unbalanced Oil-
and-Vinegar (UOV) variants [20,37]. The literature does not, to the best of our
knowledge, describe any instantiation of those schemes with parameters that
achieve a conservative post-quantum security level.

Contributions of this paper. Obviously what one would want in the realm
of MQ-based signatures is a scheme that has a tight reduction to MQ in the
quantum-random-oracle model (QROM) or even better in the standard model,
and has small key and signature sizes and fast signing and verification
algorithms when instantiated with parameters that offer 128 bits of post-quantum
security. In this paper we make a major step towards such a scheme. Specifically,
we present a signature system with a reduction from MQ, a set of parameters
that achieves 128 bits of post-quantum security according to our careful
post-quantum security analysis, and an optimized implementation of this scheme.

This does not mean that our proposal is going quite all the way to the
desired scheme sketched above: our reduction is non-tight and in the ROM.
Furthermore, at the 128-bit post-quantum security level, the signature size is
40 952 bytes, which is comparable to SPHINCS [6], but larger than what
lattice-based schemes or MQ + IP schemes achieve. However, the scheme excels in
key sizes: it needs only 72 bytes for public keys and 64 bytes for private keys.

The basic idea of our construction is to apply a Fiat-Shamir transform to the
MQ-based 5-pass identification scheme (IDS) that was presented by Sakumoto,
Shirai, and Hiwatari at Crypto 2011 [48]. In principle, this idea is not new; it
already appeared in a 2012 paper by El Yousfi Alaoui, Dagdelen, Veron, Galindo,
and Cayrel [24]. In their paper they use the 5-pass IDS from [48] as one example
of a scheme with a property they call “n-soundness”. According to their proof
in the ROM, this property of an IDS guarantees that it can be used in a
Fiat-Shamir transform to obtain an existentially unforgeable signature scheme.
They give such a transform using the IDS from [48, Sect. 4.2].

One might think that choosing suitable parameters for precisely this transform
(and implementing the scheme with those parameters) produces the results we
are advertising in this paper. However, we show that not only is the construction
from [24, Sect. 4.2] insecure (because it ignores the requirement of an exponentially
large challenge space), but also that the proof based on the n-soundness property
does not apply to a corrected Fiat-Shamir transform of the 5-pass IDS from [48].
The reason is that the n-soundness property does not hold for this IDS. More than
that, we show that any (2n + 1)-pass scheme for which the n-soundness property
holds can trivially be transformed into a 3-pass scheme. This observation
essentially renders the results of [24] vacuous, because the declared contribution
of that paper is to present “the first transformation which gives generic security
statements for SS derived from (2n + 1)-pass IS”.

To solve these issues, we present a new proof in the ROM for Fiat-Shamir
transforms of a large class of 5-pass IDS, including the 5-pass scheme from [48].
This proof is of independent interest; it applies also, for example, to the IDS
from [11,49] and (with minor modifications) to [46]. Equipped with this result, we
fix the signature scheme from [24] and instantiate the scheme with parameters for
the 128-bit post-quantum security level. We call this signature scheme MQDSS
and the concrete instantiation with the proposed parameters MQDSS-31-64. Our
optimized implementation of MQDSS-31-64 for Intel Haswell processors takes
8 510 616 cycles for signing and 5 752 612 cycles for verification; key generation
takes 1 826 612 cycles. These cycle counts include full protection against timing
attacks.

Organization of this paper. We start with some preliminaries in Sect. 2. In
Sect. 3, we recall the 5-pass IDS as introduced in [48]. We present our
theoretical results in Sect. 4. We discuss the problems with the result from [24]
in Subsect. 4.1, and resolve them by providing a new proof in Subsect. 4.3. We
present a description of the transformed 5-pass signature scheme and give a
security reduction for it in Sect. 5. In Sect. 6 we finally present a concrete
instantiation and implementation thereof.

Availability of the software. We place all software described in this paper 
into the public domain to maximize reusability of our results. The software is 
available online at https://joostrijneveld.nl/papers/mqdss. 

2 Preliminaries 

In the following we provide basic definitions used throughout this work. 

Digital signatures. The main target of this work are digital signature schemes.
These are defined as follows.

Definition 2.1 (Digital signature scheme). A digital signature scheme Dss
is a triplet of polynomial time algorithms Dss = (KGen, Sign, Vf) defined as:

- The key generation algorithm KGen is a probabilistic algorithm that on input
1^k, where k is a security parameter, outputs a key pair (sk, pk).

- The signing algorithm Sign is a possibly probabilistic algorithm that on input
a secret key sk and a message M outputs a signature σ.


From 5-Pass MQ-Based Identification to MQ-Based Signatures

- The verification algorithm Vf is a deterministic algorithm that on input a
public key pk, a message M and a signature σ outputs a bit b, where b = 1
indicates that the signature is accepted and b = 0 indicates a reject.

For correctness of a Dss, we require that for all k ∈ ℕ, (sk, pk) ← KGen(1^k), all
messages M and all signatures σ ← Sign(sk, M), we get Vf(pk, M, σ) = 1, i.e.,
that correctly generated signatures are accepted.

Existential Unforgeability under Adaptive Chosen Message Attacks.

The standard security notion for digital signature schemes is existential
unforgeability under adaptive chosen message attacks (EU-CMA) [32] which is
defined using the following experiment. By Dss(1^k) we denote a signature scheme
with security parameter k.

Experiment $\mathrm{Exp}^{\mathrm{eu\text{-}cma}}_{\mathrm{Dss}(1^k)}(\mathcal{A})$
  $(\mathrm{sk}, \mathrm{pk}) \leftarrow \mathrm{KGen}(1^k)$,
  $(M^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{Sign}(\mathrm{sk},\cdot)}(\mathrm{pk})$, with $\{M_i\}$ the queries of $\mathcal{A}$ to Sign,
  Return 1 iff $\mathrm{Vf}(\mathrm{pk}, M^*, \sigma^*) = 1$ and $M^* \notin \{M_i\}$.

For the success probability of an adversary A in the above experiment we
write

$\mathrm{Succ}^{\mathrm{eu\text{-}cma}}_{\mathrm{Dss}(1^k)}(\mathcal{A}).$

A signature scheme is called EU-CMA-secure if any PPT adversary has only
negligible success probability:

Definition 2.2 (EU-CMA). Let k ∈ ℕ, Dss a digital signature scheme as
defined above. We call Dss EU-CMA-secure if for all Q_s, t = poly(k) the
maximum success probability InSec^{eu-cma}(Dss(1^k); t, Q_s) of all possibly
probabilistic classical adversaries A running in time ≤ t, making at most Q_s
queries to Sign in the above experiment, is negligible in k:

$\mathrm{InSec}^{\mathrm{eu\text{-}cma}}(\mathrm{Dss}(1^k); t, Q_s) \overset{\mathrm{def}}{=} \max_{\mathcal{A}}\left\{\mathrm{Succ}^{\mathrm{eu\text{-}cma}}_{\mathrm{Dss}(1^k)}(\mathcal{A})\right\} = \mathrm{negl}(k).$


Identification Schemes. An identification scheme (IDS) is a protocol that
allows a prover P to convince a verifier V of its identity. More formally this is
covered by the following definition.

Definition 2.3 (Identification scheme). An identification scheme consists of
three probabilistic, polynomial-time algorithms IDS = (KGen, P, V) such that:

- the key generation algorithm KGen is a probabilistic algorithm that on input
1^k, where k is a security parameter, outputs a key pair (sk, pk).

- P and V are interactive algorithms, executing a common protocol. The prover
P takes as input a secret key sk and the verifier V takes as input a public key
pk. At the conclusion of the protocol, V outputs a bit b with b = 1 indicating
“accept” and b = 0 indicating “reject”.

For correctness of the scheme we require that for all k ∈ ℕ and all (pk, sk) ←
KGen(1^k) we have Pr[⟨P(sk), V(pk)⟩ = 1] = 1, where ⟨P(sk), V(pk)⟩ refers to the
common execution of the protocol between P with input sk and V on input pk.

In this work we are only concerned with passively secure identification schemes.
We define security in terms of two properties: soundness and honest-verifier
zero-knowledge.

Definition 2.4 (Soundness (with soundness error κ)). Let k ∈ ℕ, IDS =
(KGen, P, V) an identification scheme. We say that IDS is sound with soundness
error κ if for every PPT adversary A,

$\Pr\left[(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KGen}(1^k),\ \langle \mathcal{A}(1^k, \mathrm{pk}), \mathcal{V}(\mathrm{pk})\rangle = 1\right] \le \kappa + \mathrm{negl}(k).$

Of course, the goal is to obtain an IDS with negligible soundness error. This can
be achieved by running r rounds of the protocol for an r that fulfills κ^r = negl(k).

For the following definition we need the notion of a transcript. A transcript of
an execution of an identification scheme IDS refers to all the messages exchanged
between P and V and is denoted by trans(⟨P(sk), V(pk)⟩).

Definition 2.5 ((statistical) Honest-verifier zero-knowledge). Let k ∈ ℕ,
IDS = (KGen, P, V) an identification scheme. We say that IDS is statistical
honest-verifier zero-knowledge if there exists a probabilistic polynomial time
algorithm S, called the simulator, such that the statistical distance between the
following two distribution ensembles is negligible in k:

$\{(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KGen}(1^k) : (\mathrm{sk}, \mathrm{pk}, \mathrm{trans}(\langle \mathcal{P}(\mathrm{sk}), \mathcal{V}(\mathrm{pk})\rangle))\}$
$\{(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KGen}(1^k) : (\mathrm{sk}, \mathrm{pk}, \mathcal{S}(\mathrm{pk}))\}.$


3 Sakumoto et al. 5-Pass IDS Scheme

In [48], Sakumoto et al. proposed two new identification schemes, a 3-pass and a
5-pass IDS, based on the intractability of the MQ problem. They showed that
assuming existence of a non-interactive commitment scheme that is statistically
hiding and computationally binding, their schemes are statistical zero knowledge
and argument of knowledge, respectively. They further showed that the parallel
composition of their protocols is secure against impersonation under passive
attack. Let us quickly recall the basics of the construction.

Let x = (x_1, ..., x_n) and let MQ(n, m, F_q) denote the family of vectorial
functions F: F_q^n → F_q^m of degree 2 over F_q:

$\mathcal{MQ}(n, m, \mathbb{F}_q) = \left\{ F(\mathbf{x}) = (f_1(\mathbf{x}), \ldots, f_m(\mathbf{x})) \;\middle|\; f_s(\mathbf{x}) = \sum_{i,j} a^{(s)}_{i,j} x_i x_j + \sum_i b^{(s)}_i x_i,\ s \in \{1, \ldots, m\} \right\}.$

The function G(x, y) = F(x + y) − F(x) − F(y) is called the polar form of the
function F. The MQ problem MQ(F, v) is defined as follows:

Given v ∈ F_q^m find, if any, s ∈ F_q^n such that F(s) = v.

The decisional version of this problem is NP-complete [30]. It is widely believed
that the MQ problem is intractable, i.e., that given F ←_R MQ(n, m, F_q),
s ←_R F_q^n and v = F(s) there does not exist a PPT adversary A that outputs a
solution s' to the MQ(F, v) problem with non-negligible probability.

The novelty of the approach of Sakumoto et al. [48] is that unlike previous
public key schemes, their solution provably relies only on the MQ problem (and
the security of the commitment scheme), and not on other related problems in
multivariate cryptography such as the Isomorphism of Polynomials (IP) problem
[42], the related Extended IP [19] and IP with partial knowledge [51] problems or
the MinRank problem [16,28]. The key for this is the introduction of a technique
to split the secret using the polar form G(x, y) of a system of polynomials F(x).

In essence, with their technique, the secret s is split into s = r_0 + r_1, and the
public v = F(s) can be represented as v = F(r_0) + F(r_1) + G(r_0, r_1). In order
for the polar form not to depend on both shares of the secret, r_0 and F(r_0) are
further split as αr_0 = t_0 + t_1 and αF(r_0) = e_0 + e_1. Now, due to the linearity of
the polar form it holds that αv = (e_1 + αF(r_1) + G(t_1, r_1)) + (e_0 + G(t_0, r_1)), and
from only one of the two summands, represented by (r_1, t_1, e_1) and (r_1, t_0, e_0),
nothing can be learned about the secret s. The 5-pass IDS is given in Fig. 1
where (pk, sk) = (v, s) ← KGen(1^k).


P (input sk = s)                              V (input pk = v)
r_0, t_0 ←_R F_q^n, e_0 ←_R F_q^m
r_1 ← s − r_0
c_0 ← Com(r_0, t_0, e_0)
c_1 ← Com(r_1, G(t_0, r_1) + e_0)
                    ---- (c_0, c_1) ---->
                                              α ←_R F_q
                    <------- α ---------
t_1 ← αr_0 − t_0
e_1 ← αF(r_0) − e_0
resp_1 = (t_1, e_1)
                    ------ resp_1 ----->
                                              ch_2 ←_R {0, 1}
                    <------ ch_2 -------
If ch_2 = 0, resp_2 ← r_0
Else resp_2 ← r_1
                    ------ resp_2 ----->
                                              If ch_2 = 0, parse resp_2 = r_0, check
                                                c_0 = Com(r_0, αr_0 − t_1, αF(r_0) − e_1)
                                              Else parse resp_2 = r_1, check
                                                c_1 = Com(r_1, α(v − F(r_1)) − G(t_1, r_1) − e_1)

Fig. 1. Sakumoto et al. 5-pass IDS


Sakumoto et al. [48] proved that their 5-pass scheme is statistically zero
knowledge when the commitment scheme Com is statistically hiding which
implies (honest-verifier) zero knowledge. Here we prove the soundness property
of the scheme.¹

¹ Sakumoto et al. [48] also sketched a proof that their 5-pass protocol is argument of
knowledge when Com is computationally binding. Our security arguments rely on
the weaker notion of soundness, therefore we include an appropriate proof.

Theorem 3.1. The 5-pass identification scheme of Sakumoto et al. [48] is sound
with soundness error 1/2 + 1/(2q) when the commitment scheme Com is
computationally binding.


Proof. One can show that there exists an adversary C that can cheat with
probability 1/2 + 1/(2q) (see the full version [13]). What we want to show now is
that there cannot exist a cheater that wins with significantly higher success
probability as long as the MQ problem is hard and the used commitment is
computationally binding.

Towards a contradiction, suppose there exists a malicious PPT cheater C
such that it holds that

$\varepsilon := \Pr\left[\langle \mathcal{C}(1^k, \mathbf{v}), \mathcal{V}(\mathbf{v})\rangle = 1\right] - \left(\tfrac{1}{2} + \tfrac{1}{2q}\right) = \tfrac{1}{P(k)}$

for some polynomial function P(k). We show that this implies that there exists a
PPT adversary A with access to C that can either break the binding property of
Com or can solve the MQ problem MQ(F, v).

A can achieve this if she can obtain four accepting transcripts from C with the
same internal random tape, equation system F, and public key v, such that for
two different α there are two transcripts for each α with different ch_2. This is
done by rewinding C and feeding it with all possible combinations of α ∈ [0, q − 1]
and ch_2 ∈ {0, 1}. That way we obtain 2q different transcripts. Now, per
assumption C produces an accepting transcript with probability
(q + 1)/(2q) + ε. Hence, with non-negligible probability ε we get at least q + 2
accepting transcripts. A simple counting argument gives that there has to be a
set of four transcripts fulfilling the above conditions: if at most one value of α
had both its ch_2 = 0 and its ch_2 = 1 transcript accepted, at most (q − 1) + 2 =
q + 1 of the 2q transcripts could be accepting. Let these transcripts be

$\left((c_0, c_1),\ \alpha^{(i)},\ (\mathbf{t}_1^{(i)}, \mathbf{e}_1^{(i)}),\ \mathrm{ch}_2^{(i)},\ \mathrm{resp}_2^{(i)}\right),\quad i \in \{1, 2, 3, 4\},$

where $\alpha^{(1)} = \alpha^{(2)} \ne \alpha^{(3)} = \alpha^{(4)}$, $\mathbf{t}_1^{(1)} = \mathbf{t}_1^{(2)}$, $\mathbf{e}_1^{(1)} = \mathbf{e}_1^{(2)}$, $\mathbf{t}_1^{(3)} = \mathbf{t}_1^{(4)}$, $\mathbf{e}_1^{(3)} = \mathbf{e}_1^{(4)}$, $\mathrm{ch}_2^{(1)} = \mathrm{ch}_2^{(3)} = 0$, $\mathrm{ch}_2^{(2)} = \mathrm{ch}_2^{(4)} = 1$, $\mathrm{resp}_2^{(1)} = \mathbf{r}_0^{(1)}$, $\mathrm{resp}_2^{(2)} = \mathbf{r}_1^{(2)}$, $\mathrm{resp}_2^{(3)} = \mathbf{r}_0^{(3)}$, $\mathrm{resp}_2^{(4)} = \mathbf{r}_1^{(4)}$. Since the commitment (c_0, c_1) is the same in all four transcripts, we have

$\mathrm{Com}\left(\mathbf{r}_0^{(1)},\ \alpha^{(1)}\mathbf{r}_0^{(1)} - \mathbf{t}_1^{(1)},\ \alpha^{(1)}F(\mathbf{r}_0^{(1)}) - \mathbf{e}_1^{(1)}\right) = \mathrm{Com}\left(\mathbf{r}_0^{(3)},\ \alpha^{(3)}\mathbf{r}_0^{(3)} - \mathbf{t}_1^{(3)},\ \alpha^{(3)}F(\mathbf{r}_0^{(3)}) - \mathbf{e}_1^{(3)}\right), \quad (1)$

$\mathrm{Com}\left(\mathbf{r}_1^{(2)},\ \alpha^{(2)}(\mathbf{v} - F(\mathbf{r}_1^{(2)})) - G(\mathbf{t}_1^{(2)}, \mathbf{r}_1^{(2)}) - \mathbf{e}_1^{(2)}\right) = \mathrm{Com}\left(\mathbf{r}_1^{(4)},\ \alpha^{(4)}(\mathbf{v} - F(\mathbf{r}_1^{(4)})) - G(\mathbf{t}_1^{(4)}, \mathbf{r}_1^{(4)}) - \mathbf{e}_1^{(4)}\right). \quad (2)$

If any of the arguments of Com on the left-hand side is different from the one on
the right-hand side in (1) or in (2), then we get two different openings of Com,
which breaks its computationally binding property.

If they are the same in both (1) and (2), then $\mathbf{r}_0^{(1)} = \mathbf{r}_0^{(3)}$ and $\mathbf{r}_1^{(2)} = \mathbf{r}_1^{(4)}$, and from (1):

$(\alpha^{(1)} - \alpha^{(3)})\,\mathbf{r}_0^{(1)} = \mathbf{t}_1^{(1)} - \mathbf{t}_1^{(3)} \quad \text{and} \quad (\alpha^{(1)} - \alpha^{(3)})\,F(\mathbf{r}_0^{(1)}) = \mathbf{e}_1^{(1)} - \mathbf{e}_1^{(3)},$

and from (2), using $\alpha^{(2)} = \alpha^{(1)}$, $\alpha^{(4)} = \alpha^{(3)}$, $\mathbf{t}_1^{(2)} = \mathbf{t}_1^{(1)}$, $\mathbf{t}_1^{(4)} = \mathbf{t}_1^{(3)}$, $\mathbf{e}_1^{(2)} = \mathbf{e}_1^{(1)}$, $\mathbf{e}_1^{(4)} = \mathbf{e}_1^{(3)}$ and the linearity of G in its first argument:

$(\alpha^{(1)} - \alpha^{(3)})(\mathbf{v} - F(\mathbf{r}_1^{(2)})) = G(\mathbf{t}_1^{(1)} - \mathbf{t}_1^{(3)}, \mathbf{r}_1^{(2)}) + \mathbf{e}_1^{(1)} - \mathbf{e}_1^{(3)}.$

Combining the two (G is bilinear, so $G((\alpha^{(1)} - \alpha^{(3)})\mathbf{r}_0^{(1)}, \mathbf{r}_1^{(2)}) = (\alpha^{(1)} - \alpha^{(3)})\,G(\mathbf{r}_0^{(1)}, \mathbf{r}_1^{(2)})$),

$(\alpha^{(1)} - \alpha^{(3)})(\mathbf{v} - F(\mathbf{r}_1^{(2)})) = (\alpha^{(1)} - \alpha^{(3)})\,G(\mathbf{r}_0^{(1)}, \mathbf{r}_1^{(2)}) + (\alpha^{(1)} - \alpha^{(3)})\,F(\mathbf{r}_0^{(1)}),$

and since $\alpha^{(1)} \ne \alpha^{(3)}$ we get $\mathbf{v} = F(\mathbf{r}_0^{(1)}) + G(\mathbf{r}_0^{(1)}, \mathbf{r}_1^{(2)}) + F(\mathbf{r}_1^{(2)}) = F(\mathbf{r}_0^{(1)} + \mathbf{r}_1^{(2)})$, i.e., $\mathbf{r}_0^{(1)} + \mathbf{r}_1^{(2)}$ is a solution to the given MQ problem. □
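The protocol of Fig. 1 and the extractor of Theorem 3.1, as an added example in Python (not the paper's software, which is a C implementation): an honest prover and verifier over F_31 with toy dimensions n = m = 6, one prover state rewound under four challenge pairs (α, ch_2), and the four-transcript extractor that recovers r_0 + r_1. Com is instantiated as SHA-256 over the encoded arguments, an assumption for illustration only, and the dimensions are not the MQDSS-31-64 parameters.

```python
# Added example, not the paper's code: Sakumoto et al. 5-pass MQ-IDS (Fig. 1)
# over F_31 with toy sizes, plus the four-transcript extractor of Theorem 3.1.
# Com is SHA-256 of the encoded arguments (an assumption for illustration).
import hashlib
import random

Q = 31  # field size, as in MQDSS-31-64 (dimensions below are toy values)

def vadd(x, y):
    return [(a + b) % Q for a, b in zip(x, y)]

def vsub(x, y):
    return [(a - b) % Q for a, b in zip(x, y)]

def smul(c, x):
    return [(c * a) % Q for a in x]

def gen_mq(n, m, rng):
    """Random F in MQ(n, m, F_q): m quadratic forms, each given as (A_s, b_s)."""
    return [([[rng.randrange(Q) for _ in range(n)] for _ in range(n)],
             [rng.randrange(Q) for _ in range(n)]) for _ in range(m)]

def mq_eval(F, x):
    """F(x): f_s(x) = sum_ij a_ij x_i x_j + sum_i b_i x_i (mod q) for each s."""
    n = len(x)
    return [(sum(A[i][j] * x[i] * x[j] for i in range(n) for j in range(n))
             + sum(b[i] * x[i] for i in range(n))) % Q for A, b in F]

def polar(F, x, y):
    """Polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear in x and y."""
    return vsub(vsub(mq_eval(F, vadd(x, y)), mq_eval(F, x)), mq_eval(F, y))

def com(*vecs):
    """Toy commitment (assumption): SHA-256 of the encoded arguments."""
    return hashlib.sha256(b"|".join(bytes(v) for v in vecs)).hexdigest()

def prover_commit(F, s, rng):
    """Pass 1: split s = r0 + r1, pick t0, e0 and send (c0, c1)."""
    n, m = len(F[0][1]), len(F)
    r0 = [rng.randrange(Q) for _ in range(n)]
    t0 = [rng.randrange(Q) for _ in range(n)]
    e0 = [rng.randrange(Q) for _ in range(m)]
    st = dict(r0=r0, r1=vsub(s, r0), t0=t0, e0=e0)
    return st, (com(r0, t0, e0), com(st["r1"], vadd(polar(F, t0, st["r1"]), e0)))

def prover_resp1(F, st, alpha):
    """Pass 3: resp1 = (t1, e1) = (alpha*r0 - t0, alpha*F(r0) - e0)."""
    return (vsub(smul(alpha, st["r0"]), st["t0"]),
            vsub(smul(alpha, mq_eval(F, st["r0"])), st["e0"]))

def prover_resp2(st, ch2):
    """Pass 5: reveal r0 if ch2 = 0, else r1."""
    return st["r0"] if ch2 == 0 else st["r1"]

def verify(F, v, c0, c1, alpha, resp1, ch2, resp2):
    """Verifier's final check of Fig. 1."""
    t1, e1 = resp1
    if ch2 == 0:
        r0 = resp2
        return c0 == com(r0, vsub(smul(alpha, r0), t1),
                         vsub(smul(alpha, mq_eval(F, r0)), e1))
    r1 = resp2
    return c1 == com(r1, vsub(vsub(smul(alpha, vsub(v, mq_eval(F, r1))),
                                  polar(F, t1, r1)), e1))

def run_round(F, st, cc, alpha, ch2):
    """Complete a run from a fixed prover state with chosen challenges; calling
    this four times on one state is the rewinding of the Theorem 3.1 proof."""
    return (cc, alpha, prover_resp1(F, st, alpha), ch2, prover_resp2(st, ch2))

def extract(F, v, tr):
    """Theorem 3.1 extractor: four accepting transcripts with equal (c0, c1),
    alpha(1) = alpha(2) != alpha(3) = alpha(4) and ch2 = 0, 1, 0, 1 give the
    MQ solution r0(1) + r1(2)."""
    a = [t[1] for t in tr]
    assert a[0] == a[1] != a[2] == a[3] and [t[3] for t in tr] == [0, 1, 0, 1]
    s = vadd(tr[0][4], tr[1][4])
    return s if mq_eval(F, s) == v else None

def demo(seed=1, n=6, m=6):
    rng = random.Random(seed)
    F = gen_mq(n, m, rng)
    s = [rng.randrange(Q) for _ in range(n)]  # sk
    v = mq_eval(F, s)                         # pk = F(s)
    st, cc = prover_commit(F, s, rng)         # one random tape, rewound 4 times
    tr = [run_round(F, st, cc, a, c) for a, c in [(3, 0), (3, 1), (7, 0), (7, 1)]]
    honest_ok = all(verify(F, v, *t[0], *t[1:]) for t in tr)
    # revealing the wrong share for ch2 = 0 must fail the c0 check
    wrong_share_rejected = not verify(F, v, *cc, 3, tr[0][2], 0, st["r1"])
    return dict(F=F, s=s, v=v, extracted=extract(F, v, tr),
                honest_ok=honest_ok, wrong_share_rejected=wrong_share_rejected)
```

`demo()` runs the four rewound transcripts through `verify` and then through `extract`; the extracted vector equals the secret s because all four transcripts come from one honest prover state, which is exactly the situation the binding argument of the proof reduces to.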
We will look into the inner workings of the IDS in more detail in Sect. 5,
where we also introduce the related 3-pass scheme.

4 Fiat-Shamir for 5-Pass Identification Schemes

For several intractability assumptions, the most efficient IDS are five pass, i.e.
IDS where a transcript consists of five messages. Here, efficiency refers to the size
of all communication of sufficient rounds to make the soundness error negligible.
This becomes especially relevant when one wants to turn an IDS into a signature
scheme as it is closely related to the signature size of the resulting scheme.

In [24], the authors present a Fiat-Shamir style transform for (2n + 1)-pass
IDS fulfilling a certain kind of canonical structure. To provide some intuition, a
five pass IDS is called canonical in the above sense if P starts with a commitment
com_1, V replies with a challenge ch_1, P sends a first response resp_1, V replies
with a second challenge ch_2 and finally P returns a second response resp_2. Based
on this transcript, V then accepts or rejects. The authors of [24] also present a
security reduction for signature schemes derived from such IDS using a security
property of the IDS which they call special n-soundness. Intuitively, this property
says that given two transcripts that agree on all messages but the last challenge
and possibly the last response, one can extract a valid secret key.

In this section we first show that any (2n + 1)-pass IDS that fulfills the
requirements of the security reduction in [24] can be converted into a 3-pass
IDS by letting P choose all but the last challenge uniformly at random himself.
The main reason this is possible is the special n-soundness. On the other hand,
we argue that existing 5-pass schemes in the literature do not fulfill special
n-soundness and prove it for the 5-pass MQ-IDS from [48]. Hence, they can
neither be turned into 3-pass schemes, nor does the security reduction from [24]
apply. Afterwards we give a security reduction for a less generic class of 5-pass
IDS which covers many 5-pass IDS, including [11,46,49]. In particular, it covers
the 5-pass MQ scheme from [48].

4.1 The El Yousfi et al. Proof

Before we can make any statement about IDS that fall into the case of [24] we
have to define the target of our analysis. A canonical (2n + 1)-pass IDS is an
IDS where the prover and the verifier exchange n challenges and replies. More
formally:

Definition 4.1 (Canonical (2n + 1)-pass identification schemes). Let k ∈ ℕ,
IDS = (KGen, P, V) a (2n + 1)-pass identification scheme with n challenge
spaces C_j, 0 < j ≤ n. We call IDS a canonical (2n + 1)-pass identification scheme
if the prover can be split into n + 1 subroutines P = (P_0, ..., P_n) and the verifier
into n + 1 subroutines V = (ChS_1, ..., ChS_n, Vf) such that

- P_0(sk) computes the initial commitment com sent as the first message.

- ChS_j, j ≤ n computes the j-th challenge message ch_j ←_R C_j, sampling a
random element from the j-th challenge space.

- P_i(sk, trans_{2i}), 0 < i ≤ n computes the i-th response of the prover given access
to the secret key and trans_{2i}, the transcript so far, containing the first 2i
messages.

- Vf(pk, trans), upon access to the public key and the whole transcript outputs
V's final decision.

The definition implies that a canonical (2n + 1)-pass IDS is public coin. The
public coin property just says that the challenges are sampled from the respective
challenge spaces using the uniform distribution.

El Yousfi et al. propose a generalized Fiat-Shamir transform that turns a
canonical (2n + 1)-pass IDS into a digital signature scheme. The algorithms of
the obtained signature scheme make use of the IDS algorithms as follows. The
key generation is just the IDS key generation. The signature algorithm simulates
an execution of the IDS, replacing challenge ch_j by the output of a hash
function (that maps into C_j) that takes as input the concatenation of the message
to be signed and all 2(j − 1) + 1 messages that have been exchanged so far. The
signature just contains the messages sent by P. The verification algorithm uses
the signature and the message to be signed to generate a full transcript,
recomputing the challenges using the hash function. Then the verification
algorithm runs Vf on the public key and the computed transcript and outputs its
result.

El Yousfi et al. give a reduction for the resulting signature scheme if the used
IDS is honest-verifier zero-knowledge and fulfills special n-soundness defined
below. The latter is a generalization of special soundness. Intuitively, special
n-soundness says that given two transcripts that agree up to the second-to-last
response but disagree on the last challenge, one can extract the secret key.

Definition 4.2 (Special n-soundness). A canonical (2n + 1)-pass IDS is said
to fulfill special n-soundness if there exists a PPT algorithm E, called the
extractor, that given two accepting transcripts trans = (com, ch_1, resp_1, ...,
resp_{n−1}, ch_n, resp_n) and trans' = (com, ch_1, resp_1, ..., resp_{n−1}, ch'_n, resp'_n)
with ch_n ≠ ch'_n as well as the corresponding public key pk, outputs a matching
secret key sk for pk with non-negligible success probability.

The common special soundness for canonical (3-pass) IDS is hence just special
1-soundness. Please note that El Yousfi et al. define special n-soundness for the
resulting signature scheme which in turn requires the used IDS to provide special
n-soundness. We decided to follow the more common approach, defining the
soundness properties for the IDS.

From (2n + 1) to three passes. We now show that every canonical (2n + 1)-pass
IDS that fulfills special n-soundness can be turned into a canonical 3-pass
IDS fulfilling special soundness.
Theorem 4.3. Let IDS = (KGen, P, V) be a canonical (2n + 1)-pass IDS that
fulfills special n-soundness. Then, the following 3-pass IDS IDS' = (KGen, P', V')
is canonical and fulfills special soundness.

IDS' is obtained from IDS by just moving ChS_j, 0 < j < n, (i.e. all but
the last challenge generation algorithm) from V to P: P' computes com' =
(com, ch_1, resp_1, ..., resp_{n−1}, ch_{n−1}) using P_0, ..., P_{n−1} and ChS_1, ..., ChS_{n−1}.
After P' sent com', V' replies with ch'_1 ← ChS_n(1^k). P' computes resp'_1 ←
P_n(sk, trans_{2n}) and V' verifies the transcript using Vf.

Proof. Clearly, IDS' is a canonical 3-pass IDS. It remains to prove that it is
honest-verifier zero-knowledge and that it fulfills special soundness. The latter
is straightforward as two transcripts for IDS', that fulfill the conditions in the
soundness definition, can be turned into two transcripts for IDS fulfilling the
conditions in the n-soundness definition, splitting com' = (com, ch_1, resp_1, ...,
resp_{n−1}, ch_{n−1}) into its parts. Consequently, we can use any extractor for IDS
as an extractor for IDS' running in the same time and having the exact same
success probability.

Showing honest-verifier zero-knowledge is similarly straightforward. A
simulator S' for IDS' can be obtained from any simulator S for IDS. S' just runs S
to obtain a transcript and regroups the messages to produce a valid transcript
for IDS'. Again, S' runs in essentially the same time as S and achieves the exact
same statistical distance. □

The Sakumoto et al. 5-pass IDS does not fulfill special n-soundness.

The above result raises the question whether this property was overlooked and
we can turn all the 5-pass schemes in the literature into 3-pass schemes. This
would have the benefit that we could use the classical Fiat-Shamir transform to
turn the resulting schemes into signature schemes.

Sadly, this is not the case. The reason is that the extractors for those IDS
need more than two transcripts. For example, the extractor for the 5-pass IDS
from [48] needs four transcripts such that they all agree on com. The transcripts
have to form two pairs such that in a pair the transcripts agree on ch_1 but not
on ch_2 and the two pairs disagree on ch_1. The proof given by El Yousfi et al. is
flawed. The authors miss that the two secret shares r_0 and r_1 obtained from two
different transcripts do not have to be shares of a valid secret key. We now give
a formal proof.

Theorem 4.4. The 5-pass identification scheme from [48] does not fulfill special
n-soundness if the computational MQ-problem is hard.

Proof. We prove this by showing that there exist pairs of transcripts, fulfilling
the special n-soundness criteria, that can be generated by an adversary without
knowledge of the secret key simulating just two executions of the protocol. As
a key pair for the MQ-IDS is a random instance of the MQ problem, special
n-soundness of the 5-pass MQ-IDS would imply that the MQ problem can be
solved in probabilistic polynomial time.
Towards a contradiction, assume there exists a PPT extractor E against the
5-pass MQ-IDS that fulfills Definition 4.2. We show how to build a PPT solver
A for the MQ problem. Given an instance of the MQ problem v, A sets pk = v
which is a valid public key for the MQ-IDS. Next, A computes two transcripts
as follows. A samples a random α ∈ F_q and random s, r_0, t_0 ∈ F_q^n, e_0 ∈ F_q^m,
and computes r_1 ← s − r_0, and t_1 ← αr_0 − t_0. Then A simulates two successful
protocol executions, one for ch_2 = 0, one for ch_2 = 1. To do so, A impersonates
V and replaces the first challenge with α and the second with 0 in the first run
and 1 in the second run. In addition, A uses the knowledge of α to compute the
commitments as:

$c_0 \leftarrow \mathrm{Com}(\mathbf{r}_0, \mathbf{t}_0, \mathbf{e}_0), \quad \text{and} \quad c_1 \leftarrow \mathrm{Com}\left(\mathbf{r}_1,\ \alpha(\mathbf{v} - F(\mathbf{r}_1)) - G(\mathbf{t}_1, \mathbf{r}_1) - \alpha F(\mathbf{r}_0) + \mathbf{e}_0\right).$

Then A computes e_1 ← αF(r_0) − e_0 and sets the prover's first response resp_1 in
both runs to (t_1, e_1). For ch_2 = 0, A sets resp_2 = r_0, and for ch_2 = 1, A sets
resp_2 = r_1.

Now, the first transcript (when ch_2 = 0) is valid, since t_0 = αr_0 − t_1 and
e_0 = αF(r_0) − e_1. The second transcript (when ch_2 = 1) is also valid as a
straightforward calculation shows. Finally, A feeds the transcripts to E and
outputs whatever E outputs. A has the same success probability as E and runs
in essentially the same time. As E is a PPT algorithm per assumption, this
contradicts the hardness of the computational MQ problem. □

Clearly, we can also use A to deal with a parallel execution of many rounds
of the scheme. A similar situation arises for all the 5-pass IDS schemes that we
found in the literature.


4.2 A Fiat-Shamir Transform for Most (2n + 1)-pass IDS

By now we have established that we are currently lacking security arguments
for signature schemes derived from (2n + 1)-pass IDS. We now show how to fix
this issue for most (2n + 1)-pass IDS in the literature. As most of these IDS
are 5-pass schemes that follow a certain structure, we restrict ourselves to these
cases. There are some generalizations that are straightforward and possible to
deal with, but they massively complicate accessibility of our statements.

We will consider a particular type of 5-pass identification protocols where
the sizes of the two challenge spaces are restricted to q and 2.

Definition 4.5 (q2-Identification scheme). Let k ∈ ℕ. A q2-Identification
scheme IDS(1^k) is a canonical 5-pass identification scheme where for the
challenge spaces C_1 and C_2 it holds that |C_1| = q and |C_2| = 2. Moreover, the
probability that the commitment com takes a given value is negligible (in k),
where the probability is taken over the random choice of the input and the used
randomness.

To keep the security reduction below somewhat generic, we also need a
property that defines when an extractor exists for a q2-IDS. As we have seen
special n-soundness is not applicable. Hence, we give a less generic definition.
Definition 4.6 (q2-Extractor). We say that a q2-Identification scheme
IDS(1^k) has a q2-extractor if there exists a PPT algorithm E, the extractor,
that given a public key pk and four transcripts trans^{(i)} = (com, ch_1^{(i)}, resp_1^{(i)},
ch_2^{(i)}, resp_2^{(i)}), i ∈ {1, 2, 3, 4}, with

$\mathrm{ch}_1^{(1)} = \mathrm{ch}_1^{(2)} \ne \mathrm{ch}_1^{(3)} = \mathrm{ch}_1^{(4)}, \qquad \mathrm{ch}_2^{(1)} = \mathrm{ch}_2^{(3)} \ne \mathrm{ch}_2^{(2)} = \mathrm{ch}_2^{(4)}, \quad (3)$

valid with respect to pk, outputs a matching secret key sk for pk with
non-negligible success probability (in k).

In what follows, let IDS^r = (KGen, P^r, V^r) be the parallel composition of
r rounds of the identification scheme IDS = (KGen, P, V). As the schemes we
are concerned with only achieve a constant soundness error, the construction
below uses a polynomial number of rounds to obtain an IDS with negligible
soundness error as intermediate step. We denote the transcript of the j-th round
by trans_j = (com_j, ch_{1,j}, resp_{1,j}, ch_{2,j}, resp_{2,j}).

Construction 4.7 (Fiat-Shamir transform for q2-IDS). Let k ∈ ℕ the
security parameter, IDS = (KGen, P, V) a q2-Identification scheme that achieves
soundness with soundness error κ. Select r, the number of (parallel) rounds
of IDS, such that κ^r = negl(k), and that the challenge spaces of the composition
IDS^r, C_1^r, C_2^r have exponential size in k. Moreover, select cryptographic hash
functions H_1: {0,1}* → C_1^r and H_2: {0,1}* → C_2^r. The q2-signature scheme
q2-Dss(1^k) derived from IDS is the triplet of algorithms (KGen, Sign, Vf) with:

- (sk, pk) ← KGen(1^k),

- σ = (σ_0, σ_1, σ_2) ← Sign(sk, m) where σ_0 = com ← P_0(sk), h_1 = H_1(m, σ_0),
σ_1 = resp_1 ← P_1(sk, σ_0, h_1), h_2 = H_2(m, σ_0, h_1, σ_1), and σ_2 = resp_2 ←
P_2(sk, σ_0, h_1, σ_1, h_2).

- Vf(pk, m, σ) parses σ = (σ_0, σ_1, σ_2), computes the values h_1 = H_1(m, σ_0),
h_2 = H_2(m, σ_0, h_1, σ_1) as above and outputs V^r(pk, σ_0, h_1, σ_1, h_2, σ_2).

Correctness of the scheme follows immediately from the correctness of IDS.


4.3 Security of q2-signature Schemes

We now give a security reduction for the above transform in the random oracle
model assuming that the underlying q2-IDS is honest-verifier zero-knowledge,
achieves soundness with constant soundness error, and has a q2-extractor. More
specifically, we prove the following theorem:

Theorem 4.8 (EU-CMA security of q2-signature schemes). Let k ∈ ℕ,
IDS(1^k) a q2-IDS that is honest-verifier zero-knowledge, achieves soundness
with constant soundness error κ and has a q2-extractor. Then q2-Dss(1^k), the
q2-signature scheme derived applying Construction 4.7 is existentially
unforgeable under adaptive chosen message attacks.
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In the following, we model the functions Hi and H 2 as independent random 
oracles 0\ and 0 2 . To proof Theorem 4.8, we proceed in several steps. Our proof 
builds on techniques introduced by Pointcheval and Stern [47]. As the reduction 
is far from being tight, we refrain from doing an exact proof as it does not 
buy us anything but a complicated statement. We first recall an important tool 
from [47] called the splitting lemma. 

Lemma 4.9 (Splitting lemma [47]). Let A C X x Y, such that 
Pr [A(x,y)\ ^ 6. Then, there exists Q C X, such that 

Ft[x G 12] ^ e/2, and Pr[A(a,y)\a G f2] ^ e/2. 


We now present a forking lemma for g2-signature schemes. The lemma shows 
that we can obtain four valid signatures which contain four valid transcripts of 
the underlying IDS, given a successful key-only adversary. Moreover, these four 
traces fulfill a certain requirement on the challenges (here the related parts of 
the hash function outputs) that we need later. 

Lemma 4.10 (Forking lemma for q2-signature schemes). Let $k \in \mathbb{N}$, $\mathsf{Dss}(1^k)$ a q2-signature scheme with security parameter $k$. If there exists a PPT adversary $\mathcal{A}$ that can output a valid signature message pair $(m, \sigma)$ with non-negligible success probability, given only the public key as input, then, with non-negligible probability, rewinding $\mathcal{A}$ a polynomial number of times (with same randomness) but different oracles, outputs 4 valid signature message pairs $(m, \sigma^{(i)} = (\sigma_0, \sigma_1^{(i)}, \sigma_2^{(i)}))$, $i \in \{1, 2, 3, 4\}$, such that for the associated hash values it holds that

$$h_{1,j}^{(1)} = h_{1,j}^{(2)} \neq h_{1,j}^{(3)} = h_{1,j}^{(4)}, \qquad h_{2,j}^{(1)} = h_{2,j}^{(3)} \neq h_{2,j}^{(2)} = h_{2,j}^{(4)}, \tag{4}$$

for some round $j \in \{1, \dots, r\}$.


Proof. To prove the Lemma we need to show that we can rewind A three times 
and the probability that A succeeds in forging a (different) signature in all four 
runs is non-negligible. Moreover, we have to show that the signatures have the 
additional property claimed in the Lemma, again with non-negligible probability. 

Let $\omega \in R_\omega$ be $\mathcal{A}$'s random tape with $R_\omega$ the set of allowable random tapes. During the attack $\mathcal{A}$ may ask polynomially many queries (in the security parameter $k$) $Q_1(k)$ and $Q_2(k)$ to the random oracles $\mathcal{O}_1$ and $\mathcal{O}_2$. Let $q_{1,1}, q_{1,2}, \dots, q_{1,Q_1}$ and $q_{2,1}, q_{2,2}, \dots, q_{2,Q_2}$ be the queries to $\mathcal{O}_1$ and $\mathcal{O}_2$, respectively. Moreover, let $(r_{1,1}, r_{1,2}, \dots, r_{1,Q_1}) \in (\mathcal{C}_1^r)^{Q_1}$ and $(r_{2,1}, r_{2,2}, \dots, r_{2,Q_2}) \in (\mathcal{C}_2^r)^{Q_2}$ be the corresponding answers of the oracles.

Towards proving the first point, we assume that $\mathcal{A}$ also outputs $h_1, h_2$ with the signature and a signature is considered invalid if those do not match the responses of $\mathcal{O}_1$ and $\mathcal{O}_2$, respectively. This assumption is without loss of generality as we can construct such $\mathcal{A}$ from any $\mathcal{A}'$ that does not output $h_1, h_2$. $\mathcal{A}$ just runs $\mathcal{A}'$ and given the result queries $\mathcal{O}_1$ and $\mathcal{O}_2$ for $h_1, h_2$ and outputs everything. Clearly $\mathcal{A}$ succeeds with the same success probability as $\mathcal{A}'$ and runs in essentially the same time, making just one more query to each RO.
Denote by $F$ the event that $\mathcal{A}$ outputs a valid message signature pair $(m, \sigma^{(1)} = (\sigma_0, \sigma_1^{(1)}, \sigma_2^{(1)}))$ with the associated hash values $h_1^{(1)}, h_2^{(1)}$. Per assumption, this event occurs with non-negligible probability, i.e., $\Pr[F] = 1/P(k)$, for some polynomial $P(k)$. In addition, $F$ implies $h_1^{(1)} = \mathcal{O}_1(m, \sigma_0)$ and $h_2^{(1)} = \mathcal{O}_2(m, \sigma_0, h_1^{(1)}, \sigma_1^{(1)})$. As $h_1^{(1)}, h_2^{(1)}$ are chosen uniformly at random from exponentially large sets $\mathcal{C}_1^r, \mathcal{C}_2^r$, the probability that $\mathcal{A}$ did not query $\mathcal{O}_1$ for $h_1^{(1)}$ and $\mathcal{O}_2$ for $h_2^{(1)}$ is negligible. Hence, there exists a polynomial $P'$ such that the event $F'$ that $F$ occurs and $\mathcal{A}$ queried $\mathcal{O}_1$ for $h_1^{(1)}$ and $\mathcal{O}_2$ for $h_2^{(1)}$ has probability

$$\Pr[F'] \geq \frac{1}{P'(k)}.$$


For the moment only consider the second oracle. As of the previous equation, there exists at least one $\beta \leq Q_2$ such that

$$\Pr[F' \wedge q_{2,\beta} = (m, \sigma_0, h_1^{(1)}, \sigma_1^{(1)})] \geq \frac{1}{Q_2(k) P'(k)},$$

where the probability is taken over the random coins of $\mathcal{A}$ and $\mathcal{O}_2$. Informally, the following steps just show that the success of an algorithm with non-negligible success probability cannot be conditioned on an event that occurs only with negligible probability (i.e. the outcome of the $q_{2,\beta}$ query landing in some negligible subset).

Let $B = \{(\omega, r_{2,1}, r_{2,2}, \dots, r_{2,Q_2}) \mid \omega \in R_\omega \wedge (r_{2,1}, r_{2,2}, \dots, r_{2,Q_2}) \in (\mathcal{C}_2^r)^{Q_2} \wedge F' \wedge q_{2,\beta} = (m, \sigma_0, h_1^{(1)}, \sigma_1^{(1)})\}$, i.e., the set of random tapes and oracle responses such that $F' \wedge q_{2,\beta} = (m, \sigma_0, h_1^{(1)}, \sigma_1^{(1)})$. This implies that there exists a non-negligible set of "good" random tapes $\Omega_\beta \subseteq R_\omega$ for which $\mathcal{A}$ can provide a valid signature and $q_{2,\beta}$ is the oracle query fixing $h_2^{(1)}$. Applying the splitting lemma, we get that

$$\Pr[\omega \in \Omega_\beta] \geq \frac{1}{2 Q_2(k) P'(k)} \quad \wedge \quad \Pr[(\omega, r_{2,1}, r_{2,2}, \dots, r_{2,Q_2}) \in B \mid \omega \in \Omega_\beta] \geq \frac{1}{2 Q_2(k) P'(k)}.$$

Applying the same reasoning again we can derive from the latter probability being non-negligible that there exists a non-negligible subset $\Omega_\beta^{*}$ of the "good" oracle responses $(r_{2,1}, r_{2,2}, \dots, r_{2,\beta-1})$ such that $(\omega, r_{2,1}, r_{2,2}, \dots, r_{2,Q_2}) \in B$. Applying the splitting lemma again, we get

$$\Pr[(\omega, r_{2,1}, \dots, r_{2,Q_2}) \in B \mid (r_{2,1}, \dots, r_{2,\beta-1}) \in \Omega_\beta^{*}] \geq \frac{1}{4 Q_2(k) P'(k)}.$$

This means that rewinding $\mathcal{A}$ to the point where it made query $q_{2,\beta}$ and running it with new, random $r'_{2,\beta}, \dots, r'_{2,Q_2}$ has a non-negligible probability of $\mathcal{A}$ outputting another valid signature. Therefore, we can use $\mathcal{A}$ to find two valid signature message pairs with associated hash values

$$(m, \sigma^{(1)} = (\sigma_0, \sigma_1^{(1)}, \sigma_2^{(1)}), h_1^{(1)}, h_2^{(1)}), \qquad (m, \sigma^{(2)} = (\sigma_0, \sigma_1^{(2)}, \sigma_2^{(2)}), h_1^{(2)}, h_2^{(2)})$$

with $h_2^{(1)} \neq h_2^{(2)}$ and such that $(\sigma_0, h_1^{(1)}, \sigma_1^{(1)}) = (\sigma_0, h_1^{(2)}, \sigma_1^{(2)})$, with non-negligible probability.

We now rewind the adversary again using exactly the same technique as above but now considering the queries to $\mathcal{O}_1$ and its responses. In the replay we change the responses of $\mathcal{O}_1$ to obtain a third signature that differs from the previously obtained ones in the first associated hash value. It can be shown that with non-negligible probability $\mathcal{A}$ will output a third signature on $m$, $\sigma^{(3)} = (\sigma_0, \sigma_1^{(3)}, \sigma_2^{(3)})$, with associated hash values $(h_1^{(3)}, h_2^{(3)})$ such that $h_1^{(3)} \neq h_1^{(1)} = h_1^{(2)}$.

Finally, we rewind the adversary a third time, keeping the responses of $\mathcal{O}_1$ from the last rewind and focusing on $\mathcal{O}_2$ again. Again, with non-negligible probability $\mathcal{A}$ will produce yet another signature on $m$, $\sigma^{(4)} = (\sigma_0, \sigma_1^{(4)}, \sigma_2^{(4)})$ with associated hash values $(h_1^{(4)}, h_2^{(4)})$ such that $h_1^{(4)} = h_1^{(3)}$ and $h_2^{(4)} \neq h_2^{(3)}$.

Summing up, rewinding the adversary three times, we can find four valid signatures $\sigma^{(i)}$ with the above property on the associated hash values with non-negligible success probability of at least $1/P(k)$ for some polynomial $P(k)$. Let us denote this event by $\mathcal{E}_\sigma$. So we have that $\Pr[\mathcal{E}_\sigma] \geq \frac{1}{P(k)}$.

What remains is to show that the obtained signatures satisfy the particular structure from the lemma (Eq. 4) with non-negligible probability.

Let $\mathcal{H}$ be the event that there exists a $j \in \{1, \dots, r\}$ such that (4) is satisfied. We have that

$$\Pr[\mathcal{E}_\sigma \wedge \mathcal{H}] = \Pr[\mathcal{E}_\sigma] - \Pr[\neg\mathcal{H} \wedge \mathcal{E}_\sigma] = \Pr[\mathcal{E}_\sigma] - \Pr[\neg\mathcal{H} \mid \mathcal{E}_\sigma]\Pr[\mathcal{E}_\sigma] \geq \frac{1 - \Pr[\neg\mathcal{H} \mid \mathcal{E}_\sigma]}{P(k)}.$$

We will now give a statistical argument why $\Pr[\neg\mathcal{H} \mid \mathcal{E}_\sigma]$ is negligible.

As argued above, the hash values associated with the signatures must be outcomes of the RO queries of $\mathcal{A}$. During its first run, $\mathcal{A}$ can choose the first hash value $h_1^{(1)}$ from its $Q_1$ queries to $\mathcal{O}_1$ and the second hash value $h_2^{(1)}$ from its $Q_2$ queries to $\mathcal{O}_2$. The total number of possible combinations is $Q_1 Q_2$. The hash values associated with the second signature are $h_1^{(1)}$ (as in $\mathcal{E}_\sigma$) and $h_2^{(2)}$. So, the first hash value is fixed and the second is chosen from a set of no more than $Q_2$ responses from $\mathcal{O}_2$. Following the same arguments, the hash pair associated with the third signature is chosen from a set of size $Q_1 Q_2$ and the one associated with the fourth signature from a set of size $Q_2$. The oracle outputs are uniformly distributed within $\mathcal{C}_1^r$ and $\mathcal{C}_2^r$, respectively. Hence, the set of all possible combinations of hash values that $\mathcal{A}$ could output has size

$$X(k) \leq Q_1 Q_2 \cdot Q_2 \cdot Q_1 Q_2 \cdot Q_2,$$

which is a polynomial in $k$ as $Q_1$ and $Q_2$ are.

Recall $\mathcal{C}_1$ has size $q$ and $\mathcal{C}_2$ size 2. The probability that the required pattern did not occur in the four-tuple of challenges derived from random hash values for one internal round $j$ is

$$\Pr[\neg\mathcal{H}_j] = 1 - \Pr[\mathcal{H}_j] = 1 - \frac{q-1}{4q} = \frac{3q+1}{4q}.$$

The last follows from the fact that out of all $2^4 q^2$ 4-tuples $((\alpha_1, \beta_1), (\alpha_1, \beta_2), (\alpha_2, \beta_3), (\alpha_2, \beta_4)) \in (\mathcal{C}_1 \times \mathcal{C}_2)^4$ exactly $2^2 q(q-1)$ satisfy $\alpha_1 \neq \alpha_2$, $\beta_1 \neq \beta_2$, $\beta_3 \neq \beta_4$. Hence, the probability that a random four-tuple of hash values does not have a single internal round that satisfies (4) and hence fulfills $\neg\mathcal{H}$ is

$$\Pr[\neg\mathcal{H}] = \left(\frac{3q+1}{4q}\right)^r = \mathrm{negl}(k).$$

According to Construction 4.7, the number of rounds $r$ must be super-logarithmic (in $k$), to fulfill $\mathcal{C}_2^r$ being exponentially large (in $k$). Hence, the above is negligible for random hash values.

Finally, we just have to combine the two results. The adversary can at most choose out of a polynomially bounded number of four-tuples of hash pairs. Each of these four-tuples has a negligible probability of fulfilling $\neg\mathcal{H}$. Hence, the probability that all the possible combinations of query responses even contain a four-tuple that does not fulfill $\mathcal{H}$ is negligible. So, $\Pr[\neg\mathcal{H} \mid \mathcal{E}_\sigma] = \mathrm{negl}(k)$, and hence, the conditions from the lemma are satisfied with non-negligible probability. □


With Lemma 4.10 we can already establish unforgeability under key-only attacks:

Corollary 4.11 (Key-only attack resistance). Let $k \in \mathbb{N}$, $\mathsf{IDS}(1^k)$ a q2-IDS that achieves soundness with constant soundness error $\kappa$ and has a q2-extractor. Then $\mathsf{q2\text{-}Dss}(1^k)$, the q2-signature scheme derived applying Construction 4.7, is unforgeable under key-only attacks.

A straightforward application of Lemma 4.10 allows to generate the four traces needed to apply the q2-extractor. The obtained secret key can then be used to violate soundness.

For EU-CMA security, we still have to deal with signature queries. The following lemma shows that a reduction can produce valid responses to the adversarial signature queries if the identification scheme is honest-verifier zero-knowledge.

Lemma 4.12. Let $k \in \mathbb{N}$ the security parameter, $\mathsf{IDS}(1^k)$ a q2-IDS that is honest-verifier zero-knowledge. Then any PPT adversary $\mathcal{B}$ against the EU-CMA security of $\mathsf{q2\text{-}Dss}(1^k)$, the q2-signature scheme derived by applying Construction 4.7, can be turned into a key-only adversary $\mathcal{A}$ with the properties described in Lemma 4.10. $\mathcal{A}$ runs in polynomial time and succeeds with essentially the same success probability as $\mathcal{B}$.

Proof. By construction. We show how to construct an oracle machine $\mathcal{A}^{\mathcal{B}, \mathcal{S}, \mathcal{O}_1, \mathcal{O}_2}$ that has access to $\mathcal{B}$, an honest-verifier zero-knowledge simulator $\mathcal{S}$, and random oracles $\mathcal{O}_1, \mathcal{O}_2$. $\mathcal{A}$ produces a valid signature for $\mathsf{q2\text{-}Dss}(1^k)$ given only a public key, running in time polynomial in $k$ and achieving essentially the same success probability (up to a negligible difference) as $\mathcal{B}$.
Upon input of public key $pk$, $\mathcal{A}$ runs $\mathcal{B}^{\mathcal{O}'_1, \mathcal{O}'_2, \mathsf{Sign}}(pk)$ simulating the random oracles (ROs) as well as the signing oracle $\mathsf{Sign}$ towards $\mathcal{B}$. When $\mathcal{B}$ outputs a forgery $(m^*, \sigma^*)$, $\mathcal{A}$ just forwards it.

To simulate the ROs, $\mathcal{A}$ keeps two initially empty tables of query-response pairs, one per oracle. Whenever $\mathcal{B}$ queries $\mathcal{O}'_b$, $\mathcal{A}$ first checks if the table for $\mathcal{O}'_b$ already contains a pair for this query. If such a pair exists, $\mathcal{A}$ just returns the stored response. Otherwise, $\mathcal{A}$ forwards the query to its own $\mathcal{O}_b$.

As $\mathsf{IDS}$ is honest-verifier zero-knowledge there exists a PPT simulator $\mathcal{S}$ that upon input of an IDS public key generates a valid transcript that is indistinguishable from the transcripts generated by honest protocol executions. Whenever $\mathcal{B}$ queries the signature oracle with message $m$, $\mathcal{A}$ runs $\mathcal{S}$ $r$ times, to obtain $r$ valid transcripts. $\mathcal{A}$ combines the transcripts to obtain a valid signature with associated hashes $\sigma = ((\sigma_0, \sigma_1, \sigma_2), h_1, h_2)$. Before outputting $\sigma$, $\mathcal{A}$ checks if the table for $\mathcal{O}'_1$ already contains an entry for query $(m, \sigma_0)$. If so, $\mathcal{A}$ aborts. Otherwise, $\mathcal{A}$ adds the pair $((m, \sigma_0), h_1)$. Then, $\mathcal{A}$ checks the second table for query $(m, \sigma_0, h_1, \sigma_1)$. Again, $\mathcal{A}$ aborts if it finds such an entry and adds $((m, \sigma_0, h_1, \sigma_1), h_2)$ otherwise.

The probability that $\mathcal{A}$ aborts is negligible in $k$. When answering signature queries, $\mathcal{A}$ verifies that certain queries were not made before. Both queries contain $\sigma_0$ which takes any given value only with negligible probability. On the other hand, the total number of queries that $\mathcal{B}$ makes to all its oracles is polynomially bounded. Hence, the probability that one of the two queries was already made before is negligible. If $\mathcal{A}$ does not abort, it perfectly simulates all oracles towards $\mathcal{B}$. Hence, $\mathcal{B}$ - and thereby $\mathcal{A}$ - succeeds with the same probability as in the real EU-CMA game in this case. Hence, $\mathcal{A}$ succeeds with essentially the same probability as $\mathcal{B}$. □

We now have everything we need to prove Theorem 4.8. The proof is a straightforward application of the previous two lemmas.

Proof (of Theorem 4.8). Towards a contradiction, assume that there exists a PPT adversary $\mathcal{B}$ against the EU-CMA security of $\mathsf{q2\text{-}Dss}$ succeeding with non-negligible probability. We show how to construct a PPT impersonator $\mathcal{C}$ breaking the soundness of $\mathsf{IDS}$. Applying Lemma 4.12, $\mathcal{C}$ can construct a PPT key-only forger $\mathcal{A}$, with essentially the same success probability as $\mathcal{B}$. Given a public key for $\mathsf{IDS}$ (which is a valid $\mathsf{q2\text{-}Dss}$ public key) $\mathcal{C}$ runs $\mathcal{A}$ as described in Lemma 4.10. That way $\mathcal{C}$ can use $\mathcal{A}$ to obtain four signatures that per (4) lead to four transcripts as required by the q2-extractor $\mathcal{E}$. Running $\mathcal{E}$, $\mathcal{C}$ can extract a valid secret key that allows to impersonate $\mathcal{V}$ with success probability 1.

$\mathcal{C}$ just runs $\mathcal{A}$ and $\mathcal{E}$, two PPT algorithms. Consequently, $\mathcal{C}$ runs in polynomial time. Also, $\mathcal{A}$ and $\mathcal{E}$ both have non-negligible success probability implying that also $\mathcal{C}$ succeeds with non-negligible probability. □

5 Our Proposal 

In the previous sections, we gave security arguments for a Fiat-Shamir transform of 5-pass IDS that contain two challenges, from $\{0, \dots, q-1\}$ and $\{0, 1\}$ respectively, where $q \in \mathbb{Z}^{*}$. In this section we apply the transform to the 5-pass IDS from [48] (see Sect. 3). Before discussing the 5-pass scheme, which we dub MQDSS, we first briefly examine the signature scheme obtained by applying the traditional Fiat-Shamir transform to the 3-pass IDS in [48], to obtain a baseline. Then we give a generic description of MQDSS and prove it secure.

The IDS requires an MQ system $F$ as input, potentially system-wide. We could simply select one function $F$ and define it as a system parameter for all users. Instead, we choose to derive it from a unique seed that is included in each public key. This increases the size of $pk$ by $k$ bits, and adds some cost for seed expansion when signing and verifying. However, selecting a single system-wide $F$ might allow an attacker to focus their efforts on a single $F$ for all users, and would require whoever selects this system parameter to convince all users of its randomness (which is not trivial [5]). For consistency with literature, we still occasionally refer to $F$ as the 'system parameter'.

Note that the signing procedure described below is slightly more involved 
than is suggested by Construction 4.7. Where the transformed construction oper- 
ates directly on the message m, we first apply what is effectively a randomized 
hash function. As discussed in [35], this extra step provides resilience against 
collisions in the hash function at only little extra cost. A similar construction 
appears e.g. in SPHINCS [6]. The digest (and thus the signature) is still derived 
from m and sk deterministically. 

5.1 Establishing a Baseline Using the 3-Pass Scheme over $\mathbb{F}_2$

In the interest of brevity, we will not go into the details of the derived signature 
scheme here - instead, we refer to the full version of the paper [13]. 

For the 3-pass scheme, we select $n = m = 256$ over $\mathbb{F}_2$. This results in signatures of 54.81 KB, and a key pair of 64 bytes per key. We ran benchmarks on a single 3.5 GHz core of an Intel Core i7-4770K CPU, measuring 118 088 992 cycles for signature generation, 8 066 324 cycles for key generation and 82 650 156 cycles for signature verification (or 33.7 ms, 2.30 ms and 23.6 ms, respectively).

5.2 The 5-Pass Scheme over $\mathbb{F}_{31}$

As can be seen from the results above, the plain 3-pass scheme over $\mathbb{F}_2$ is quite inefficient, both in terms of signature size and signing speed. This is a direct consequence of the large number of variables and equations required to achieve 128 bits of post-quantum security using MQ over $\mathbb{F}_2$, as well as the high number of rounds required (see the full version [13] of the paper for an analysis). Using a 5-pass scheme over $\mathbb{F}_{31}$ allows for a smaller $n$ and $m$, as well as a smaller number of rounds. One might wonder why we do not consider different fields for the 3-pass scenario, instead. This turns out to be suboptimal: contrary to the 5-pass scheme, this does not result in a knowledge error reduction, but does increase the transcript size per round.

The MQDSS signature scheme. We now explicitly construct the functions $\mathsf{KGen}$, $\mathsf{Sign}$ and $\mathsf{Vf}$ in accordance with Definition 2.1. Specific values for the parameters that achieve 128 bit post-quantum security are given in the next section. We start by presenting the parameters of the scheme in general.

Parameters. MQDSS is parameterized by a security parameter $k \in \mathbb{N}$, and $m, n \in \mathbb{N}$ such that the security level of the $\mathcal{MQ}$ instance $\mathcal{MQ}(n, m, \mathbb{F}_{31}) \geq k$. The latter fix the description length of the equation system $F$, $F_{len} = m \cdot \left(\frac{n(n+1)}{2} + n\right)$. In addition, the scheme uses

- cryptographic hash functions $\mathcal{H} : \{0,1\}^* \to \{0,1\}^k$, $H_1 : \{0,1\}^{2k} \to \mathbb{F}_{31}^r$, and $H_2 : \{0,1\}^{2k} \to \{0,1\}^r$,

- two string commitment functions $\mathsf{Com}_0 : \mathbb{F}_{31}^n \times \mathbb{F}_{31}^n \times \mathbb{F}_{31}^m \to \{0,1\}^k$ and $\mathsf{Com}_1 : \mathbb{F}_{31}^n \times \mathbb{F}_{31}^m \to \{0,1\}^k$,

- pseudo-random generators $G_{S_F} : \{0,1\}^k \to \mathbb{F}_{31}^{F_{len}}$, $G_{SK} : \{0,1\}^k \to \mathbb{F}_{31}^n$, and $G_c : \{0,1\}^{2k} \to \mathbb{F}_{31}^{r \cdot (2n+m)}$.

Key generation. Given the security parameter $k$, we randomly sample a secret key of $k$ bits $SK \leftarrow_R \{0,1\}^k$ as well as a seed $S_F \leftarrow_R \{0,1\}^k$. We then select a pseudorandom MQ system $F$ from $\mathcal{MQ}(n, m, \mathbb{F}_{31})$ by expanding $S_F$. In total, we must generate $F_{len} = m \cdot \left(\frac{n(n+1)}{2} + n\right)$ elements for $F$, to use as coefficients for both the quadratic and the linear monomials. We use the pseudorandom generator $G_{S_F}$ for this.

In order to compute the public key, we want to use the secret key as input for the $\mathcal{MQ}$ function defined by $F$. As $SK$ is a $k$-bit string rather than a sequence of $n$ elements from $\mathbb{F}_{31}$, we instead use it as a seed for a pseudorandom generator as well, deriving $SK_{\mathbb{F}_{31}} = G_{SK}(SK)$. It is then possible to compute $PK_v = F(SK_{\mathbb{F}_{31}})$. The secret key $sk = (SK, S_F)$ and the public key $pk = (S_F, PK_v)$ require $2 \cdot k$ and $k + 5 \cdot m$ bits respectively, assuming 5 bits per $\mathbb{F}_{31}$ element.

Signing. The signature algorithm takes as input a message $m \in \{0,1\}^*$ and a secret key $sk = (SK, S_F)$. Similarly as in the key generation, we derive $F = G_{S_F}(S_F)$. Then, we derive a message-dependent random value $R = \mathcal{H}(SK \,\|\, m)$, where "$\|$" is string concatenation. Using this random value $R$, we compute the randomized message digest $D = \mathcal{H}(R \,\|\, m)$. The value $R$ must be included in the signature, so that a verifier can derive the same randomized digest.

As mentioned in Definition 2.4, the core of the derived signature scheme essentially consists of iterations of the IDS. We refer to the number of required iterations to achieve the security level $k$ as $r$ (note that this should not be confused with $r_0$ and $r_1$, which are vectors of elements of $\mathbb{F}_{31}$).

Given $SK$ and $D$, we now compute $G_c(SK, D)$ to produce $(r_{(0,0)}, \dots, r_{(0,r-1)}, t_{(0,0)}, \dots, t_{(0,r-1)}, e_{(0,0)}, \dots, e_{(0,r-1)})$. Using these values, we compute $c_{(0,i)}$ and $c_{(1,i)}$ for each round $i$, as defined in the IDS. Recall that $G(x, y) = F(x + y) - F(x) - F(y)$, and that $\mathsf{Com}_0$ and $\mathsf{Com}_1$ are string commitment functions:

$$c_{(0,i)} = \mathsf{Com}_0(r_{(0,i)}, t_{(0,i)}, e_{(0,i)}) \quad \text{and} \quad c_{(1,i)} = \mathsf{Com}_1(r_{(1,i)}, G(t_{(0,i)}, r_{(1,i)}) + e_{(0,i)}).$$

As mentioned in [48], it is not necessary to include all $2r$ commitments in the transcript. Instead, we include a digest over the concatenation of all commitments $\sigma_0 = \mathcal{H}(c_{(0,0)} \,\|\, c_{(1,0)} \,\|\, \dots \,\|\, c_{(0,r-1)} \,\|\, c_{(1,r-1)})$. We derive the challenges$^2$ $\alpha_i \in \mathbb{F}_{31}$ (for $0 \leq i < r$) as $h_1 = H_1(D, \sigma_0)$. Using these $\alpha_i$, the vectors $t_{(1,i)} = \alpha_i \cdot r_{(0,i)} - t_{(0,i)}$ and $e_{(1,i)} = \alpha_i \cdot F(r_{(0,i)}) - e_{(0,i)}$ can be computed.

$^2$ Note that the concatenation of all $\alpha_i$ was previously referred to as $ch_1$.

Let $\sigma_1 = (t_{(1,0)} \,\|\, e_{(1,0)} \,\|\, \dots \,\|\, t_{(1,r-1)} \,\|\, e_{(1,r-1)})$. We compute $h_2$ by applying $H_2$ to the tuple $(D, \sigma_0, h_1, \sigma_1)$ and use it as $r$ binary challenges $ch_{2,i} \in \{0, 1\}$.

Now we define $\sigma_2 = (r_{(ch_{2,0},0)}, \dots, r_{(ch_{2,r-1},r-1)}, c_{(1-ch_{2,0},0)}, \dots, c_{(1-ch_{2,r-1},r-1)})$. Note that here we also need to include the commitments $c_{(1-ch_{2,i},i)}$ that the verifier cannot recompute. We then output $\sigma = (R, \sigma_0, \sigma_1, \sigma_2)$ as the signature. At 5 bits per $\mathbb{F}_{31}$ element, the size of the signature is $(2 + r) \cdot k + 5 \cdot r \cdot (2 \cdot n + m)$ bits.

Verification. The verification algorithm takes as input the message $m$, the signature $\sigma = (R, \sigma_0, \sigma_1, \sigma_2)$ and the public key $pk = (S_F, PK_v)$. As above, we use $R$ and $m$ to compute $D$, and derive $F$ from $S_F$ using $G_{S_F}$. As the signature contains $\sigma_0$, we can compose $h_1$ and, consequentially, the challenge values $\alpha_i$ for all $r$ rounds by using $H_1$. Similarly, the values $ch_{2,i}$ are computed by applying $H_2$ to $(D, \sigma_0, h_1, \sigma_1)$. For each round $i$, the verifier extracts vectors $t_i$ and $e_i$ (which are always $t_{(1,i)}$ and $e_{(1,i)}$) from $\sigma_1$ and $r_i$ from $\sigma_2$. Depending on $ch_{2,i}$, half of the commitments can now be computed:

$$\text{if } ch_{2,i} = 0: \quad c_{(0,i)} = \mathsf{Com}_0(r_i,\ \alpha_i \cdot r_i - t_i,\ \alpha_i \cdot F(r_i) - e_i)$$

$$\text{if } ch_{2,i} = 1: \quad c_{(1,i)} = \mathsf{Com}_1(r_i,\ \alpha_i \cdot (PK_v - F(r_i)) - G(t_i, r_i) - e_i)$$

Extracting the missing commitments $c_{(1-ch_{2,i},i)}$ from $\sigma_2$, the verifier now computes $\sigma'_0 = \mathcal{H}(c_{(0,0)} \,\|\, c_{(1,0)} \,\|\, \dots \,\|\, c_{(0,r-1)} \,\|\, c_{(1,r-1)})$. For verification to succeed, $\sigma_0 = \sigma'_0$ should hold.
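To make the key generation, signing and verification steps above concrete, the following is an added Python sketch of MQDSS written for this page (not the authors' reference implementation), with toy parameters $n = m = 8$, $r = 6$, $k = 256$, using SHA3-256 for $\mathcal{H}$, $\mathsf{Com}_0$, $\mathsf{Com}_1$ and SHAKE-128 with rejection sampling for $H_1$, $H_2$, $G_{S_F}$, $G_{SK}$, $G_c$ as Sect. 6 instantiates them. The byte encodings, the domain-separation bytes inside the commitments and the use of one byte per $\mathbb{F}_{31}$ element are my assumptions.

```python
import hashlib
import os
from itertools import combinations_with_replacement

Q = 31                  # the field F_31
N, M, R = 8, 8, 6       # toy n, m, r (constructed); MQDSS-31-64 uses n = m = 64, r = 269
K = 32                  # k = 256 bits: SHA3-256 / SHAKE-128 digests are 32 bytes
MONOMIALS = list(combinations_with_replacement(range(N), 2))   # x_i * x_j, i <= j
F_LEN = M * (len(MONOMIALS) + N)   # quadratic plus linear coefficients, no constants

def sha3(*parts):   # H: SHA3-256 over the concatenation of its inputs
    return hashlib.sha3_256(b"".join(parts)).digest()

def expand_f31(seed, count):
    """SHAKE-128 -> F_31^count: one 5-bit chunk per output byte, the value 31 is rejected and resampled."""
    out, length = [], 2 * count + 64
    while len(out) < count:
        out = [b & 31 for b in hashlib.shake_128(seed).digest(length) if (b & 31) != 31]
        length *= 2
    return out[:count]

def expand_F(SF):
    """G_{S_F}: the MQ system F as M coefficient rows (quadratic monomials first, then linear)."""
    per_eq = len(MONOMIALS) + N
    coeffs = expand_f31(SF, F_LEN)
    return [coeffs[s * per_eq:(s + 1) * per_eq] for s in range(M)]

def mq_eval(F, x):
    quad = [x[i] * x[j] for i, j in MONOMIALS]
    return [sum(c * v for c, v in zip(row, quad + list(x))) % Q for row in F]

def vadd(a, b): return [(u + v) % Q for u, v in zip(a, b)]
def vsub(a, b): return [(u - v) % Q for u, v in zip(a, b)]
def smul(s, a): return [(s * u) % Q for u in a]

def polar(F, x, y):
    """G(x, y) = F(x + y) - F(x) - F(y); bilinear since F has no constant terms."""
    return vsub(vsub(mq_eval(F, vadd(x, y)), mq_eval(F, x)), mq_eval(F, y))

def com0(r, t, e): return sha3(b"\x00", bytes(r), bytes(t), bytes(e))   # Com_0 (assumed encoding)
def com1(r, x): return sha3(b"\x01", bytes(r), bytes(x))                # Com_1 (assumed encoding)

def h1_of(D, sigma0):
    """H_1(D, sigma_0): the r first-round challenges alpha_i in F_31."""
    return expand_f31(D + sigma0, R)

def h2_of(D, sigma0, h1, sigma1):
    """H_2(D, sigma_0, h_1, sigma_1): the r binary challenges ch_{2,i}."""
    buf = hashlib.shake_128(D + sigma0 + bytes(h1) + sigma1).digest((R + 7) // 8)
    return [(buf[i // 8] >> (i % 8)) & 1 for i in range(R)]

def keygen(rng=os.urandom):
    SK, SF = rng(K), rng(K)
    PKv = mq_eval(expand_F(SF), expand_f31(SK, N))   # PK_v = F(G_SK(SK))
    return (SK, SF), (SF, PKv)

def sign(sk, msg):
    SK, SF = sk
    F, sk31 = expand_F(SF), expand_f31(SK, N)
    Rv = sha3(SK, msg)                              # R = H(SK || m)
    D = sha3(Rv, msg)                               # randomized digest D = H(R || m)
    vals = expand_f31(SK + D, R * (2 * N + M))      # G_c(SK, D): r_0, t_0, e_0 for every round
    rounds, coms = [], []
    for i in range(R):
        b = i * (2 * N + M)
        r0, t0, e0 = vals[b:b + N], vals[b + N:b + 2 * N], vals[b + 2 * N:b + 2 * N + M]
        r1 = vsub(sk31, r0)
        rounds.append((r0, r1, t0, e0))
        coms.append((com0(r0, t0, e0), com1(r1, vadd(polar(F, t0, r1), e0))))
    sigma0 = sha3(*[c for pair in coms for c in pair])      # digest of all 2r commitments
    alpha = h1_of(D, sigma0)
    sigma1 = b"".join(bytes(vsub(smul(alpha[i], r0), t0) + vsub(smul(alpha[i], mq_eval(F, r0)), e0))
                      for i, (r0, _, t0, e0) in enumerate(rounds))   # t_1 || e_1 per round
    ch2 = h2_of(D, sigma0, alpha, sigma1)
    resp = b"".join(bytes(rounds[i][ch2[i]]) for i in range(R))      # r_{ch2,i}
    missing = b"".join(coms[i][1 - ch2[i]] for i in range(R))        # c_{1-ch2,i}
    return Rv, sigma0, sigma1, resp + missing

def verify(pk, msg, sig):
    SF, PKv = pk
    Rv, sigma0, sigma1, sigma2 = sig
    F, D = expand_F(SF), sha3(Rv, msg)
    alpha = h1_of(D, sigma0)
    ch2 = h2_of(D, sigma0, alpha, sigma1)
    coms = []
    for i in range(R):
        t = list(sigma1[i * (N + M):i * (N + M) + N])
        e = list(sigma1[i * (N + M) + N:(i + 1) * (N + M)])
        r = list(sigma2[i * N:(i + 1) * N])
        given = sigma2[R * N + i * K:R * N + (i + 1) * K]
        if ch2[i] == 0:   # r is r_0: recompute c_0, c_1 is supplied in sigma_2
            coms += [com0(r, vsub(smul(alpha[i], r), t), vsub(smul(alpha[i], mq_eval(F, r)), e)), given]
        else:             # r is r_1: recompute c_1, c_0 is supplied in sigma_2
            x = vsub(vsub(smul(alpha[i], vsub(PKv, mq_eval(F, r))), polar(F, t, r)), e)
            coms += [given, com1(r, x)]
    return sha3(*coms) == sigma0

def signature_size(sig):   # (2 + r) * k + r * (2n + m) bytes: one byte per element, not 5 bits
    return sum(len(part) for part in sig)
```

Signing is deterministic in $(sk, m)$, so two signatures of the same message are identical, and any change to $m$, to a signature component or to the public key makes the recomputed commitment digest differ from $\sigma_0$.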


5.3 Security of MQDSS 

We now give a security reduction for MQDSS in the ROM. As our results from the last section are non-tight we only prove an asymptotic statement. While this does not suffice to make any statement about the security of a specific parameter choice, it provides evidence that the general approach leads to a secure scheme. Also, the reduction is in the ROM, not in the QROM, thereby limiting applicability in the post-quantum setting. As already mentioned in the introduction, we consider it important future work to strengthen this statement.

In the remainder of this subsection we prove the following theorem. 

Theorem 5.1. MQDSS is EU-CMA-secure in the random oracle model, if

- the search version of the MQ problem is intractable,

- the hash functions $\mathcal{H}$, $H_1$, and $H_2$ are modeled as random oracles,

- the commitment functions $\mathsf{Com}_0$ and $\mathsf{Com}_1$ are computationally binding, computationally hiding, and the probability that their output takes a given value is negligible in the security parameter,

- the pseudorandom generator $G_{S_F}$ is modeled as random oracle, and

- the pseudorandom generators $G_{SK}$ and $G_c$ have outputs computationally indistinguishable from random.

To prove this theorem we would like to apply Theorem 4.8. However, Theorem 4.8 was formulated for a slightly more generic construction. The point is that we apply an optimization originally proposed in [50]. So, in our actual proposal, the parallel composition of the IDS is slightly different as, instead of the commitments, only the hash of their concatenation is sent. Also, the last message now contains the remaining commitments.

While we could have treated this case in Sect. 4, it would have limited the general applicability of the result, as the above optimization is only applicable to schemes with a certain, less generic, structure. However, it is straightforward to redo the proofs from Sect. 4 for the optimized scheme. When modeling the hash function used to compress the commitments as RO, the arguments are exactly the same with one exception. The proof of Lemma 4.12 uses that the commitment scheme - and thereby the first signature element $\sigma_0$ - only takes a given value with negligible probability. Now this statement follows from the same property of the commitment scheme and the randomness of the RO. Altogether this leads to the following corollary:

Corollary 5.2 (EU-CMA security of q2-signature schemes). Let $k \in \mathbb{N}$, $\mathsf{IDS}(1^k)$ a q2-IDS that is honest-verifier zero-knowledge, achieves soundness with constant soundness error $\kappa$ and has a q2-extractor. Then $\mathsf{opt\text{-}q2\text{-}Dss}(1^k)$, the optimized q2-signature scheme derived by applying Construction 4.7 and the optimization explained above, is existentially unforgeable under adaptive chosen message attacks.

Based on this corollary we can now prove the above theorem. 

Proof (of Theorem 5.1). Towards a contradiction, assume there exists an adversary $\mathcal{A}$ that wins the EU-CMA game against MQDSS with non-negligible success probability. We show that this implies the existence of an oracle machine $\mathcal{M}^{\mathcal{A}}$ that solves the $\mathcal{MQ}$ problem, breaks a property of one of the commitment schemes, or distinguishes the outputs of one of the pseudorandom generators from random. We first define a series of games and argue that the difference in success probability of $\mathcal{A}$ between these games is negligible. We assume that $\mathcal{M}$ runs $\mathcal{A}$ in these games.

Game 0: Is the EU-CMA game for MQDSS.

Game 1: Is Game 0 with the difference that $\mathcal{M}$ replaces the outputs of $G_{SK}$ by random bit strings.

Game 2: Is Game 1 with the difference that $\mathcal{M}$ replaces the outputs of $G_c$ by random bit strings.

Game 3: Is Game 2 with the difference that $\mathcal{M}$ takes as additional input a random equation system $F$. $\mathcal{M}$ simulates $G_{S_F}$ towards $\mathcal{A}$, programming $G_{S_F}$ such that it returns the coefficients representing $F$ upon input of $S_F$ and uniformly random values on any other input.

Per assumption, $\mathcal{A}$ wins Game 0 with non-negligible success probability. Let's call this $\varepsilon$. If the difference in $\mathcal{A}$'s success probability playing Game 0 or Game 1 was non-negligible, we could use $\mathcal{A}$ to distinguish the outputs of $G_{SK}$ from random. The same argument applies for the difference between Game 1 and Game 2, and $G_c$. Finally, the output distribution of $G_{S_F}$ in Game 3 is the same as in previous games. Hence, there is no difference for $\mathcal{A}$ between Game 2 and Game 3. Accordingly, $\mathcal{A}$'s success probability in these two games is equal.

Now, Game 3 is exactly the EU-CMA game for the optimized q2 signature scheme that is derived from $\mathcal{MQ}$-IDS, the 5-pass IDS from [48]. We obtain the necessary contradiction if we can apply Corollary 5.2. For this, it just remains to be shown that $\mathcal{MQ}$-IDS is a q2-IDS that is honest-verifier zero-knowledge, achieves soundness with constant soundness error $\kappa$ and has a q2-extractor. Clearly, $\mathcal{MQ}$-IDS is a q2-IDS under the given assumptions on the commitment schemes. Sakumoto et al. [48] show that $\mathcal{MQ}$-IDS is honest-verifier zero-knowledge. Theorem 3.1 shows that $\mathcal{MQ}$-IDS achieves soundness with constant soundness error $\kappa =$ . Finally, the proof of Theorem 3.1 provides a construction of a q2-extractor. □

6 Instantiating the Scheme 

In this section, we provide a concrete instance of MQDSS. We discuss a suitable 
set of parameters to achieve the desired security level, discuss an optimized 
software implementation, and present benchmark results. 

Parameter choice and security analysis. For the 5-pass scheme, the soundness error $\kappa$ is affected by the size of $q$. This motivates a field choice larger than $\mathbb{F}_2$ in order to reduce the number of rounds required. From an implementation point of view, it is beneficial to select a small prime, allowing very cheap multiplications as well as comparatively cheap field reductions. We choose $\mathbb{F}_{31}$ with the intention of storing it in a 16-bit value - the benefits of which become clear in the next subsection, where we discuss the required reductions.

We now consider the choice of $\mathcal{MQ}(n, m, \mathbb{F}_{31})$, i.e. the parameters $n$ and $m$. There are several known generic classical algorithms for solving systems of quadratic equations over finite fields, such as the F4 algorithm [25] and the F5 algorithm [4,26] using Gröbner basis techniques, the Hybrid Approach [9,10] that is a variant of the F5 algorithm, or the XL algorithm [15,18] and variants [56].

Currently, for fields $\mathbb{F}_q$ where $q \geq 4$, the best known technique for solving overdetermined systems of equations over $\mathbb{F}_q$ is combining equation solvers with exhaustive search. The Hybrid Approach [9,10] and the FXL variant of XL [56] use this paradigm. Here we will analyze the complexity using the Hybrid approach. Note that the complexity for the XL family of algorithms is similar [59].

Roughly speaking, for an optimization parameter $\ell$, using the Hybrid approach one first fixes $\ell$ among the $n$ variables, and then computes $q^{\ell}$ Gröbner bases of the smaller systems in $n - \ell$ variables. Hence, the improvement over the plain F5 algorithm comes from the proper choice of the parameter $\ell$. It has been shown in [9] that the best trade-off is achieved when the parameter $\ell$ is proportional to the number of variables $n$, i.e. when $\ell = \tau n$.

Let $2 \leq \omega \leq 3$ be the linear algebra constant. The complexity of computing a Gröbner basis of a system of $m$ equations in $n$ variables, $m \geq n$, using the F5 algorithm is given by

$$C_{F5}(n, m) = O\left(\left(m \binom{n + d_{reg}(n, m) - 1}{d_{reg}}\right)^{\omega}\right),$$

where $d_{reg}(n, m)$ is the degree of regularity of the system which can be approximated as

$$d_{reg}(n, m) \approx \left(\frac{m}{n} - \frac{1}{2} - \sqrt{\frac{m}{n}\left(\frac{m}{n} - 1\right)}\right) n + O(n^{1/3}).$$

For a fixed $0 < \tau < 1$, the complexity of the Hybrid approach is

$$C_{Hyb}(n, m, \tau, d_{reg}(n(1-\tau), m)) = q^{\tau n} \cdot C_{F5}(n(1-\tau), m, d_{reg,\tau}(n(1-\tau), m)).$$

It is well known (and can be seen from the complexity above) that the F5 algorithm as well as the Hybrid approach perform better when the number of equations is bigger than the number of variables, so from this point of view there is no incentive in choosing $m > n$. On the other hand, if $m < n$, then we can simply fix $n - m$ variables and reduce the problem to a smaller one, with $m$ variables. Therefore, in terms of classical security the best choice is $m = n$.

Following the analysis from [9,10], we calculated the best trade-off for $\tau$ for the family of functions $\mathcal{MQ}(n, n, \mathbb{F}_{31})$, when $\omega = 2.3$. Asymptotically, $\tau \to 0.16$, although for smaller values of $n$ (e.g. $n = 32$) we find $\tau = 0.13$.

Since our goal is classical security of at least 128 bits, we need to choose $n > 51$, so that for any choice of the linear algebra constant $2 \leq \omega \leq 3$ the Hybrid approach would need at least $2^{128}$ operations. Note that if we set the more realistic value of $\omega = 2.3$, the minimum is $n = 45$.

For implementation reasons, we choose $n = 64$. In particular, a multiple of 16 suggests efficient register usage for vectorized implementations. In this case, for $\omega = 2.3$, the complexity of the Hybrid approach is $\approx 2^{177}$ and the best result is obtained for $\tau = 0.14$, which translates to fixing 9 variables in the system.

Regarding post-quantum security, at the moment there is no dedicated quan- 
tum algorithm for solving systems of quadratic equations. Instead, we can use 
Grover’s search algorithm [34] to directly attack the A4Q problem, or use 
Grover’s algorithm for the search part in a quantum implementation of the 
Hybrid method. Note that the later requires an efficient quantum implementa- 
tion of the F5 algorithm, that we will assume provides no quantum speedup over 
the classical implementation. 

Grover’s algorithm searches for an item in a unordered list of size N = 2 n that 
satisfies a certain condition given in the form of a quantum black-box function 
/ : {0, l} n — > {0, 1}. If the condition is satisfied for the i-th item, then f(i) = 1, 
otherwise f(i) = 0. The complexity of Grover’s algorithm is 0(y/N/M), where 
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M is the number of items in the list that satisfy the condition, i.e. the algorithm 
provides a quadratic speed-up compared to classical search. 

First we will consider a direct application of Grover's algorithm on the $\mathcal{MQ}$ 
problem in question. In this case, f should answer whether a given 
n-tuple $\mathbf{x} \in \mathbb{F}_{31}^n$ satisfies the system of equations $F(\mathbf{x}) = \mathbf{v}$. Since the domain 
is not Boolean, we need to convert it to one, so we get a Boolean domain of $n \log_2 31$ bits. 

To estimate the complexity of the algorithm, we need the number of solutions 
M to the given system of equations. Determining the exact M requires 
exponential time [54], but it was shown in [29] that the number of solutions of a 
system of n equations in n variables follows the Poisson distribution with parameter 
$\lambda = 1$. Therefore the expected value is 1. Furthermore, the probability 
that there are at least M solutions can be estimated by the tail probability of a 
Poisson random variable, $\Pr[X \ge M] \le e^{-1}(e/M)^M$, which is negligible in 
M. In practice, we can safely assume that $M \le 4$, since $\Pr[M \ge 5] \approx 2^{-8}$. In 
total, Grover's algorithm takes $O(2^{n \log_2 31 / 2}/4) \approx 2^{156}$ operations. 

As said earlier, we can also use a quantum version of the Hybrid approach 
for m = n. In this case the complexity will be 

$$C_{\mathrm{Hyb,quantum}}\bigl(n, n, d_{\mathrm{reg}}(n(1-r), n)\bigr) = \sqrt{\frac{q^{rn}}{M}} \cdot C_{F5}\bigl(n(1-r),\, n,\, d_{\mathrm{reg}}(n(1-r), n)\bigr).$$

Taking again $M \le 4$, the optimal value for the optimization parameter is r = 
0.39, which means we should fix 25 variables in the system. Hence, the quantum 
version of the Hybrid method has a time complexity of $\approx 2^{139}$ operations. 

To achieve EU-CMA for 128 bits of post-quantum security, we require that 
$\kappa^r < 2^{-256}$, as an adversary could perform a preimage search to effectively 
control the challenges. As $\kappa = \frac{1}{2} + \frac{1}{2q} = \frac{16}{31}$ with q = 31, we need r = 269. To complete 
the scheme, we instantiate the functions $\mathcal{H}$, $\mathrm{Com}_0$ and $\mathrm{Com}_1$ with SHA3-256, 
and use SHAKE-128 for $H_1$, $H_2$, $G_{S_F}$, $G_c$ and $G_{sk}$ [7]. In order to convert 
between the output domain of SHAKE-128 and functions that map to vectors 
over $\mathbb{F}_{31}$, we simply reject and resample values that are not in $\mathbb{F}_{31}$ (effectively 
applying an instance of the second TSS08 construction from [55]). 

We refer to this instance of the scheme as MQDSS-31-64. 
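The parameter choices above (the number of rounds r from the soundness error, the signature length, the Poisson estimate for the number of solutions and the direct-Grover exponent) can be recomputed mechanically. The following C code is an added example, not part of the paper or its implementation; it assumes the per-round soundness error $\kappa = 1/2 + 1/(2q)$ of the 5-pass scheme, the packing of one field element into 5 bits, and computes logarithms bit by bit so that it needs no libm.

```c
/* Added example: recomputing the MQDSS-31-64 parameter derivations.
 * Assumptions (not from the paper's code): kappa = 1/2 + 1/(2q), 5-bit packing. */

/* Binary logarithm without libm: integer part by halving, fraction bit by bit by squaring. */
double log2_approx(double x)
{
    double e = 0.0, bit = 0.5;
    while (x >= 2.0) { x *= 0.5; e += 1.0; }
    while (x < 1.0)  { x *= 2.0; e -= 1.0; }
    for (int i = 0; i < 52; i++) {          /* x in [1,2): square, test the next bit */
        x *= x;
        if (x >= 2.0) { x *= 0.5; e += bit; }
        bit *= 0.5;
    }
    return e;
}

/* Rounds r for the 5-pass scheme: smallest r with kappa^r < 2^-(2*sec_bits),
 * where kappa = 1/2 + 1/(2q) is the soundness error of a single round. */
int mqdss_rounds(int q, int sec_bits)
{
    double kappa = 0.5 + 1.0 / (2.0 * q);
    double threshold = 1.0;
    for (int i = 0; i < 2 * sec_bits; i++) threshold *= 0.5;   /* exactly 2^-(2*sec_bits) */
    double p = 1.0;
    int r = 0;
    while (p >= threshold) { p *= kappa; r++; }
    return r;
}

/* Signature length in bits: two hash outputs, then per round one hash output
 * plus three packed vectors of n field elements of elem_bits each. */
long mqdss_sig_bits(int r, int n, int elem_bits, int hash_bits)
{
    return 2L * hash_bits + (long)r * (hash_bits + 3L * elem_bits * n);
}

/* Pr[X >= m] for X ~ Poisson(1), i.e. 1 - e^-1 * sum_{k<m} 1/k!. */
double poisson1_tail(int m)
{
    double inv_e = 0.0, term = 1.0;
    for (int k = 0; k < 30; k++) { inv_e += term; term *= -1.0 / (k + 1); }  /* e^-1 = sum (-1)^k/k! */
    double cdf = 0.0;
    term = 1.0;
    for (int k = 0; k < m; k++) { cdf += term; term /= (k + 1); }
    return 1.0 - inv_e * cdf;
}

/* The tail bound used in the text for the same quantity: e^-1 * (e/m)^m. */
double poisson1_tail_bound(int m)
{
    double e = 0.0, term = 1.0;
    for (int k = 0; k < 30; k++) { e += term; term /= (k + 1); }
    double b = 1.0 / e;
    for (int k = 0; k < m; k++) b *= e / m;
    return b;
}

/* log2 of the direct-Grover estimate 2^{n log2(q) / 2} / m_solutions from the text. */
double grover_log2_cost(int n, int q, int m_solutions)
{
    return n * log2_approx((double)q) / 2.0 - log2_approx((double)m_solutions);
}
```

With q = 31 and 128-bit post-quantum security the round loop stops at r = 269, the signature formula gives 327616 bits, the exact Poisson tail at 5 lies just below $2^{-8}$ (and below the bound), and the Grover exponent for n = 64 comes out at about 156.5.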

Implementation. The central and most costly computation in this signature 
scheme is the evaluation of F (and, by corollary, G). The signing procedure 
requires one evaluation of each for every round, and the verifier needs to compute 
either F (if the second challenge bit is 0) or both F and G (if it is 1), for each round. Other than 
these functions, the computational effort is made up of seed expansion, several 
hash function applications and a small number of additions and subtractions. 
For SHA3-256 and SHAKE-128, we rely on existing code from the Keccak Code 
Package [8]. Clearly, the focus for an optimized implementation should be on the 
$\mathcal{MQ}$ function. Previous work [12] has shown that modern CPUs offer interesting 
and valuable methods to efficiently implement this primitive, in particular by 
exploiting the high level of internal parallelism. 

Compared to the binary 3-pass scheme, the implementation of the 5-pass 
scheme over $\mathbb{F}_{31}$ presents more challenges. As $\mathbb{F}_{31}$ is not closed under 
regular integer multiplication and addition, results of computations need to be 
reduced to smaller representations. To avoid having to do this too frequently, we 
generally represent field elements during computation as unsigned 16-bit values. 
During specific parts of the computation, we vary this representation as needed. 

The evaluation of F can roughly be divided in two parts: the generation of 
all monomials, and the computation of the resulting polynomials for known monomials. 
Generating the quadratic monomials from the given linear monomials 
requires $\frac{n(n+1)}{2}$ multiplications. For the second part, we require $m \cdot (n + \frac{n(n+1)}{2})$ 
multiplications to multiply the coefficients of the system parameter with the linear and 
quadratic monomials, as well as a number of additions to accumulate all results. 
As the second part is clearly more computationally intensive, the optimization 
of this part is our primary concern. We describe an approach for the monomial 
generation in the full version [13] of the paper. 

To efficiently compute all polynomials for a given set of monomials, we keep 
all required data in registers to avoid the cost of register spilling throughout 
the computation. Given that n = m = 64, for this part of the computation 
we represent the 64 F31 input values as 8 bit values and the resulting 64 F31 
elements as 16 bit values, costing us 2 and 4 YMM registers respectively. The 
coefficients of F can be represented as a column major matrix with every column 
containing all coefficients that correspond to a specific monomial, i.e. one for 
each output value. That would imply that every row of the matrix represents 
one polynomial of F. In this representation, each result term is computed by 
accumulating the products of a row of coefficients with each monomial, which 
is exactly the same as computing the product of the matrix F and the vector 
containing all monomials. This allows us to efficiently accumulate the output 
terms, minimizing the required output registers. 

In order to perform the required multiplications and additions as quickly as 
possible, we heavily rely on the AVX2 instruction VPMADDUBSW. In one instruction, 
this multiplies adjacent pairs of 8-bit values and adds the two products of each 
pair into a 16-bit SIMD lane (with signed saturation). 
However, this instruction operates on 8-bit input values that are stored adjacently. 
This requires a slight variation on the representation of F described above: 
instead, we arrange the coefficients of F in a column-major matrix with 16-bit 
elements, each corresponding to two concatenated monomials. 

When arranging reductions, we must strike a careful balance between preventing 
overflow and not reducing more often than necessary. As we make extensive 
use of VPMADDUBSW, which takes both a signed and an unsigned operand, to 
compute the quadratic monomials, we ensure that the input variables for the 
MQ function are unsigned values (in particular: {0, ..., 31}). For the coefficients 
in the system parameter F, we can then freely assume the values are in 
{-15, ..., 15}, as these are the direct result of a pseudo-random generator. It 
turns out to be efficient to immediately reduce the quadratic monomials back 
to {0, ..., 31} when they are computed. When we now multiply such a product 
with an element from the system parameter and add it to the accumulators, the 
maximum value of each accumulator word will be at most $64 \cdot 31 \cdot 15 = 29760$ (see footnote 3). 
As this does not exceed 32768, we only have to perform reductions on each 
individual accumulator at the very end. 

3 This follows from the fact that we combine 64 such monomials in two YMM registers. 

One should note that [12] approaches this problem from a slightly different 
angle. In particular, they accumulate each individual output element sequen- 
tially, allowing them to keep the intermediate results in the 32 bit representation 
that is the output of their combined multiplication and addition instructions. 
This has the natural consequence of also avoiding early reductions. 
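As an added example (not the paper's AVX2 code), the following C program models the accumulation strategy in scalar code: monomials are reduced into {0, ..., 30} as they are produced, the coefficients live in {-15, ..., 15}, products are formed with an emulation of one VPMADDUBSW lane, and a block of 64 monomials is accumulated in a signed 16-bit word before the single reduction for that block. The xorshift generator standing in for the seed expansion and the evaluation order are assumptions of this example, not the paper's. The program also counts the blocks per output word, which with 2144 monomials gives 34 blocks, i.e. the $34 \cdot 4 = 136$ YMM reductions of the text, and records the largest accumulator value to compare against the $64 \cdot 31 \cdot 15 = 29760$ bound.

```c
/* Added example: scalar model of the MQDSS-31-64 accumulation strategy.
 * Not the paper's AVX2 implementation; the PRG and the loop order are assumptions. */
#include <stdint.h>
#include <string.h>

#define MQ_Q 31
#define MQ_N 64                                   /* variables */
#define MQ_M 64                                   /* equations */
#define NMONO (MQ_N + MQ_N * (MQ_N + 1) / 2)      /* 64 linear + 2080 quadratic monomials = 2144 */
#define BLOCK 64                                  /* monomials accumulated between two reductions */

/* One 16-bit lane of VPMADDUBSW: two unsigned-byte x signed-byte products
 * added together with signed 16-bit saturation. */
static int16_t maddubs_lane(uint8_t a0, int8_t b0, uint8_t a1, int8_t b1)
{
    int32_t s = (int32_t)a0 * b0 + (int32_t)a1 * b1;
    if (s > INT16_MAX) s = INT16_MAX;
    if (s < INT16_MIN) s = INT16_MIN;
    return (int16_t)s;
}

/* xorshift32: a stand-in for the seed expansion of the real scheme (assumption). */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* System parameter F: one row of NMONO coefficients in {-15,...,15} per equation. */
void mq_gen_system(uint32_t seed, int8_t coef[MQ_M][NMONO])
{
    uint32_t s = seed ? seed : 1u;
    for (int j = 0; j < MQ_M; j++)
        for (int t = 0; t < NMONO; t++)
            coef[j][t] = (int8_t)((int)(xorshift32(&s) % MQ_Q) - 15);
}

/* Linear monomials x_i followed by quadratic monomials x_i*x_j (i <= j),
 * each reduced back into {0,...,30} right after it is computed. */
static void gen_monomials(const uint8_t x[MQ_N], uint8_t mono[NMONO])
{
    int t = 0;
    for (int i = 0; i < MQ_N; i++) mono[t++] = (uint8_t)(x[i] % MQ_Q);
    for (int i = 0; i < MQ_N; i++)
        for (int j = i; j < MQ_N; j++)
            mono[t++] = (uint8_t)(((unsigned)x[i] * x[j]) % MQ_Q);
}

typedef struct {
    uint8_t out[MQ_M];   /* F(x), entries in {0,...,30} */
    int     max_abs_acc; /* largest |accumulator| observed right before a reduction */
    int     blocks;      /* reductions per output word */
} mq_result;

/* Blocked evaluation: BLOCK products go into a signed 16-bit accumulator,
 * then one reduction mod 31, then the next block. */
mq_result mq_eval_blocked(const uint8_t x[MQ_N], int8_t coef[MQ_M][NMONO])
{
    mq_result r;
    uint8_t mono[NMONO];
    memset(&r, 0, sizeof r);
    gen_monomials(x, mono);
    for (int j = 0; j < MQ_M; j++) {
        int res = 0, blocks = 0;
        for (int t0 = 0; t0 < NMONO; t0 += BLOCK) {
            int16_t acc = 0;
            for (int t = t0; t < t0 + BLOCK && t < NMONO; t += 2) {
                uint8_t a1 = (t + 1 < NMONO) ? mono[t + 1] : 0;
                int8_t  b1 = (t + 1 < NMONO) ? coef[j][t + 1] : 0;
                acc = (int16_t)(acc + maddubs_lane(mono[t], coef[j][t], a1, b1)); /* VPADDW */
            }
            int a = acc < 0 ? -acc : acc;
            if (a > r.max_abs_acc) r.max_abs_acc = a;
            res = (res + ((acc % MQ_Q) + MQ_Q) % MQ_Q) % MQ_Q;   /* the only reduction in this block */
            blocks++;
        }
        r.out[j] = (uint8_t)res;
        r.blocks = blocks;
    }
    return r;
}

/* Reference evaluation with wide integers, reduced once at the end. */
void mq_eval_ref(const uint8_t x[MQ_N], int8_t coef[MQ_M][NMONO], uint8_t out[MQ_M])
{
    uint8_t mono[NMONO];
    gen_monomials(x, mono);
    for (int j = 0; j < MQ_M; j++) {
        long s = 0;
        for (int t = 0; t < NMONO; t++) s += (long)mono[t] * coef[j][t];
        out[j] = (uint8_t)(((s % MQ_Q) + MQ_Q) % MQ_Q);
    }
}

/* Worst case for one accumulator word: 64 monomials of at most 31 times coefficients of at most 15. */
int mq_acc_bound(void) { return BLOCK * 31 * 15; }
```

The blocked result must agree with the reference for every input, and the recorded maximum stays below the 29760 bound, which is what makes the single reduction per block of 64 monomials safe in a 16-bit lane.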

Benchmark results. The MQDSS-31-64 implementation has been optimized 
for large Intel processors, supporting AVX2 instructions. Benchmarks were car- 
ried out on a single core of an Intel Core i7-4770K CPU, running at 3.5 GHz. 
Signature and key sizes. The signature size of MQDSS-31-64 is considerably 
smaller than that of the 3-pass scheme. The obvious factor in this is the decreased 
ratio between the size of a vector of field elements (which, in packed form, now requires $64 \cdot 5 = 320$ 
bits) and the number of rounds, resulting in a signature size of $2 \cdot 256 + 
269 \cdot (256 + 5 \cdot 3 \cdot 64) = 327616$ bits, or 40 952 bytes (39.99 KiB). The shape 
of the keys does not change compared to the 3-pass scheme, but since a vector of 
field elements now requires 320 bits, the public key is 72 bytes. The secret key 
remains 64 bytes. 

Performance. As the $\mathcal{MQ}$ function is the most costly part of the computation, 
parameters are chosen in such a way that its performance is maximized. The 
required number of multiplications and additions (expressed as functions of n and 
m) does not change dramatically compared to the 3-pass baseline (footnote 4), but the actual 
values n and m are only a quarter of what they were. As the relation between 
n and m and the number of multiplications is quadratic for the monomials and 
cubic for the system parameter masking, and we see only a linear increase in the 
number of registers needed to operate on, the entire sequence of multiplications 
and additions becomes much cheaper. This especially impacts operations that 
involve the accumulators. As the representation allows us to keep reductions out 
of this innermost repeated loop, we perform (only) $\lceil 67/2 \rceil \cdot 4 = 136$ reductions (footnote 5) 
throughout the main computation and 66 when preparing quadratic monomials. 
As we were able to arrange the registers in such a way that they do not need 
to rotate across multiple registers, we greatly reduce the number of rotations 
required compared to the 3-pass scenario. Furthermore, we note that we use a 
total of $67 \cdot 16 \cdot 4 = 4288$ VPMADDUBSW instructions for the core computations. 

For one iteration of the $\mathcal{MQ}$ function F, we measure 6 616 cycles (G is 
slightly less costly, at 6 396 cycles). We measure a total of 8 510 616 cycles for 
the complete signature generation. Key generation costs 1 826 612 cycles, and 
verification consumes 5 752 612 cycles. On the given platform, that translates 
to roughly 2.43 ms, 0.52 ms and 1.64 ms, respectively. Verification is expected 
to require on average 3/2 calls to an $\mathcal{MQ}$ function per round, whereas signature 
generation always requires two. This explains the ratio; note that both signer and 
verifier incur additional costs besides the $\mathcal{MQ}$ functions, e.g. for seed expansion. 

4 A slight difference is introduced by cancellation of the monomials in the $\mathbb{F}_2$ setting. 

5 This follows from the fact that we need a total of $(64 + \frac{64 \cdot 65}{2})/32 = 67$ YMM registers worth 
of space to store the monomials and perform 4 reductions after accumulating 2 YMM 
registers of monomials. 

In order to compare these results to the state of the art, we consider the 
performance figures reported in [12]. In particular, we examine the Rainbow(31, 
24, 20, 20) instance, as the ‘public map’ in this scheme is effectively the MQ 
function over $\mathbb{F}_{31}$ with n = 64, as used above. The number of equations differs 
(i.e. m = 40 as opposed to m = 64), but this can be approximated by normalizing 
linearly. In [12], the authors report a time measurement of 17.7 μs, which 
converts to 50 144 cycles on their 2.833 GHz Intel Core 2 Quad Q9550. After normalizing 
for m, this amounts to 80 230 cycles. Results from the eBACS benchmarking 
project further show that running the Rainbow verification function from [12] 
on a Haswell CPU requires approximately 46 520 cycles (and thus 74 432 after 
normalizing); verification is dominated by the public map. Using their (by now 
arguably outdated) SSE2-based code to evaluate a public map with m = 64 
consumes 60 968 cycles on our Intel Core i7-4770K. All of these results provide 
confidence in the fact that our implementation, which makes extensive use of 
AVX2 instructions, is performing in line with expectations. 
Abstract. We construct collapse-binding commitments in the standard 
model. Collapse-binding commitments were introduced in (Unruh, Euro- 
crypt 2016) to model the computational-binding property of commit- 
ments against quantum adversaries, but only constructions in the ran- 
dom oracle model were known. 

Furthermore, we show that collapse-binding commitments imply 
selected other security definitions for quantum commitments, answering 
an open question from (Unruh, Eurocrypt 2016). 


Keywords: Quantum cryptography • Commitments • Hash functions 


1 Introduction 

Commitment schemes are one of the most fundamental primitives in cryptog- 
raphy. A commitment scheme is a two-party protocol consisting of two phases, 
the commit and the open phase. The goal of the commitment is to allow the 
sender to transmit information related to a message m during the commit phase 
in such a way that the recipient learns nothing about the message (hiding prop- 
erty). But at the same time, the sender cannot change his mind later about the 
message (binding property). Later, in the open phase, the sender reveals the 
message m and proves that this was indeed the message that he had in mind 
earlier (by sending some “opening information” u). Unfortunately, it was shown 
by [11] that the binding and hiding property of a commitment cannot both hold 
with statistical (i.e., information-theoretical) security even when using quantum 
communication. Thus, one typically requires one of them to hold only against 
computationally-limited adversaries. Since the privacy of data should usually 
extend far beyond the end of a protocol run, and since we cannot tell which tech- 
nological advances may happen in that time, we may want the hiding property 
to hold statistically, and thus are interested in computationally binding commit- 
ments. Unfortunately, computationally binding commitments turn out to be a 
subtle issue in the quantum setting. As shown in [1], if we use the natural ana- 
logue to the classical definition of computationally binding commitments (called 
“classical-style binding”), 1 we get a definition that is basically meaningless (the 

1 This definition, called classical-style binding in [16], roughly states that it is 
computationally hard to find a commitment c, two messages $m \ne m'$ and corresponding 
valid opening informations u, u'. 
adversary can open the commitment to whatever message he wishes). [16] suggested 
a new definition, “collapse binding” commitments, that better captures 
the idea of computationally binding commitments against quantum adversaries. 
This definition was shown to perform well in security proofs that use rewinding. 2 
(They studied classical non-interactive commitments, i.e., all exchanged 
messages are classical, but the adversary is quantum.) 

We describe the basic idea of “collapse-binding” commitments: When committing 
to a message m using a commitment c, it should be impossible for a quantum 
adversary to produce a superposition of different messages m that he can open 
to. Unfortunately, this requirement is too strong to achieve (at least for a statistically 
hiding commitment). 3 Instead, we require something slightly weaker: 
Any superposition of different messages m that the adversary can open to should 
look like it is a superposition of only a single message m. Formally, if the adversary 
produces a classical commitment c, and a superposition of openings m, u 
in registers M, U, the adversary should not be able to distinguish whether M is 
measured in the computational basis or not measured. That is, for all quantum-polynomial-time 
A, B, the circuits (a) and (b) in Fig. 1 are indistinguishable 
(assuming A only outputs superpositions that contain only valid openings). 



(Figure 1: circuit diagrams (a), (b), (c) and (d), not reproduced in the text.) 

Fig. 1. For collapse-binding commitments, (a) and (b) should be indistinguishable, 
i.e., Pr[b = 1] negligibly close in both cases. For collapsing hash functions, (c) and (d) 
should be indistinguishable. 


[16] showed that collapse-binding commitments avoid various problems of 
other definitions of computationally binding commitments in the quantum set- 
ting. In particular, they compose in parallel and are well suited for proofs that 
involve rewinding (e.g., when constructing zero-knowledge arguments of knowledge). 

2 We do not claim that they will work in every rewinding-based proof, but [16] showed 
their usefulness in the construction of arguments of knowledge. The proof of their 
construction did involve the quantum rewinding techniques from [14,17]. 

3 The adversary can initialize a register M with the superposition of all messages, run 
the commit algorithm in superposition, and measure the resulting commitment c. 
Then M will still be in superposition between many different messages m which the 
adversary can open c to. 
[16] further showed that in the quantum random oracle model, collapse-binding, 
statistically hiding commitments can be constructed. However, they 
left open two big questions: 

- Can collapse-binding commitments be constructed in the standard model? 
That is, without the use of random oracles? 

- One standard minimum requirement for commitments (called “sum-binding” 
in [16]) is that for quantum-polynomial-time A, $p_0 + p_1 \le 1 + \text{negligible}$, where 
$p_b$ is the probability that A opens a commitment to b when he learns b only 
after the commit phase. Surprisingly, [16] left it open whether the collapse-binding 
property implies the sum-binding property. 

First contribution: collapse-binding commitments in the standard 
model. We show that collapse-binding commitments exist in the standard 
model. More precisely, we construct a non-interactive, classical commitment in 
the public parameter model (i.e., we assume that some parameters are globally 
fixed), for arbitrarily long messages (the length of the public parameters and the 
commitment itself do not grow with the message length), statistically hiding, 
and collapse-binding. The security assumption is the existence of lossy trapdoor 
functions [13] with lossiness rate > 1/2, or alternatively that SIVP and GapSVP 
are hard for quantum algorithms to approximate within $O(d^c)$ factors for some 
constant c > 5. 

The basic idea of our construction is the following: In [16], it was shown 
that statistically hiding, collapse-binding commitments can be constructed from 
“collapsing” hash functions (using a classical construction from [6,9]). A function 
H is collapsing if an adversary that outputs h and a superposition M of 
H-preimages of h cannot distinguish whether M is measured or not. That is, 
the circuits (c) and (d) in Fig. 1 should be indistinguishable. So all we need to 
construct is a collapsing hash function in the standard model. 

To do so, we use a lossy trapdoor function (we do not actually need the 
trapdoor part, though). A lossy function $F_s : A \to B$ is parametrized by a 
public parameter s. There are two kinds of parameters, which are assumed to 
be indistinguishable: We call s lossy if $|\mathrm{im}\,F_s| \ll |A|$, that is, if its image is very 
sparse. We call s injective if $F_s$ is injective. 

If s is injective, then it is easy to see that $F_s$ is collapsing: There can be only 
one preimage of $F_s$ on register M, so measuring M will not disturb M. But since 
lossy and injective s are indistinguishable, it follows that $F_s$ is also collapsing 
for lossy s. Note, however, that $F_s$ is not yet useful on its own, because its range 
B is much bigger than A, while we want a compressing hash function (output 
smaller than input). 

However, for lossy s, $|\mathrm{im}\,F_s| \ll |A|$. Let $h_r : B \to C$ be a universal hash 
function, indexed by r, with $|\mathrm{im}\,F_s| \ll |C| \ll |A|$. We can show that with overwhelming 
probability, $h_r$ is injective on $\mathrm{im}\,F_s$, for suitable choice of C. Hence $h_r$ 
is collapsing (on $\mathrm{im}\,F_s$). The composition of two collapsing functions is collapsing, 
thus $H_{(r,s)} := h_r \circ F_s$ is collapsing for lossy s. (Note that $\mathrm{im}\,F_s$ is not an 
efficiently decidable set. Fortunately, we can construct all our reductions such 
that we never need to decide that set.) 
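The counting argument above can be played through with linear maps over $\mathbb{F}_2$. The following C code is an added example and not the paper's construction: $F_s(x) = xS$ with an injective key $S = [I \mid R']$ and a lossy key $S = PR$ whose image lies in the span of 8 rows, and a universal hash $h_r(y) = yR$ given by a random matrix (for $y \ne y'$ the outputs collide with probability exactly $2^{-|C|}$ over R). Such keys are of course trivially distinguishable, so this shows only the image-size and injectivity-on-the-image steps of the argument (it enumerates $\mathrm{im}\,F_s$ by row-reducing S and checks that $h_r$ has no collisions there), not any security property; the bit widths (32 → 40 → 26) are chosen here for illustration.

```c
/* Added example: a toy of H_(r,s) = h_r o F_s over F_2 with injective and lossy keys.
 * Not the paper's construction; key shapes, widths and the PRG are assumptions. */
#include <stdint.h>

#define ELL 32          /* input length: A = {0,1}^32 */
#define B_BITS 40       /* range B = {0,1}^40, larger than A */
#define C_BITS 26       /* universal hash output: |im F_s| << |C| << |A| */
#define LOSSY_RANK 8    /* lossy key: |im F_s| <= 2^8, i.e. lossiness k = 24, rate 3/4 */

typedef struct { uint64_t row[ELL]; }    lossy_key;  /* F_s(x) = x * S over F_2, S is ELL x B_BITS */
typedef struct { uint64_t row[B_BITS]; } uhash_key;  /* h_r(y) = y * R over F_2, R is B_BITS x C_BITS */

static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Vector-matrix product over F_2: XOR the rows selected by the set bits of x. */
static uint64_t vecmat(uint64_t x, const uint64_t *rows, int n)
{
    uint64_t y = 0;
    for (int i = 0; i < n; i++)
        if ((x >> i) & 1) y ^= rows[i];
    return y;
}

/* Injective key: S = [ I | random ], so x is readable from the low ELL bits of F_s(x). */
void lossy_key_injective(lossy_key *k, uint64_t seed)
{
    uint64_t s = seed | 1;
    for (int i = 0; i < ELL; i++)
        k->row[i] = (1ULL << i) | (xorshift64(&s) & ((1ULL << B_BITS) - 1) & ~((1ULL << ELL) - 1));
}

/* Lossy key: S = P * R with only LOSSY_RANK rows in R, so im F_s lies in their span. */
void lossy_key_lossy(lossy_key *k, uint64_t seed)
{
    uint64_t s = seed | 1, basis[LOSSY_RANK];
    for (int j = 0; j < LOSSY_RANK; j++) basis[j] = xorshift64(&s) & ((1ULL << B_BITS) - 1);
    for (int i = 0; i < ELL; i++)
        k->row[i] = vecmat(xorshift64(&s) & ((1ULL << LOSSY_RANK) - 1), basis, LOSSY_RANK);
}

/* Universal hash key: a random B_BITS x C_BITS matrix. */
void uhash_key_random(uhash_key *r, uint64_t seed)
{
    uint64_t s = seed | 1;
    for (int i = 0; i < B_BITS; i++) r->row[i] = xorshift64(&s) & ((1ULL << C_BITS) - 1);
}

uint64_t lossy_eval(const lossy_key *k, uint32_t x) { return vecmat(x, k->row, ELL); }
uint32_t uhash_eval(const uhash_key *r, uint64_t y) { return (uint32_t)vecmat(y, r->row, B_BITS); }

/* The compressing hash H_(r,s) = h_r o F_s : {0,1}^32 -> {0,1}^26. */
uint32_t hash_H(const lossy_key *k, const uhash_key *r, uint32_t x)
{
    return uhash_eval(r, lossy_eval(k, x));
}

typedef struct { uint64_t image_size; int hash_collisions; } lossy_stats;

/* |im F_s| = 2^rank(S); for small images, enumerate the image and count collisions of h_r on it
 * (hash_collisions = -1 when the image is too large to enumerate). */
lossy_stats lossy_image_stats(const lossy_key *k, const uhash_key *r)
{
    uint64_t piv[64] = {0};
    int n = 0;
    for (int i = 0; i < ELL; i++) {                 /* Gaussian elimination, pivot = highest set bit */
        uint64_t v = k->row[i];
        for (int b = 63; b >= 0 && v; b--) {
            if (!((v >> b) & 1)) continue;
            if (!piv[b]) { piv[b] = v; n++; v = 0; }
            else v ^= piv[b];
        }
    }
    lossy_stats st;
    st.image_size = (uint64_t)1 << n;
    st.hash_collisions = -1;
    if (n > 12) return st;
    uint64_t basis[64];
    int nb = 0;
    for (int b = 0; b < 64; b++) if (piv[b]) basis[nb++] = piv[b];
    static uint32_t h[1 << 12];
    for (uint32_t c = 0; c < (1u << n); c++) h[c] = uhash_eval(r, vecmat(c, basis, nb));
    st.hash_collisions = 0;
    for (uint32_t a = 0; a < (1u << n); a++)
        for (uint32_t b = a + 1; b < (1u << n); b++)
            if (h[a] == h[b]) st.hash_collisions++;
    return st;
}
```

With at most 256 image points and $2^{26}$ hash values, the expected number of collisions of $h_r$ on $\mathrm{im}\,F_s$ is about $2^{-11}$, which is the "injective on the image with overwhelming probability" step; the injective key, by contrast, has a $2^{32}$-point image on which no compressing $h_r$ could be injective.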
Thus far, we have found a collapsing $H_{(r,s)} : A \to C$ that is compressing. But 
we need something stronger, namely a collapsing hash function $\{0,1\}^* \to C$, i.e., 
applicable to arbitrarily long inputs. A well-known construction (in the classical 
setting) is the Merkle-Damgård construction, which transforms a compressing 
collision-resistant function H into a collision-resistant one with domain $\{0,1\}^*$. 
We prove that the Merkle-Damgård construction also preserves the collapsing 
property. (This proof is done by a sequence of games that each measure more 
and more about the hashed message m, each time with a negligible probability 
of being noticed due to the collapsing property of H.) Applying this result to 
$H_{(r,s)}$, we get a collapsing hash function $MD_{(r,s)} : \{0,1\}^* \to C$. And from this, 
we get collapse-binding commitments. 

We present our results with concrete security bounds, and our reductions 
have only constant factors in the runtime, and the security level only has an 
O (message length ) factor. 

We stress that the security proof for the Merkle-Damgard construction has 
an additional benefit: It shows that existing hash function like SHA-2 [12] are 
collapsing, assuming that the compression function is collapsing (which in turn 
is suggested by the random oracle results in [16]). Since we claim that collapsing 
is a desirable and natural analogue to collision-resistance in the post-quantum 
setting, this gives evidence for the post-quantum security of SHA-2. 

Second contribution: Collapse-binding implies sum-binding. In the classical 
setting, it is relatively straightforward to show that a computationally binding 
bit commitment satisfies the (classical) sum-binding condition. Namely, assume 
that the adversary breaks sum-binding, i.e., $p_0 + p_1 > 1 + \text{non-negligible}$. Then 
one runs the adversary, lets him open the commitment as m = 0 (which succeeds 
with probability $p_0$), then rewinds the adversary, and lets him open the same 
commitment as m = 1 (which succeeds with probability $p_1$). So the probability 
that both runs succeed is at least $p_0 + p_1 - 1 >$ non-negligible, which is a 
contradiction to the computational binding property. 

Since collapse-binding commitments work well with rewinding, one would 
assume that a similar proof works using the quantum rewinding technique from 
[14]. Unfortunately, existing quantum rewinding techniques do not seem to work. 

To show that a collapse-binding commitment is sum-binding, another proof 
technique is needed. The basic idea is, instead of simulating two executions 
of the adversary (opening m = 0 and opening m = 1) one after the other, to 
perform the two executions in superposition, controlled by a register M, initially 
in state $|+\rangle$. This entangles M with the execution of the adversary and thus 
disturbs M. It turns out that the disturbance of M is greater if we measure 
which bit the adversary opens than if we do not. This allows us to distinguish 
between measuring and not measuring, breaking the collapse-binding property. 

The same proof technique can be used to show that a collapse-binding string 
commitment satisfies the generalization of sum-binding presented in [3]. (In 
this case we have to use a superposition of a polynomial-number of adversary 
executions.) 
Possibly the technique of “rewinding in superposition” used here is 
a special case of a more general new quantum rewinding technique (other than 
[14,17]); we leave this as an open question. 

On the necessity of public parameters. Our commitment scheme assumes 
the existence of public parameters. This raises the question whether these are 
necessary. We argue that it would be unlikely to be able to construct non- 
interactive, statistically hiding, computationally binding commitments without 
public parameters (not even only classically secure ones) from standard assump- 
tions other than collision-resistant or collapsing hash functions. Namely, such a 
commitment can always be broken by a non-uniform adversary. (Because the 
adversary could have a commitment and two valid openings hardcoded.) Could 
there be such a commitment secure only against uniform adversaries, based 
on some assumption X? That is, a uniform adversary breaking the commitment 
could be transformed into an adversary against assumption X. All cryptographic 
proof techniques that we are aware of would then also transform a non-uniform 
adversary breaking the commitment into a non-uniform adversary breaking X. 
Since a non-uniform adversary breaking the commitment always exists, it fol- 
lows that X must be an assumption that cannot be secure against non-uniform 
adversaries. The only such assumptions that we are aware of are (unkeyed) 
collision-resistant and collapsing hash functions. 4 Thus it is unlikely that there 
are non-interactive, statistically hiding, computationally binding commitments 
without public parameters based on standard assumptions different from those 
two. (We are aware that the above constitutes no proof, but we consider it a 
strong argument.) We know how to construct such commitments from collapsing 
hash functions [16]. We leave it as an open problem whether such commitments 
can be constructed from collision-resistant hash functions. 

Of course, it might be possible to have interactive statistically-hiding 
collapse-binding commitments. In fact, our construction can be easily trans- 
formed into a two-round scheme by letting the recipient choose the public para- 
meters. This does not affect the collapsing property (because for that property we 
assume the recipient to be trusted), nor the statistical hiding property (because 
the proof of hiding did not make any assumptions about the distribution of the 
public parameters). 

Related work. Security definitions for quantum commitments were studied in 
a number of works: What we call the “sum-binding” definition occurred implic- 
itly and explicitly in different variants in [2,4,7,11]. Of these, [11] showed the 
impossibility of statistically satisfying that definition (thus breaking [2]). [7] gave 
a construction of a statistically hiding commitment based on quantum one-way 
permutations (their commitment sends quantum messages). [4] gives statistically 
secure commitments in the multi-prover setting. [3] generalizes the sum-binding 
definition for string commitments, arriving at a computational-binding defini- 


4 By unkeyed hash function, we mean a function that depends only on the security 
parameter. Such a function might be collision-resistant against uniform adversaries, 
but not against non-uniform ones. 
tion we call CDMS-binding. (Both sum-binding and CDMS-binding are implied 
by collapse-binding as we show in this paper.) [5] gives another definition of 
computational-binding (called Q-binding in [16]; see there for a discussion of 
the differences to collapse-binding commitments). They also show how to con- 
struct Q-binding commitments from sigma-protocols. (Both their assumptions 
and their security definition seem incomparable to ours; finding out how their 
definition relates to ours is an interesting open problem.) [18] gives a statistical 
binding definition of commitments sending quantum messages and shows that 
statistically binding, computationally hiding commitments (sending quantum 
messages) can be constructed from pseudorandom permutations (and thus from 
quantum one-way functions, if the results from [10] hold in the quantum set- 
ting, as is claimed, e.g., in [19]). [16] gave the collapse-binding definition that we 
achieve in this paper; they showed how to construct statistically hiding, collapse- 
binding commitments in the random oracle model. [1] showed that classical-style 
binding does not exclude that the adversary can open the commitment to any 
value he chooses. [16] generalized this by showing that this even holds for certain 
natural constructions based on collision-resistant hash functions. 

Organization. In Sect. 2, we give some mathematical preliminaries and crypto- 
graphic definitions. In Sect. 3, we recall the notions of collapse-binding commit- 
ments and collapsing hash functions, with suitable extensions to model public 
parameters and to allow for more refined concrete security statements. We also 
state some known or elementary facts about collapse-binding commitments and 
collapsing hash functions there. In Sect. 4 we show that the Merkle-Damgard 
construction allows us to get collapsing hash functions with unbounded input 
length from collapsing compression functions. In Sect. 5 we show how to con- 
struct collapsing hash functions from lossy functions (or from lattice assump- 
tions). Combined with existing results this gives us statistically hiding, collapse- 
binding commitments for unbounded messages, interactive and non-interactive. 
In Sect. 6 we show that collapse-binding implies the existing definitions of sum- 
binding and CDMS-binding. In the full version [15] we give proofs for getting 
concrete security bounds. Those proofs use the same techniques as the proofs in 
this paper, but are somewhat less readable due to additional calculations and 
indices. 

2 Preliminaries 

Given a function $f : X \to Y$, let $\mathrm{im}\,f = f(X)$ denote the image of f. 

Given a distribution D on a countable set X, let $\mathrm{supp}\,D$ denote the support 
of D, i.e., the set of all values that have non-zero probability. The statistical 
distance between two distributions or random variables X, Y with countable 
range is defined as $\frac{1}{2}\sum_a |\Pr[X = a] - \Pr[Y = a]|$. 

Let λ denote the empty word. 

We assume that all algorithms and parameters depend on an integer $\eta > 0$, 
the security parameter (unless a parameter is explicitly called “constant”). We 
will keep this dependence implicit (i.e., we write A(x) instead of $A(\eta, x)$ for an 
algorithm A, and $\ell$ instead of $\ell(\eta)$ for an integer parameter $\ell$). When calling an 
adversary (quantum-)polynomial-time, we mean that the runtime is polynomial 
in $\eta$. 

We do not specify whether our adversaries are uniform or non-uniform. (I.e., 
whether the adversary's code may depend in a noncomputable way on the 
security parameter.) All our results hold both in the uniform and in the non-uniform 
case. 

Definition 1 (Universal hash function). A universal hash function is a 
function family $h_r : X \to Y$ (with $r \in R$) such that for any $x, x' \in X$ with 
$x \ne x'$, we have $\Pr[h_r(x) = h_r(x') : r \leftarrow R] = 1/|Y|$. 

We define lossy functions, which are like lossy trapdoor functions [13], except 
that we do not require the existence of a trapdoor. 

Definition 2 (Lossy functions). A collection of $(\ell, k)$-lossy functions consists 
of a PPT algorithm $S_F$ and a polynomial-time computable deterministic function 
$F_s$ on $\{0,1\}^\ell$ and a message space $\mathcal{M}$ such that: 

- Existence of injective keys: There is a distribution $\mathcal{D}_{inj}$ such that for any 
$s \in \mathrm{supp}\,\mathcal{D}_{inj}$ we have that $F_s$ is injective. (We call such a key s injective.) 

- Existence of lossy keys: There is a distribution $\mathcal{D}_{lossy}$ such that for any $s \in 
\mathrm{supp}\,\mathcal{D}_{lossy}$ we have that $|\mathrm{im}\,F_s| \le 2^{\ell - k}$. (We call such a key s lossy.) 

- Hard to distinguish injective from lossy: For any quantum-polynomial-time 
adversary A, the advantage $|\Pr[A(s) = 1 : s \leftarrow \mathcal{D}_{inj}] - \Pr[A(s) = 1 : s \leftarrow 
\mathcal{D}_{lossy}]|$ is negligible. 

- Hard to distinguish lossy from $S_F$: For any quantum-polynomial-time adversary 
A, the advantage $|\Pr[A(s) = 1 : s \leftarrow \mathcal{D}_{lossy}] - \Pr[A(s) = 1 : s \leftarrow S_F]|$ is 
negligible. 

The parameter k is called the lossiness of $F_s$. 

This is a weakening of the definition of lossy trapdoor functions from [13]. Our 
definition does not require the existence of trapdoors, and also does not require 
that lossy or injective keys be efficiently sampleable. (We only require that 
keys that are indistinguishable from both lossy and injective keys can be sampled 
efficiently using $S_F$.) 

If $k/\ell \ge K$ for some constant K, and $\ell \in \omega(\log \eta)$, we say that the lossy 
function has lossiness rate K. 

Any “almost-always lossy trapdoor function” $(S_{\mathrm{ltdf}}, F_{\mathrm{ltdf}}, F^{-1}_{\mathrm{ltdf}})$ in the sense of [13] is a lossy function in the sense of Definition 2.$^5$

5 To see that, let $\mathcal{D}_{inj}$ be the distribution of the first output (i.e., discarding the trapdoor) of the injective key sampler $S_{\mathrm{ltdf}}(\eta, 1)$ conditioned on outputting an injective key. Let $\mathcal{D}_{lossy}$ be the distribution of the first output of the lossy key sampler $S_{\mathrm{ltdf}}(\eta, 0)$ conditioned on outputting a lossy key. Let $S_F$ return the first output of $S_{\mathrm{ltdf}}(\eta, 0)$ (or $S_{\mathrm{ltdf}}(\eta, 1)$). Let $F_k(x) := F_{\mathrm{ltdf}}(k, x)$. For those choices, it is easy to see that $(S_F, F_k)$ satisfies Definition 2.
[13] shows that for any constant $K < 1$, there is an almost-always lossy trapdoor function with lossiness rate $K$ based on the LWE assumption for suitable parameters. [13] further shows that almost-always $(\ell,k)$-lossy trapdoor functions with lossiness rate $K$ exist if SIVP and GapSVP are hard for quantum algorithms to approximate within $O(d^c)$ factors, where $c = 2 + 2/(1-K) + \delta$ for any desired $\delta > 0$. The same thus holds for lossy functions in our sense. Furthermore, the construction from [13] has keys that are indistinguishable from uniformly random, hence we can choose $S_F$ to simply return $s \leftarrow \{0,1\}^{\ell_s}$ for suitable $\ell_s$.$^6$

3 Collapse-Binding Commitments and Collapsing Hash Functions

We reproduce the relevant results from [16] here. Note we have extended the definitions in two ways: We include a public parameter $k \leftarrow P$. And we give additional equivalent definitions for a more refined treatment of the concrete security of commitments.

Commitments. A commitment scheme consists of three algorithms $(P, \mathrm{com}, \mathrm{verify})$. $k \leftarrow P$ chooses the public parameter. $(c,u) \leftarrow \mathrm{com}(k,m)$ produces a commitment $c$ for a message $m$, and also returns opening information $u$ to be revealed later. $ok \leftarrow \mathrm{verify}(k,c,m,u)$ checks whether the opening information $u$ is correct for a given commitment $c$ and message $m$ (if so, $ok = 1$, else $ok = 0$).

Definition 3 (Collapse-binding). For algorithms $(A,B)$, consider the following games:

$\mathrm{Game}_1$: $k \leftarrow P$, $(S,M,U,c) \leftarrow A(k)$, $m \leftarrow \mathcal{M}(M)$, $b \leftarrow B(S,M,U)$
$\mathrm{Game}_2$: $k \leftarrow P$, $(S,M,U,c) \leftarrow A(k)$, $b \leftarrow B(S,M,U)$

Here $S, M, U$ are quantum registers. $\mathcal{M}(M)$ is a measurement of $M$ in the computational basis.

We call an adversary $(A,B)$ c.b.-valid for verify iff for all $k$, $\Pr[\mathrm{verify}(k,c,m,u) = 1] = 1$ when we run $(S,M,U,c) \leftarrow A(k)$ and measure $M$ in the computational basis as $m$, and $U$ in the computational basis as $u$.

A commitment scheme is collapse-binding iff for any quantum-polynomial-time adversary $(A,B)$ that is c.b.-valid for verify, $|\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ is negligible.

6 This is not explicitly mentioned in [13], but can be seen as follows: [13] constructs a matrix encryption scheme whose ciphertexts are pairs of matrices $(A, C')$ over $\mathbb{Z}_q$ for a suitable prime $q$. We can see those ciphertexts as a tuple $s' \in \mathbb{Z}_q^n$ for some $n$. The proof of Lemma 6.2 in [13, full version] shows that the matrix encryption scheme produces ciphertexts that are indistinguishable from uniformly random $s' \leftarrow \mathbb{Z}_q^n$.

The lattice-based lossy trapdoor function from [13] uses a ciphertext of that lossy encryption scheme as its key. Thus a key is indistinguishable from $s' \leftarrow \mathbb{Z}_q^n$. Hence we can choose $S_F$ to simply return a uniformly random $s' \leftarrow \mathbb{Z}_q^n$.

To get an $S_F$ that returns $s \leftarrow \{0,1\}^{\ell_s}$ instead, we let $S_F$ choose $s \in \{0, \dots, 2^\ell - 1\}^n$ and set $s'_i := s_i \bmod q$. For sufficiently large $\ell$, this changes the distribution of $s'$ only by a negligible amount. Then $s$ can be encoded as an $\ell_s$-bitstring with $\ell_s := n\ell$. (Since this way of sampling $s'_i$ is “oblivious”, i.e., given $s'_i$ we can efficiently find randomness $s_i$ that leads to that $s'_i$, the security of the lossy function is not affected by outputting $s$ as the key instead of $s'$.)

The only difference to the definition from [16] is that we have introduced 
a public parameter k chosen by P. The proofs in [16] are not affected by this 
change. 

For stating concrete security results (i.e., with more specific claims about the runtimes and advantages of adversaries than “polynomial-time” and “negligible”), we could simply call $|\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ the advantage of the adversary $(A,B)$. However, we find that we get stronger results if we directly specify the advantage of an adversary that attacks $t$ commitments simultaneously.$^7$ This leads to the following definition of advantage. (A reader only interested in asymptotic results may ignore this definition. The main body of this paper will provide statements and proofs with respect to the simpler asymptotic definitions. Concrete security proofs are given in the full version [15].)

Definition 4 (Collapse-binding – concrete security). For algorithms $(A,B)$, consider the following games:

$\mathrm{Game}_1$: $k \leftarrow P$, $(S, M_1, \dots, M_t, U_1, \dots, U_t, c_1, \dots, c_t) \leftarrow A(k)$, $m_1 \leftarrow \mathcal{M}(M_1), \dots, m_t \leftarrow \mathcal{M}(M_t)$, $b \leftarrow B(S, M_1, \dots, M_t, U_1, \dots, U_t)$
$\mathrm{Game}_2$: $k \leftarrow P$, $(S, M_1, \dots, M_t, U_1, \dots, U_t, c_1, \dots, c_t) \leftarrow A(k)$, $b \leftarrow B(S, M_1, \dots, M_t, U_1, \dots, U_t)$

Here $S, M_1, \dots, M_t, U_1, \dots, U_t$ are quantum registers. $\mathcal{M}(M_i)$ is a measurement of $M_i$ in the computational basis.

We call an adversary $(A,B)$ $t$-c.b.-valid for verify iff for all $k$, $\Pr[\forall i.\ \mathrm{verify}(k, c_i, m_i, u_i) = 1] = 1$ when we run $(S, M_1, \dots, M_t, U_1, \dots, U_t, c_1, \dots, c_t) \leftarrow A(k)$ and measure all $M_i$ in the computational basis as $m_i$, and all $U_i$ in the computational basis as $u_i$.

For any adversary $(A,B)$, we call $|\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ the collapse-binding-advantage of $(A,B)$ against $(P, \mathrm{com}, \mathrm{verify})$.

7 We could simply analyze all schemes for adversaries that attack a single commit- 
ment at a time, and then invoke the parallel composition theorem from [16] to get 
the advantage when attacking t commitments. That theorem will then introduce a 
factor t in the advantage. ([16] states the theorem without concrete security bounds, 
but they are easily extracted from the proof.) In contrast, a direct analysis for t 
commitments may give better bounds, since the advantages we get in this paper do 
not depend on t. 
Lemma 5. A commitment scheme $(P, \mathrm{com}, \mathrm{verify})$ is collapse-binding iff for any polynomially-bounded $t$, and any quantum-polynomial-time adversary $(A,B)$ that is $t$-c.b.-valid for verify, the collapse-binding-advantage of $(A,B)$ against $(P, \mathrm{com}, \mathrm{verify})$ is negligible.

This follows from the parallel composition theorem from [16]. 

In [16], two different definitions of collapse-binding were given. The second definition does not require an adversary to be valid (i.e., to output only valid openings) but instead measures whether the adversary's openings are valid. We restate the equivalence here in the public parameter setting; the proof is essentially unchanged.

Lemma 6 (Collapse-binding, alternative characterization). For a commitment scheme $(P, \mathrm{com}, \mathrm{verify})$, and for algorithms $(A,B)$, consider the following games:

$\mathrm{Game}_1$: $k \leftarrow P$, $(S,M,U,c) \leftarrow A(k)$, $ok \leftarrow V_c(M,U)$, $m \leftarrow \mathcal{M}_{ok}(M)$, $b \leftarrow B(S,M,U)$
$\mathrm{Game}_2$: $k \leftarrow P$, $(S,M,U,c) \leftarrow A(k)$, $ok \leftarrow V_c(M,U)$, $b \leftarrow B(S,M,U)$

Here $V_c$ is a measurement whether $M, U$ contains a valid opening. Formally $V_c$ is defined through the projector $\sum_{m,u\,:\,\mathrm{verify}(k,c,m,u) = 1} |m\rangle\langle m| \otimes |u\rangle\langle u|$. $\mathcal{M}_{ok}$ is a measurement of $M$ in the computational basis if $ok = 1$, and does nothing if $ok = 0$ (i.e., it sets $m := \bot$ and does not touch the register $M$).

$(P, \mathrm{com}, \mathrm{verify})$ is collapse-binding iff for all polynomial-time adversaries $(A,B)$, $|\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ is negligible.

Hash functions. A hash function is a pair $(P, H_k)$ of a parameter sampler $P$ and a function $H_k : X \to Y$ for some domain $X$ and range $Y$. $H_k$ is parametric in the public parameter $k \leftarrow P$. (Typically, $Y$ consists of fixed length bitstrings, and $X$ consists of fixed length bitstrings or $\{0,1\}^*$.)

Definition 7 (Collapsing). For algorithms $A, B$, consider the following games:

$\mathrm{Game}_1$: $k \leftarrow P$, $(S,M,h) \leftarrow A(k)$, $m \leftarrow \mathcal{M}(M)$, $b \leftarrow B(S,M)$
$\mathrm{Game}_2$: $k \leftarrow P$, $(S,M,h) \leftarrow A(k)$, $b \leftarrow B(S,M)$

Here $S, M$ are quantum registers. $\mathcal{M}(M)$ is a measurement of $M$ in the computational basis.

For a family of sets $\mathsf{M}_k$ we call an adversary $(A,B)$ valid on $\mathsf{M}_k$ for $H_k$ iff for all $k$, $\Pr[H_k(m) = h \wedge m \in \mathsf{M}_k] = 1$ when we run $(S,M,h) \leftarrow A(k)$ and measure $M$ in the computational basis as $m$. If we omit “on $\mathsf{M}_k$”, we assume $\mathsf{M}_k$ to be the domain of $H_k$.

A function $H$ is collapsing (on $\mathsf{M}_k$) iff for any quantum-polynomial-time adversary $(A,B)$ that is valid for $H$ (on $\mathsf{M}_k$), $|\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ is negligible.
In contrast to [16] we have added the public parameter $k$. Furthermore, we have extended the definition to allow specifying the set $\mathsf{M}_k$ of messages the adversary is allowed to use. This extra expressiveness will be needed for stating some intermediate results.

Analogously to the case of commitments, we give a definition of advantage for a $t$-session adversary to get more precise results.

Definition 8 (Collapsing – concrete security). For algorithms $A, B$, and an integer $t$, consider the following games:

$\mathrm{Game}_1$: $k \leftarrow P$, $(S, M_1, \dots, M_t, h_1, \dots, h_t) \leftarrow A(k)$, $m_1 \leftarrow \mathcal{M}(M_1), \dots, m_t \leftarrow \mathcal{M}(M_t)$, $b \leftarrow B(S, M_1, \dots, M_t)$
$\mathrm{Game}_2$: $k \leftarrow P$, $(S, M_1, \dots, M_t, h_1, \dots, h_t) \leftarrow A(k)$, $b \leftarrow B(S, M_1, \dots, M_t)$

Here $S, M_1, \dots, M_t$ are quantum registers. $\mathcal{M}(M_i)$ is a measurement of $M_i$ in the computational basis.

For a family of sets $\mathsf{M}_k$, we call an adversary $(A,B)$ $t$-valid on $\mathsf{M}_k$ for $H_k$ iff for all $k$, $\Pr[\forall i.\ H_k(m_i) = h_i \wedge m_i \in \mathsf{M}_k] = 1$ when we run $(S, M_1, \dots, M_t, h_1, \dots, h_t) \leftarrow A(k)$ and measure all $M_i$ in the computational basis as $m_i$. If we omit “on $\mathsf{M}_k$”, we assume $\mathsf{M}_k$ to be the domain of $H_k$.

We call $\mathrm{adv} := |\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|$ the collapsing-advantage of $(A,B)$ against $(P, H_k)$.

Lemma 9. A hash function $(P, H_k)$ is collapsing (on $\mathsf{M}_k$) iff for any polynomially-bounded $t$, and any quantum-polynomial-time adversary $(A,B)$ that is $t$-valid for $H_k$ (on $\mathsf{M}_k$), the collapsing-advantage of $(A,B)$ against $(P, H_k)$ is negligible.

This follows from the parallel composition theorem for hash functions 
from [16]. 

Constructions of commitments. In [16] it was shown that the statistically hiding commitment from Halevi and Micali [9] (which is almost identical to the independently and earlier discovered commitment by Damgård, Pedersen, and Pfitzmann [6]) is collapse-binding, assuming a collapsing hash function. We restate their results with respect to public parameters; the proofs are essentially unchanged.

Definition 10 (Unbounded Halevi-Micali commitment [9]). Let $(P, H_k)$ with $H_k : \{0,1\}^* \to \{0,1\}^\ell$ be a hash function. Let $L := 6\ell + 4$. Let $h_r : \{0,1\}^L \to \{0,1\}^\ell$ with $r \in \{0,1\}^{\ell_r}$ be a universal hash function.

We define the unbounded Halevi-Micali commitment $(P, \mathrm{com}_{HMu}, \mathrm{verify}_{HMu})$ as:

- $P$ is the same parameter sampler as in $(P, H_k)$.

- $\mathrm{com}_{HMu}(k, m)$: Pick $r \in \{0,1\}^{\ell_r}$ and $u \in \{0,1\}^L$ uniformly at random, conditioned on $h_r(u) = H_k(m)$.$^8$ Compute $h := H_k(u)$. Let $c := (h, r)$. Return commitment $c$ and opening information $u$.

- $\mathrm{verify}_{HMu}(k, c, m, u)$ with $c = (h, r)$: Check whether $h_r(u) = H_k(m)$ and $h = H_k(u)$. If so, return 1.
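Definition 10 as a runnable Python example. This is added, constructed code, not from the paper or from [9]: SHA-256 over $k\|m$ stands in for the collapsing hash $H_k$ (so $\ell = 256$ and $L = 6\ell + 4 = 1540$), $h_r$ is the family of all GF(2)-linear maps $\{0,1\}^L \to \{0,1\}^\ell$ given by the rows of $r$, and the affine variant $h'_{(r,t)}(u) = t \oplus h_r(u)$ from footnote 8 is used so that sampling $u$ conditioned on $h'_{(r,t)}(u) = H_k(m)$ is trivial: sample $r$ and $u$ first and solve for $t$. The names `commit`, `verify`, `lin_hash`, `roundtrip` and the 32-byte parameter are the example's own assumptions.

```python
import hashlib
import secrets

L_HASH = 256                   # l: output length of H_k in bits (SHA-256 stands in for H_k)
L_OPEN = 6 * L_HASH + 4        # L := 6l + 4, the length of the opening u (Definition 10)
OPEN_BYTES = (L_OPEN + 7) // 8


def H(k: bytes, m: bytes) -> int:
    """Stand-in for the collapsing hash H_k (constructed: SHA-256 over k || m)."""
    return int.from_bytes(hashlib.sha256(k + m).digest(), "big")


def lin_hash(rows: list, x: int) -> int:
    """h_r(x) for the GF(2)-linear family: output bit i is the parity of <rows[i], x>.
    Over all row matrices r this family is universal in the sense of Definition 1."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out


def sample_params() -> bytes:
    """P: here the public parameter is just the key of H_k (constructed: 32 random bytes)."""
    return secrets.token_bytes(32)


def commit(k: bytes, m: bytes):
    """com_HMu(k, m) with h'_{(r,t)}(u) = t xor h_r(u) (footnote 8): r and u are sampled
    uniformly, and t is then forced by the condition h'_{(r,t)}(u) = H_k(m)."""
    rows = [secrets.randbits(L_OPEN) for _ in range(L_HASH)]   # r: l rows of L bits
    u = secrets.randbits(L_OPEN)                                # u <- {0,1}^L
    t = H(k, m) ^ lin_hash(rows, u)                             # h'_{(r,t)}(u) = H_k(m)
    h = H(k, u.to_bytes(OPEN_BYTES, "big"))                     # h := H_k(u)
    return (h, (rows, t)), u                                    # c := (h, (r, t)), opening u


def verify(k: bytes, c, m: bytes, u: int) -> int:
    """verify_HMu(k, c, m, u): both conditions of Definition 10 must hold."""
    h, (rows, t) = c
    if not 0 <= u < 2 ** L_OPEN:
        return 0
    cond_hash = (t ^ lin_hash(rows, u)) == H(k, m)
    cond_open = H(k, u.to_bytes(OPEN_BYTES, "big")) == h
    return int(cond_hash and cond_open)


def roundtrip(m: bytes, m_other: bytes) -> tuple:
    """(verify on the committed message, verify of the same opening on another message)."""
    k = sample_params()
    c, u = commit(k, m)
    return verify(k, c, m, u), verify(k, c, m_other, u)
```

Opening the commitment to a different message fails because the first check pins $H_k(m)$ through $t \oplus h_r(u)$, and changing $u$ fails the second check because $h = H_k(u)$ is part of the commitment; the binding argument of Theorem 12 is that an adversary who could keep a superposition of valid openings would contradict the collapsing property of $H_k$.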

We define the statistical hiding property in the public parameter model. We 
use an adaptive definition where the committed message may depend on the 
public parameter. 

Definition 11 (Statistically hiding). Fix a commitment $(P, \mathrm{com}, \mathrm{verify})$ and an adversary $(A,B)$. Let

$p_b := \Pr[b' = 1 : k \leftarrow P,\ (S, m_0, m_1) \leftarrow A(k),\ (c,u) \leftarrow \mathrm{com}(k, m_b),\ b' \leftarrow B(S, c)].$

We call $|p_0 - p_1|$ the hiding-advantage of $(A,B)$. We call $(P, \mathrm{com}, \mathrm{verify})$ statistically hiding iff for any (possibly unbounded) $(A,B)$, the hiding-advantage is negligible.

Theorem 12 (Security of the unbounded Halevi-Micali commitment). $(P, \mathrm{com}_{HMu}, \mathrm{verify}_{HMu})$ is statistically hiding and collapse-binding.

Miscellaneous facts. These simple facts will be useful throughout the paper. 

Lemma 13. Let $\mathsf{M}_k$ be a family of sets. Assume that $\Pr[H_k \text{ is not injective on } \mathsf{M}_k : k \leftarrow P]$ is negligible. Then $(P, H_k)$ is collapsing on $\mathsf{M}_k$.

Lemma 14. Fix hash functions $(P, f_k)$ and $(P, g_k)$ with the same $P$ and with polynomial-time computable $f_k$. If $(P, f_k)$ is collapsing and $(P, g_k)$ is collapsing on $\operatorname{im} f_k$, then $(P, g_k \circ f_k)$ is collapsing.

Lemma 15. If $P_1$ and $P_2$ are computationally indistinguishable, and $(P_1, H_k)$ is collapsing, then $(P_2, H_k)$ is collapsing.

4 Security of Merkle-Damgård Hashes

For this section, fix a hash function $(P, H_k)$ with $H_k : \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ and $\ell_{in} > \ell_{out}$. Let $\ell_{block} := \ell_{in} - \ell_{out}$. Fix some bitstring $iv \in \{0,1\}^{\ell_{out}}$ (may depend on the security parameter). Fix a message space $M$ with $|M| \ge 2$ (e.g., $M = \{0,1\}^*$). Fix a function $\mathrm{pad} : M \to (\{0,1\}^{\ell_{block}})^*$.

Definition 16 (Iterated hash). We define the iterated hash $\mathrm{IH}_k : (\{0,1\}^{\ell_{block}})^* \to \{0,1\}^{\ell_{out}}$ as $\mathrm{IH}_k(\lambda) := iv$ for the empty word $\lambda$ and

$\mathrm{IH}_k(m\|m') := H_k(\mathrm{IH}_k(m)\|m')$ for $m \in (\{0,1\}^{\ell_{block}})^*$ and $m' \in \{0,1\}^{\ell_{block}}$.

8 In general, this can be computationally hard. However, should $h_r$ be a universal hash function where this is hard, one can replace $h_r$ by $h'_{(r,t)}$ defined as $h'_{(r,t)}(x) := t \oplus h_r(x)$. This function is still a universal hash function, and sampling $r, t, u$ is easy.
Definition 17 (Merkle-Damgård). We call pad a Merkle-Damgård padding iff pad is injective and for any $x, y \in M$ with $x \neq y$, we have that $\mathrm{pad}(x)$ is not a suffix of $\mathrm{pad}(y)$ (in other words, $\mathrm{pad}(M)$ is a suffix code).$^9$

We define the Merkle-Damgård construction $\mathrm{MD}_k : M \to \{0,1\}^{\ell_{out}}$ by $\mathrm{MD}_k := \mathrm{IH}_k \circ \mathrm{pad}$.

Note that $\mathrm{IH}_k$ and $\mathrm{MD}_k$ depend on the choice of $H_k$, $iv$, and pad, but we leave this dependence implicit for brevity.

Lemma 18 (Security of iterated hash). Let $M \subseteq (\{0,1\}^{\ell_{block}})^*$ be a suffix code with $|M| \ge 2$. If $(P, H_k)$ is a polynomial-time computable collapsing hash function, then $(P, \mathrm{IH}_k)$ is collapsing on $M$.

We sketch the idea of the proof: What we have to show is that, if the adversary classically outputs $\mathrm{IH}_k(m)$, we can measure $m$ on register $M$ without the adversary noticing. We show this by successively measuring more and more information about the message $m$ on $M$, each time noting that the additional measurement is not noticed by the adversary. First, measuring $\mathrm{IH}_k(m)$ does not disturb $M$ because $\mathrm{IH}_k(m)$ is already known. Note that $\mathrm{IH}_k(m) = H_k(\mathrm{IH}_k(m')\|\bar m)$ for $m =: m'\|\bar m$ (where $\bar m$ denotes the last block of $m$). Thus, we have measured the image of $\mathrm{IH}_k(m')\|\bar m$ under $H_k$. Since $H_k$ is collapsing, we know that, once we have measured the hash of a value, we can also measure that value itself without being noticed. Thus we can measure $\mathrm{IH}_k(m')\|\bar m$ (this value will be called $\mathrm{step}_0(m)$ in the full proof). Now we use the same argument again: $\mathrm{IH}_k(m') = H_k(\mathrm{IH}_k(m'')\|\bar m')$ for $m' =: m''\|\bar m'$. Since we know $\mathrm{IH}_k(m')$ classically, we can measure $\mathrm{IH}_k(m'')\|\bar m'$ (this value will be called $\mathrm{step}_1(m)$). Now we already have measured the two last blocks $\bar m'\|\bar m$ of $m$ without being noticed. We can continue this way, until we have all of $m$. Since in each step, the adversary did not notice the measurement, he will not notice if we measure all of $m$.

There is one hidden problem in the above argument: We claimed that given $\mathrm{IH}_k(m')$, we have that $\mathrm{IH}_k(m') = H_k(\mathrm{IH}_k(m'')\|\bar m')$. This is only correct if $m'$ is not empty! So, the above measurement procedure will implicitly measure whether $m'$ is empty (and similarly for the values $m''$ etc. that are measured afterwards). Such a measurement might disturb the state. Here the assumption comes in that $M$ is a suffix code. Namely, since we know $\bar m$ such that $m = m'\|\bar m$, we can tell whether $\bar m \in M$ (then $m'$ must be empty) or $\bar m \notin M$ (then $m'$ cannot be empty). Thus we already know whether $m'$ is empty, and measuring this information will not disturb the state. Similarly, we deduce from $\bar m'\|\bar m$ whether $m''$ is empty, etc.

We now give the formal proof: 


9 Commonly, stronger conditions are placed on pad, see, e.g., [8, Def. 8.7]. However, “suffix-code” and “injective” turn out to be sufficient. For example, the padding used in SHA-256 [12] is a Merkle-Damgård padding for $M = \{0,1\}^{\le 2^{64}-1}$ according to our definition.
Proof of Lemma 18. Assume a polynomial-time adversary $(A,B)$ that is valid for $\mathrm{IH}_k$ on $M$. Let $\mathrm{Game}_1$ and $\mathrm{Game}_2$ be the games from Definition 7 for adversary $(A,B)$. Let

$\varepsilon := |\Pr[b = 1 : \mathrm{Game}_1] - \Pr[b = 1 : \mathrm{Game}_2]|.$ (1)

We will need to show that $\varepsilon$ is negligible.

We have $\lambda \notin M$. ($\lambda$ denotes the empty word.) Otherwise, we would have $M = \{\lambda\}$ since $M$ is a suffix code, which contradicts $|M| \ge 2$.

For a multi-block message $m \in (\{0,1\}^{\ell_{block}})^*$, let $|m|$ denote the number of $\ell_{block}$-bit blocks in $m$. (I.e., $|m|$ is the bitlength of $m$ divided by $\ell_{block}$.) Let $m_i$ denote the $i$-th block of $m$, and let $m_{-i}$ denote the $i$-th block from the end (i.e., $m_{-i} = m_{|m|-i+1}$). Let $m_{\ge -i}$ denote all the blocks in $m$ starting from $m_{-i}$ (i.e., $m_{\ge -i}$ consists of the last $i$ blocks of $m$). Let $m_{<-i}$ denote the blocks before $m_{-i}$. (I.e., $m = m_{<-i}\|m_{\ge -i}$ for $i \le |m|$.)

Let $B$ be a polynomial upper bound on the number of blocks in the message $m$ output by $A$ on register $M$.

For a function $f$, let $\mathcal{M}_f(M)$ denote a measurement that, given a register $M$ that contains values $|m\rangle$ in superposition, measures $f(m)$, but without measuring more information than that. Formally, $\mathcal{M}_f$ is a projective measurement consisting of projectors $P_y$ ($y \in \operatorname{im} f$) with $P_y = \sum_{m : f(m) = y} |m\rangle\langle m|$.

For $m \in M$, we define

$\mathrm{partial}_i(m) := (\bot, m)$ if $|m| \le i$, and $\mathrm{partial}_i(m) := (\mathrm{IH}_k(m_{<-i}),\ m_{\ge -i})$ if $|m| > i$.

(The function $\mathrm{partial}_i$ also depends on $k$, but we leave that dependence implicit.) Intuitively, $\mathrm{partial}_i(m)$ represents a partial evaluation of $\mathrm{IH}_k(m)$, with the last $i$ blocks not yet processed.

Note that $\mathrm{partial}_i(m)$ always contains enough information to compute $\mathrm{IH}_k(m)$. And the larger $i$ is, the more about $m$ is revealed. In fact, learning $\mathrm{partial}_0(m)$ is equivalent to learning $\mathrm{IH}_k(m)$, and learning $\mathrm{partial}_B(m)$ is equivalent to learning $m$, as the following easy to verify facts show:

Fact 1 $\mathrm{partial}_0(m) = (\mathrm{IH}_k(m), \lambda)$ for all $m \in M$.

Fact 2 $\mathrm{partial}_B(m) = (\bot, m)$ for all $m \in M$ with $|m| \le B$.

We will need one additional auxiliary function $\mathrm{step}_i$, defined by $\mathrm{step}_i(m) := \mathrm{IH}_k(m_{<-(i+1)})\|m_{-(i+1)}$ for $|m| \ge i+1$. (And $\mathrm{step}_i(m) := \bot$ if $|m| \le i$.) Intuitively, $\mathrm{step}_i(m)$ is the input to the last call of $H_k$ when computing $\mathrm{partial}_i(m)$. The following facts are again easy to verify using the definitions of $\mathrm{partial}_i$, $\mathrm{step}_i$, and $\mathrm{IH}_k$:

Fact 3 If $\mathrm{partial}_i(m) = (h, s)$ and $h \neq \bot$, then $H_k(\mathrm{step}_i(m)) = h$.

Fact 4 From $(\mathrm{partial}_i(m), \mathrm{step}_i(m))$ one can compute $\mathrm{partial}_{i+1}(m)$ and vice versa. Formally: there are functions $f, g$ such that for all $m \in M$, $f(\mathrm{partial}_i(m), \mathrm{step}_i(m)) = \mathrm{partial}_{i+1}(m)$ and $g(\mathrm{partial}_{i+1}(m)) = (\mathrm{partial}_i(m), \mathrm{step}_i(m))$.
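The iterated hash and Merkle-Damgård padding (Definitions 16 and 17) together with $\mathrm{partial}_i$, $\mathrm{step}_i$ and Facts 1 to 4, as one added, runnable Python example. This is constructed code, not from the paper: SHA-256 over a fixed 768-bit input stands in for the compression function $H_k$ (so $\ell_{out} = 256$, $\ell_{block} = 512$), $iv$ is all-zero, `pad` is a SHA-256-style length padding (footnote 9), and the message space $M$ of Lemma 18 is taken to be $\operatorname{im}\mathrm{pad}$. The names `H`, `IH`, `pad`, `in_M`, `MD`, `is_suffix_code`, `partial`, `step`, `f`, `g`, `check_facts` are the example's own. The thing to look at is `f`: turning $\mathrm{partial}_i(m)$ into $\mathrm{partial}_{i+1}(m)$ has to decide whether $m_{<-(i+1)}$ is empty, and the only way to decide it from the known suffix is the suffix-code test, which is exactly the point the proof sketch makes.

```python
import hashlib

L_OUT_B, L_BLOCK_B = 32, 64   # l_out = 256 bits, l_block = 512 bits, so l_in = 768 bits
IV = bytes(L_OUT_B)            # iv := 0^{l_out} (constructed choice)
BOTTOM = None                  # stands for the symbol "bottom" in partial_i / step_i


def H(x: bytes) -> bytes:
    """Stand-in compression function H_k: {0,1}^768 -> {0,1}^256 (constructed: SHA-256 of
    the fixed-length input; Lemma 18 assumes any collapsing H_k here)."""
    assert len(x) == L_OUT_B + L_BLOCK_B
    return hashlib.sha256(x).digest()


def nblocks(m: bytes) -> int:
    """|m|: the number of l_block-bit blocks in a multi-block message."""
    assert len(m) % L_BLOCK_B == 0
    return len(m) // L_BLOCK_B


def IH(m: bytes) -> bytes:
    """Definition 16: IH(lambda) := iv and IH(m || m') := H(IH(m) || m')."""
    h = IV
    for i in range(nblocks(m)):
        h = H(h + m[i * L_BLOCK_B:(i + 1) * L_BLOCK_B])
    return h


def pad(m: bytes) -> bytes:
    """SHA-256 style padding (footnote 9): 0x80, zero fill, 64-bit big-endian bit length."""
    p = m + b"\x80"
    p += bytes((-len(p) - 8) % L_BLOCK_B)
    return p + (8 * len(m)).to_bytes(8, "big")


def in_M(x: bytes) -> bool:
    """Membership in M := im pad, i.e. 'is x a validly padded message?'. Since im pad is a
    suffix code, this also decides whether a known suffix of some pad(m) is all of pad(m)."""
    if len(x) == 0 or len(x) % L_BLOCK_B:
        return False
    n = int.from_bytes(x[-8:], "big")
    return n % 8 == 0 and n // 8 + 9 <= len(x) and pad(x[:n // 8]) == x


def MD(m: bytes) -> bytes:
    """Definition 17: MD := IH o pad."""
    return IH(pad(m))


def is_suffix_code(msgs, padfn=pad) -> bool:
    """Definition 17 on a finite sample: padfn injective, and no padfn(x) a suffix of padfn(y)."""
    padded = [padfn(x) for x in msgs]
    if len(set(padded)) != len(padded):
        return False
    return not any(i != j and py.endswith(px)
                   for i, px in enumerate(padded) for j, py in enumerate(padded))


def partial(i: int, m: bytes):
    """partial_i(m) := (bottom, m) if |m| <= i, else (IH(m_{<-i}), m_{>=-i})."""
    n = nblocks(m)
    if n <= i:
        return (BOTTOM, m)
    cut = (n - i) * L_BLOCK_B
    return (IH(m[:cut]), m[cut:])


def step(i: int, m: bytes):
    """step_i(m) := IH(m_{<-(i+1)}) || m_{-(i+1)} if |m| >= i+1, else bottom."""
    n = nblocks(m)
    if n <= i:
        return BOTTOM
    cut = (n - i - 1) * L_BLOCK_B
    return IH(m[:cut]) + m[cut:cut + L_BLOCK_B]


def f(p, s):
    """Fact 4: (partial_i(m), step_i(m)) -> partial_{i+1}(m). The one non-local question,
    'is m_{<-(i+1)} empty?', is decided by the suffix-code property through in_M."""
    h, rest = p
    if h is BOTTOM:                 # |m| <= i, hence also |m| <= i+1
        return (BOTTOM, rest)
    longer = s[L_OUT_B:] + rest     # m_{>=-(i+1)} = m_{-(i+1)} || m_{>=-i}
    if in_M(longer):                # then longer = m, i.e. |m| = i+1
        return (BOTTOM, longer)
    return (s[:L_OUT_B], longer)    # IH(m_{<-(i+1)}) is the first part of step_i(m)


def g(i: int, p):
    """Fact 4, converse: partial_{i+1}(m) -> (partial_i(m), step_i(m))."""
    h, rest = p
    if h is BOTTOM:                 # rest = m with |m| <= i+1: recompute directly
        return (partial(i, rest), step(i, rest))
    first, tail = rest[:L_BLOCK_B], rest[L_BLOCK_B:]
    return ((H(h + first), tail), h + first)


def check_facts(msg: bytes, B: int) -> bool:
    """Facts 1-4 for m := pad(msg) and all i < B (B must bound |m|)."""
    m = pad(msg)
    ok = partial(0, m) == (IH(m), b"") and partial(B, m) == (BOTTOM, m)        # Facts 1, 2
    for i in range(B):
        p, s = partial(i, m), step(i, m)
        ok &= p[0] is BOTTOM or H(s) == p[0]                                  # Fact 3
        ok &= f(p, s) == partial(i + 1, m) and g(i, partial(i + 1, m)) == (p, s)  # Fact 4
    return ok
```

A padding that merely zero-fills to a block boundary fails `is_suffix_code` already on injectivity (`b"a"` and `b"a\x00"` pad to the same block), which is why Definition 17 asks for more than "pad to a multiple of $\ell_{block}$".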
In a sense, $\mathrm{partial}_i(m)$ interpolates between the knowledge of only $\mathrm{IH}_k(m)$ (case $i = 0$), and full knowledge of $m$ (case $i = B$). (Cf. Facts 1, 2.) We make this more formal by defining the following hybrid game for $i = 0, \dots, B$:

$\mathrm{Game}^{hyb}_i$: $k \leftarrow P$, $(S, M, h) \leftarrow A(k)$, $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_i}(M)$, $b \leftarrow B(S, M)$.

(Here $\mathcal{M}_{\mathrm{partial}_i}$ is $\mathcal{M}_f$ as defined above with $f := \mathrm{partial}_i$.)

Consider $\mathrm{Game}^{hyb}_0$. By assumption, $(A,B)$ is valid for $\mathrm{IH}_k$ on $M$, so we have that the register $M$ contains superpositions of states $|m\rangle$ with $\mathrm{IH}_k(m) = h$ and $m \in M$. By Fact 1, this implies that the measurement $\mathcal{M}_{\mathrm{partial}_0}(M)$ will always yield the outcome $(h', s) = (h, \lambda)$. Hence the measurement $\mathcal{M}_{\mathrm{partial}_0}(M)$ has a deterministic outcome. Thus, the probability of $b = 1$ in $\mathrm{Game}^{hyb}_0$ does not change if we omit the measurement $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_0}(M)$. Thus

$\Pr[b = 1 : \mathrm{Game}^{hyb}_0] = \Pr[b = 1 : \mathrm{Game}_2].$ (2)

Consider $\mathrm{Game}^{hyb}_B$. By assumption, $A$ outputs only states on $M$ which are superpositions of $|m\rangle$ with $m \in M$ and $|m| \le B$. Thus, by Fact 2, $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_B}(M)$ is a complete measurement in the computational basis. Hence

$\Pr[b = 1 : \mathrm{Game}^{hyb}_B] = \Pr[b = 1 : \mathrm{Game}_1].$ (3)

From (1, 2, 3), we get

$|\Pr[b = 1 : \mathrm{Game}^{hyb}_B] - \Pr[b = 1 : \mathrm{Game}^{hyb}_0]| = \varepsilon.$ (4)

For $i = 0, \dots, B$ we now define an adversary $(A^*_i, B^*_i)$ against $(P, H_k)$. Algorithm $A^*_i(k)$ runs:

- $(S^*, M^*, h^*) \leftarrow A(k)$.

- $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_i}(M^*)$.

- Initialize $M$ with $|0^{\ell_{in}}\rangle$.

- If $h' \neq \bot$:

• Apply $U_{\mathrm{step}_i}$ to $M^*, M$.

• $h := h'$.

- If $h' = \bot$:

• Let $h := H_k(0^{\ell_{in}})$.

- Let $S := (S^*, M^*, h', i)$. (That is, all those registers and classical values are combined into a single register $S$.)

- Return $(S, M, h)$.

Here $U_{\mathrm{step}_i}$ refers to the unitary transformation $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus \mathrm{step}_i(x)\rangle$. See the left dashed box in Fig. 2 for a circuit-representation of $A^*_i$.
Algorithm $B^*_i(S, M)$ runs:

- Let $(S^*, M^*, h', i) := S$.

- If $h' \neq \bot$: apply $U_{\mathrm{step}_i}$ to $M^*, M$.

- Run $b \leftarrow B(S^*, M^*)$.

- Return $b$.

See the left dashed box in Fig. 2 for a circuit-representation of $B^*_i$.


[Fig. 2 (circuit diagram of $A^*_i$ and $B^*_i$) is not reproduced in this text.]

Fig. 2. The adversary $(A^*_i, B^*_i)$ in games $\mathrm{Game}^i_1$ and $\mathrm{Game}^i_2$. Depicted is $\mathrm{Game}^i_1$; $\mathrm{Game}^i_2$ is derived by omitting the measurement $\mathcal{M}$ in the middle.


Claim 1. $(A^*_i, B^*_i)$ is valid.

We show this claim: After the measurement $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_i}(M^*)$, we have that $M^*$ contains a superposition of $|m\rangle$ with $\mathrm{partial}_i(m) = (h', s)$. If $h' = \bot$, then $A^*_i$ initializes $M$ with $|0^{\ell_{in}}\rangle$ and sets $h := H_k(0^{\ell_{in}})$. Thus in this case, $M$ trivially contains a superposition of $|m\rangle$ with $H_k(m) = h$. If $h' \neq \bot$, then by Fact 3, $M^*$ contains a superposition of $|m\rangle$ with $H_k(\mathrm{step}_i(m)) = h' = h$. Then $A^*_i$ initializes $M$ with $|0^{\ell_{in}}\rangle$ and applies $U_{\mathrm{step}_i}$ to $M^*, M$. Thus after that, $M$ is in a superposition of $|m\rangle$ with $H_k(m) = h'$. Concluding, in both cases $M$ is in a superposition of $|m\rangle$ with $H_k(m) = h$, thus $(A^*_i, B^*_i)$ is valid and the claim follows.

Let $\mathrm{Game}^i_1$ denote $\mathrm{Game}_1$ from Definition 7, but with adversary $(A^*_i, B^*_i)$ and hash function $(P, H_k)$. Analogously $\mathrm{Game}^i_2$. Figure 2 depicts both games.

Claim 2. $\Pr[b = 1 : \mathrm{Game}^i_2] = \Pr[b = 1 : \mathrm{Game}^{hyb}_i]$.

We show this claim: In $\mathrm{Game}^i_2$, no measurement occurs between the invocation of $U_{\mathrm{step}_i}$ by $A^*_i$ and the invocation of $U_{\mathrm{step}_i}$ by $B^*_i$. (Cf. Fig. 2.) Since $U_{\mathrm{step}_i}$ is an involution, those two invocations cancel out. Thus only the invocations of $P$, $A$, $\mathcal{M}_{\mathrm{partial}_i}$, and $B$ remain. This is exactly $\mathrm{Game}^{hyb}_i$. This shows the claim.

Claim 3. $\Pr[b = 1 : \mathrm{Game}^i_1] = \Pr[b = 1 : \mathrm{Game}^{hyb}_{i+1}]$.

We show the claim: Note that in $\mathrm{Game}^i_1$, after the measurement $\mathcal{M}_{\mathrm{partial}_i}$, on the registers $M^*, M$ we have the following sequence of operations if $h' \neq \bot$: $M$ is initialized with $|0^{\ell_{in}}\rangle$. $U_{\mathrm{step}_i}$ is applied to $M^*, M$. $M$ is measured in the computational basis (outcome $m$). $U_{\mathrm{step}_i}$ is applied to $M^*, M$. $M$ is discarded. This is equivalent to just executing $m \leftarrow \mathcal{M}_{\mathrm{step}_i}(M^*)$.

Furthermore, if $h' = \bot$, then the sequence of operations is simply: Initialize $M$ with $|0^{\ell_{in}}\rangle$. Measure $M$. Discard $M$. This is equivalent to doing nothing. And doing nothing is equivalent to $m \leftarrow \mathcal{M}_{\mathrm{step}_i}(M^*)$ in case $h' = \bot$. (Because in that case, $M^*$ is in a superposition of $|m\rangle$ with $|m| \le i$, and thus $\mathrm{step}_i(m) = \bot$, and hence the outcome of $\mathcal{M}_{\mathrm{step}_i}$ is deterministic.)

Thus $\mathrm{Game}^i_1$ is equivalent to the following $\mathrm{Game}^{i*}_1$ (in the sense that $\Pr[b = 1]$ is the same in both games):

$\mathrm{Game}^{i*}_1$: $k \leftarrow P$, $(S^*, M^*, h^*) \leftarrow A(k)$, $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_i}(M^*)$, $m \leftarrow \mathcal{M}_{\mathrm{step}_i}(M^*)$, $b \leftarrow B(S^*, M^*)$.

By Fact 4, measurements $\mathcal{M}_{\mathrm{partial}_i}(M^*)$ and $\mathcal{M}_{\mathrm{step}_i}(M^*)$ have the same effect on $M^*$ as $\mathcal{M}_{\mathrm{partial}_{i+1}}(M^*)$. (The measurement outcome may be different, but we do not use the measurement outcome in our games.) Thus $\mathrm{Game}^{i*}_1$ is equivalent to $\mathrm{Game}^{i**}_1$ (in the sense that $\Pr[b = 1]$ is the same in both games):

$\mathrm{Game}^{i**}_1$: $k \leftarrow P$, $(S^*, M^*, h^*) \leftarrow A(k)$, $(h', s) \leftarrow \mathcal{M}_{\mathrm{partial}_{i+1}}(M^*)$, $b \leftarrow B(S^*, M^*)$.

But $\mathrm{Game}^{i**}_1$ is the same as $\mathrm{Game}^{hyb}_{i+1}$, except that $S, M, h$ are renamed to $S^*, M^*, h^*$. Hence $\Pr[b = 1]$ is the same in $\mathrm{Game}^i_1$ and $\mathrm{Game}^{hyb}_{i+1}$, the claim follows.

Let $A^*$ pick $i \leftarrow \{0, \dots, B-1\}$ and then run $A^*_i$ (and let $B^* := B^*_i$, which reads $i$ from the register $S$). From Claim 1, it follows that $(A^*, B^*)$ is valid, too. Let $\mathrm{Game}^*_1$ denote $\mathrm{Game}_1$ from Definition 7, but with adversary $(A^*, B^*)$ and hash function $(P, H_k)$. Analogously $\mathrm{Game}^*_2$.

Since $(P, H_k)$ is collapsing by assumption, and $(A^*, B^*)$ is valid and polynomial-time, we have that $\varepsilon^* := |\Pr[b = 1 : \mathrm{Game}^*_1] - \Pr[b = 1 : \mathrm{Game}^*_2]|$ is negligible.

Then we have:

$\varepsilon^* = |\Pr[b = 1 : \mathrm{Game}^*_1] - \Pr[b = 1 : \mathrm{Game}^*_2]|$
$= \frac{1}{B}\Big|\sum_{i=0}^{B-1} \Pr[b = 1 : \mathrm{Game}^i_1] - \sum_{i=0}^{B-1} \Pr[b = 1 : \mathrm{Game}^i_2]\Big|$
$\overset{(*)}{=} \frac{1}{B}\Big|\sum_{i=0}^{B-1} \Pr[b = 1 : \mathrm{Game}^{hyb}_{i+1}] - \sum_{i=0}^{B-1} \Pr[b = 1 : \mathrm{Game}^{hyb}_i]\Big|$
$= \frac{1}{B}\big|\Pr[b = 1 : \mathrm{Game}^{hyb}_B] - \Pr[b = 1 : \mathrm{Game}^{hyb}_0]\big| \overset{(4)}{=} \frac{\varepsilon}{B}.$

Here $(*)$ follows from Claims 2 and 3.

Since $\varepsilon^*$ is negligible, $\varepsilon = B\varepsilon^*$ is negligible.

□
Theorem 19 (Security of Merkle-Damgård). Assume that pad is a polynomial-time computable Merkle-Damgård padding. If $(P, H_k)$ is a polynomial-time computable collapsing hash function, $(P, \mathrm{MD}_k)$ is collapsing.

A concrete security statement is given in Theorem 20.

Proof. Since pad is a Merkle-Damgård padding, we have that pad is injective and $\operatorname{im} \mathrm{pad}$ is a suffix code. Since the domain of pad is $M$, and $|M| \ge 2$ by assumption, $|\operatorname{im} \mathrm{pad}| \ge 2$. Thus by Lemma 18, $(P, \mathrm{IH}_k)$ is collapsing on $\operatorname{im} \mathrm{pad}$. Since pad is injective, $(P, \mathrm{pad})$ is collapsing by Lemma 13.

Since $\mathrm{MD}_k = \mathrm{IH}_k \circ \mathrm{pad}$, by Lemma 14, $(P, \mathrm{MD}_k)$ is collapsing. □

Concluding, we also state Theorem 19 in its concrete security variant. Let $\tau_H$ denote an upper bound on the time needed for evaluating $H_k$. Let $\tau_{pad}(l)$ denote an upper bound on the time for computing $\mathrm{pad}(m)$ for $|m| \le l$. Let $\ell_{pad}(l)$ denote an upper bound on $|\mathrm{pad}(m)|$ for $|m| \le l$. ($|\cdot|$ refers to the length in bits.)

Theorem 20 (Concrete security of Merkle-Damgård). Assume that pad is a Merkle-Damgård padding.

Let $(A,B)$ be a $\tau$-time adversary, $t$-valid for $\mathrm{MD}_k$ on $M$, with collapsing-advantage $\varepsilon$ against $(P, \mathrm{MD}_k)$.

Then there is a $(\tau + O(t\,\tau_{pad}(\ell_A) + t\,\ell_{pad}(\ell_A)\,\tau_H/\ell_{block}))$-time adversary $(A^*, B^*)$, $t$-valid for $H_k$, with collapsing-advantage $\ge \varepsilon\,\ell_{block}/\ell_{pad}(\ell_A)$ against $(P, H_k)$.


5 Collapsing Hashes in the Standard Model

In the following, let $(S_F, F_s)$ be an $(\ell_{in}, k)$-lossy function with $F_s : \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{mid}}$. Let $h_r : \{0,1\}^{\ell_{mid}} \to \{0,1\}^{\ell_{out}}$ be a universal hash function (with key $r \in \{0,1\}^{\ell_{seed}}$). Let $\mathcal{D}_{inj}$ and $\mathcal{D}_{lossy}$ be as in Definition 2.

We will often write $F_{(r,s)}$ and $h_{(r,s)}$ for $F_s$ and $h_r$ to unify notation (one of the parameters will be silently ignored in this case).

Construction 1 (Collapsing compression function). We define the parameter sampler $P_{inj}$ to return $(r,s)$ with $r \leftarrow \{0,1\}^{\ell_{seed}}$, $s \leftarrow \mathcal{D}_{inj}$. We define the parameter sampler $P_{lossy}$ to return $(r,s)$ with $r \leftarrow \{0,1\}^{\ell_{seed}}$, $s \leftarrow \mathcal{D}_{lossy}$. We define the parameter sampler $P_H$ to return $(r,s)$ with $r \leftarrow \{0,1\}^{\ell_{seed}}$, $s \leftarrow S_F$. We define the hash function $H_{(r,s)} : \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ by $H_{(r,s)} := h_{(r,s)} \circ F_{(r,s)}$.

Note that we are mainly interested in the case where $\ell_{out} < \ell_{in}$. Otherwise, $H_{(r,s)}$ could simply be chosen to be an injective function which is always collapsing (Lemma 13).

Furthermore, note that $P_{inj}$ and $P_{lossy}$ are not necessarily polynomial-time. The final construction will use $P_H$, but we need $P_{inj}$ and $P_{lossy}$ to state intermediate results.
Lemma 21. If $(S_F, F_s)$ is a lossy function, then $(P_{lossy}, F_{(r,s)})$ is collapsing.

Proof. For $(r,s) \leftarrow P_{inj}$, $F_{(r,s)}$ is always injective. Hence by Lemma 13, $(P_{inj}, F_{(r,s)})$ is collapsing.

Since $(S_F, F_s)$ is a lossy function, we have that $\mathcal{D}_{inj}$ and $\mathcal{D}_{lossy}$ are computationally indistinguishable. Hence $P_{inj}$ and $P_{lossy}$ are computationally indistinguishable.

Thus by Lemma 15, $(P_{lossy}, F_{(r,s)})$ is collapsing. □

Lemma 22. If $(S_F, F_s)$ is a lossy function with lossiness rate $K$, and if $\ell_{out}/\ell_{in} \ge c > 2 - 2K$ for some constant $c$, then $(P_{lossy}, h_{(r,s)})$ is collapsing on $\operatorname{im} F_{(r,s)}$.

Proof. We first compute the probability that $h_{(r,s)}$ is not injective on $\operatorname{im} F_{(r,s)}$.

$\Pr[h_{(r,s)} \text{ is not injective on } \operatorname{im} F_{(r,s)} : (r,s) \leftarrow P_{lossy}]$
$\overset{(*)}{=} \sum_s \Pr[\mathcal{D}_{lossy} = s] \cdot \Pr[h_{(r,s)} \text{ is not injective on } \operatorname{im} F_s : r \leftarrow \{0,1\}^{\ell_{seed}}]$
$\le \sum_s \Pr[\mathcal{D}_{lossy} = s] \sum_{x,y \in \operatorname{im} F_s,\ x \neq y} \Pr[h_{(r,s)}(x) = h_{(r,s)}(y) : r \leftarrow \{0,1\}^{\ell_{seed}}]$
$\overset{(**)}{\le} \sum_s \Pr[\mathcal{D}_{lossy} = s] \sum_{x,y \in \operatorname{im} F_s,\ x \neq y} \frac{1}{2^{\ell_{out}}}$
$\overset{(***)}{\le} \sum_s \Pr[\mathcal{D}_{lossy} = s] \cdot \frac{(2^{\ell_{in}-k})^2}{2^{\ell_{out}}} = 2^{2\ell_{in} - 2k - \ell_{out}} =: \varepsilon.$ (5)

Here $(*)$ uses the fact that $(r,s) \leftarrow P_{lossy}$ is the same as $r \leftarrow \{0,1\}^{\ell_{seed}}$, $s \leftarrow \mathcal{D}_{lossy}$. And $(**)$ is by definition of universal hash functions. And $(***)$ follows from the fact that for any $s$ in the support of $\mathcal{D}_{lossy}$, $\operatorname{im} F_s = \operatorname{im} F_{(r,s)}$ has size at most $2^{\ell_{in}-k}$ (recall that $k$ is the lossiness of $F_s$).

Since $(S_F, F_s)$ has lossiness rate $K$, we have $k \ge K\ell_{in}$ by definition, and $\ell_{in}$ is superlogarithmic. Remember that $\ell_{out}/\ell_{in} \ge c$. Then

$\varepsilon = 2^{2\ell_{in} - 2k - \ell_{out}} \le 2^{2\ell_{in} - 2K\ell_{in} - c\ell_{in}} = 2^{(2 - 2K)\ell_{in} - c\ell_{in}} = 2^{-d\ell_{in}}$

for $d := c - (2 - 2K)$.

Since by assumption, $c$ and $K$ are constants and $c > 2 - 2K$, we have that $d > 0$ is a constant. Since $\ell_{in}$ is superlogarithmic, this implies that $\varepsilon \le 2^{-d\ell_{in}}$ is negligible.

From (5) and Lemma 13, we then have that $(P_{lossy}, h_{(r,s)})$ is collapsing on $\operatorname{im} F_{(r,s)}$. □
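Construction 1 and the bound (5) of Lemma 22 as an added, constructed Python example; this is not code from the paper or from [13]. $F_s$ is a GF(2)-linear map $\{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{mid}}$ whose key is a full-rank matrix (an injective key) or a matrix of rank $\ell_{in} - k$ (a lossy key, so $|\operatorname{im} F_s| \le 2^{\ell_{in}-k}$), and $h_r$ is the universal family of random linear maps $\{0,1\}^{\ell_{mid}} \to \{0,1\}^{\ell_{out}}$. The toy sizes $\ell_{in} = \ell_{mid} = 12$, $k = 9$, $\ell_{out} = 8$ satisfy $\ell_{out}/\ell_{in} = 2/3 \ge c > 2 - 2K = 1/2$ with $K = 3/4$, and all function names are the example's own. The code computes $|\operatorname{im} F_s|$ for both key types, the bound $\varepsilon = 2^{2\ell_{in} - 2k - \ell_{out}}$ from (5), and an empirical estimate of $\Pr[h_r \text{ not injective on } \operatorname{im} F_s]$ for a lossy key. What the toy does not have is the indistinguishability of injective and lossy keys; that is the property the LWE-based functions of [13] supply.

```python
import secrets

L_IN, L_MID, L_OUT = 12, 12, 8   # constructed toy sizes (bits)
K_LOSS = 9                       # lossiness k: lossy keys have |im F_s| <= 2^(l_in - k) = 8
# Lemma 22 needs l_out/l_in >= c > 2 - 2K with K = k/l_in: here K = 0.75 and c = 8/12 > 0.5.


def lin_map(rows, x: int) -> int:
    """GF(2)-linear map given by its rows: output bit i is the parity of <rows[i], x>."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out


def gf2_rank(rows) -> int:
    """Rank over GF(2): greedy reduction to a basis whose vectors have distinct leading bits."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)
        if r:
            basis.append(r)
    return len(basis)


def sample_injective_key():
    """D_inj: a uniformly random invertible l_mid x l_in matrix (rejection sampling)."""
    while True:
        s = [secrets.randbits(L_IN) for _ in range(L_MID)]
        if gf2_rank(s) == L_IN:
            return s


def sample_lossy_key():
    """D_lossy: every row is a combination of l_in - k random vectors, so rank <= l_in - k."""
    gens = [secrets.randbits(L_IN) for _ in range(L_IN - K_LOSS)]
    s = []
    for _ in range(L_MID):
        row = 0
        for gvec in gens:
            if secrets.randbits(1):
                row ^= gvec
        s.append(row)
    return s


def F(s, x: int) -> int:
    """F_s: {0,1}^l_in -> {0,1}^l_mid, x -> s*x over GF(2)."""
    return lin_map(s, x)


def image(s) -> set:
    """im F_s, by enumerating the whole (toy-sized) domain."""
    return {F(s, x) for x in range(2 ** L_IN)}


def sample_seed():
    """r <- {0,1}^l_seed: the rows of a uniformly random l_out x l_mid matrix. h_r := r*x is a
    universal hash family (Definition 1): Pr[r*x = r*y] = Pr[r*(x xor y) = 0] = 2^-l_out."""
    return [secrets.randbits(L_MID) for _ in range(L_OUT)]


def h(r, y: int) -> int:
    return lin_map(r, y)


def Hhash(r, s, x: int) -> int:
    """Construction 1: H_{(r,s)} := h_r o F_s."""
    return h(r, F(s, x))


def lemma22_bound() -> float:
    """epsilon = 2^(2 l_in - 2k - l_out) from equation (5)."""
    return 2.0 ** (2 * L_IN - 2 * K_LOSS - L_OUT)


def noninjective_rate(s, trials: int = 2000) -> float:
    """Empirical Pr[h_r is not injective on im F_s : r uniform] for a fixed key s."""
    img = image(s)
    bad = 0
    for _ in range(trials):
        r = sample_seed()
        if len({h(r, y) for y in img}) < len(img):
            bad += 1
    return bad / trials
```

For a lossy key the image has at most 8 points, so by the union bound over the 28 pairs the failure probability is about $28/256 \approx 0.11$, comfortably below the bound $\varepsilon = 2^{24-18-8} = 0.25$ that (5) gives; for an injective key $h_r$ can never be injective on the 4096-point image, which is the reason Lemma 22 is stated for $P_{lossy}$ and the switch to $P_H$ happens only afterwards, through Lemma 15.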

Theorem 23. If $(S_F, F_s)$ is a polynomial-time computable lossy function with lossiness rate $K$, and if $\ell_{out}/\ell_{in} \ge c > 2 - 2K$ for some constant $c$, then $(P_H, H_{(r,s)})$ is collapsing.

Proof. By Lemma 21, $(P_{lossy}, F_{(r,s)})$ is collapsing. By Lemma 22, $(P_{lossy}, h_{(r,s)})$ is collapsing on $\operatorname{im} F_{(r,s)}$. By Construction 1, $H_{(r,s)} = h_{(r,s)} \circ F_{(r,s)}$. Thus, by Lemma 14, $(P_{lossy}, H_{(r,s)})$ is collapsing.

Since $(S_F, F_s)$ is a lossy function, $\mathcal{D}_{lossy}$ and $S_F$ are computationally indistinguishable. Hence $P_{lossy}$ and $P_H$ are computationally indistinguishable. Hence by Lemma 15, $(P_H, H_{(r,s)})$ is collapsing. □

Theorem 24. Assume $\ell_{in} > \ell_{out}$. Let $\mathrm{MD}_{(r,s)}$ be the Merkle-Damgård construction applied to $H_{(r,s)}$ (using a Merkle-Damgård padding pad).

If $(S_F, F_s)$ is a polynomial-time computable lossy function with lossiness rate $K$, and $h_r$ is polynomial-time computable, and if $\ell_{out}/\ell_{in} \ge c > 2 - 2K$ for some constant $c$, then $(P_H, \mathrm{MD}_{(r,s)})$ is collapsing.

Proof. By Theorem 23, $(P_H, H_{(r,s)})$ is collapsing. Then by Theorem 19, $(P_H, \mathrm{MD}_{(r,s)})$ is collapsing. □

Theorem 25. Assume $\ell_{in} > \ell_{out}$. Let $\mathrm{MD}_{(r,s)}$ be the Merkle-Damgård construction applied to $H_{(r,s)}$. Let $(\mathrm{com}_{HMu}, \mathrm{verify}_{HMu})$ denote the unbounded Halevi-Micali commitment using $\mathrm{MD}_{(r,s)}$.

If $(S_F, F_s)$ is a polynomial-time computable lossy function with lossiness rate $K$, and $h_r$ is polynomial-time computable, and if $\ell_{out}/\ell_{in} \ge c > 2 - 2K$ for some constant $c$, then $(P_H, \mathrm{com}_{HMu}, \mathrm{verify}_{HMu})$ is statistically hiding and collapse-binding.

Proof. By Theorem 24, $(P_H, \mathrm{MD}_{(r,s)})$ is collapsing. Then by Theorem 12, $(P_H, \mathrm{com}_{HMu}, \mathrm{verify}_{HMu})$ is statistically hiding and collapse-binding. □

Note that if $K > 1/2$ we have $2 - 2K < 1$. Then $h_r$, $c$ can always be chosen to satisfy the conditions of Theorems 24 and 25 (namely $\ell_{out}/\ell_{in} \ge c > 2 - 2K$ and $\ell_{in} > \ell_{out}$).

For completeness, we now give the concrete security variant of Theorem 25 
here. Let r F denote the time needed for evaluating F^ s \. Let denote the 
time needed for evaluating h( VjS y Let r' h denotes an upper bound on the time 
needed for computing the universal hash function from Definition 10. For a given 
adversary (. A , B), let i A be a upper bound on the length of each message output 
by A on the registers Mi (cf. Definitions). 

Theorem 26. Assume $\ell_{in} > \ell_{out}$. Let $MD^{(r,s)}$ be the Merkle-Damgård construction applied to $H^{(r,s)}$. Let $(\mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$ denote the unbounded Halevi-Micali commitment using $MD^{(r,s)}$.

Then any adversary against $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$ has hiding-advantage

2 ^ out i 

Let $(A,B)$ be a $\tau$-time adversary that is $t$-c.b.-valid for $\mathsf{verify}_{HMu}$ with collapsing-advantage $\varepsilon$ against $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$.

Then there are $(\tau + O(t\,\tau_{pad}(\ell_A) + \ell_{pad}(\ell_A)(\tau_F + \tau_h)/(\ell_{in} - \ell_{out}) + \ell_{seed} + t\,\tau'_h))$-time adversaries $C_1, \dots, C_6$, such that $C_1, C_2, C_3$ distinguish $S_F$ and $\mathcal{D}_{lossy}$ with some advantages $\varepsilon_1, \varepsilon_2, \varepsilon_3$, and $C_4, C_5, C_6$ distinguish $\mathcal{D}_{inj}$ and $\mathcal{D}_{lossy}$ with some advantages $\varepsilon_4, \varepsilon_5, \varepsilon_6$; and $\varepsilon \le \bigl(2^{2\ell_{in} - 2k - \ell_{out}} + 2\sum_{i=1}^{6} \varepsilon_i\bigr)$.
By using existing constructions of lossy functions, we further get:

Theorem 27. If SIVP and GapSVP are hard for quantum algorithms to approximate within $O(d^c)$ factors for some $c > 5$, then there is a collapsing hash function with domain $\{0,1\}^*$ and codomain $\{0,1\}^{\ell_{out}}$ for some $\ell_{out}$, as well as a non-interactive, statistically hiding, collapse-binding commitment scheme with message space $\{0,1\}^*$.

Furthermore, the hash function and the commitment scheme can be chosen such that their parameter sampler $P$ returns a uniformly random bitstring.

Proof. [13] shows that almost-always lossy trapdoor functions with lossiness rate $\kappa < 1$ exist if SIVP and GapSVP are hard for quantum algorithms to approximate within $O(d^c)$ factors, where $c = 2 + \frac{3}{2(1-\kappa)} + \delta$ for any desired $\delta > 0$. Almost-always lossy trapdoor functions are in particular lossy functions. If $c > 5$, we can choose some constant $\kappa > \frac{1}{2}$ such that $c = 2 + \frac{3}{2(1-\kappa)} + \delta$ for some $\delta > 0$. Thus there is a lossy function with constant lossiness rate $\kappa > \frac{1}{2}$. Hence by Theorems 24 and 25 there are a collapsing hash function $(P_H, H^{(r,s)})$ and a non-interactive collapse-binding statistically hiding commitment $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$.

$P_H$ returns $(s,r)$ with $s \leftarrow S_F$ and $r$ a uniformly random bitstring (the seed of $h_r$). Furthermore, as discussed after Definition 2, the lossy function $(S_F, F_s)$ can be chosen such that $S_F$ returns uniformly random keys $s$. In that case $P_H$ returns a uniformly random bitstring. □

Interactive commitments without public parameters. The above text 
analyzed non-interactive commitments using public parameters. We refer to the 
introduction for the reason why it is unlikely that we can get rid of the public 
parameters in the non-interactive setting. However, in the interactive setting, we 
get the following result: 

Theorem 28. If lossy functions with lossiness rate $\kappa > \frac{1}{2}$ exist, or if SIVP and GapSVP are hard for quantum algorithms to approximate within $O(d^c)$ factors for some $c > 5$, then there is a collapse-binding$^{10}$ statistically-hiding commitment scheme with two-round commit phase and non-interactive verification, without public parameters.

$^{10}$ We refer to [16] for the definition of “collapse-binding” for interactive commitments.

Proof. Let $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$ be the commitment scheme analyzed above.

We construct an interactive commitment scheme as follows: To commit to a message $m$, the recipient runs $k \leftarrow P_H$ and sends $k$ to the committer. Then the committer computes $(c,u) \leftarrow \mathsf{com}_{HMu}(k,m)$ and sends $c$. To open to $m$, the committer sends $u$, and the verifier checks whether $\mathsf{verify}_{HMu}(k,c,m,u) = 1$.

It is easy to see that if $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$ is collapse-binding, so is the resulting interactive scheme. (In the collapse-binding game, the verifier is honest. Hence it is equivalent whether the verifier or $P_H$ picks $k$.)

In general, having the verifier pick $k$ may break the hiding property of the commitment. However, the proof of the hiding property of $(P_H, \mathsf{com}_{HMu}, \mathsf{verify}_{HMu})$ (in the full version) reveals that the commitment is statistically hiding for any choice of $k$. Thus the interactive commitment is statistically hiding. □

6 Collapse-Binding Implies Sum-Binding 

For the remainder of this section, let $(P, \mathsf{com}, \mathsf{verify})$ be a commitment scheme with message space $\{0,1\}$. (I.e., a bit commitment.)

A very simple and natural definition of the binding property for bit commitment schemes is the following one (it occurred implicitly and explicitly in different variants in [2-4, 7, 11]): If an adversary produces a commitment $c$, and is told only afterwards which bit $m$ he should open it to, then $p_0 + p_1 \le 1 + \text{negligible}$. Here $p_0$ is the probability that he successfully opens the commitment to $m = 0$, and $p_1$ analogously. This definition is motivated by the fact that a perfectly binding commitment trivially satisfies $p_0 + p_1 \le 1 + \text{negligible}$.

Definition 29 (Sum-binding). For any adversary $(C_0, C_1)$ and $m \in \{0,1\}$, let

$p_m(C_0, C_1) := \Pr[\mathsf{verify}(k,c,m,u) = 1 : k \leftarrow P,\ (S,c) \leftarrow C_0(k),\ u \leftarrow C_1(S,m)]$.

Here $S$ is a quantum register, and $c$ a classical value. We call $adv := p_0 + p_1 - 1$ the sum-binding-advantage of $(C_0, C_1)$. (With $adv := 0$ if the difference is negative.)

A commitment is sum-binding iff for any quantum-polynomial-time $(C_0, C_1)$, $adv$ is negligible.

Unfortunately, this definition seems too weak to be useful (see [16] for more 
discussion), but certainly it seems that the sum-binding property is a minimal 
requirement for a bit commitment scheme. Yet, it was so far not known whether 
collapse-binding bit commitments are sum-binding. In this section, we will show 
that collapse-binding bit commitments are sum-binding, thus giving additional 
evidence that collapse-binding is a sensible definition. 

Proof attempt using rewinding. Before we prove our result, we first explain 
why existing approaches (i.e., rewinding) do not give the required result. 

First, the classical case as a warm up. Assume a classical adversary with $p_0 + p_1 = 1 + \varepsilon$ for non-negligible $\varepsilon$. We then break the classical computational-binding property as follows: Run the adversary to get $c$. Then ask him to provide an opening $u$ for $m = 0$. Then rewind him to the state where he produced $c$. Then ask him to provide an opening $u'$ for $m = 1$. The probability that $u$ is valid is $p_0$, the probability that $u'$ is valid is $p_1$. From the union bound, we get that the probability that both are valid is at least $p_0 + p_1 - 1 = \varepsilon$.$^{11}$ But that means that the adversary has non-negligible probability $\varepsilon$ of finding $c, m, m', u, u'$ with $m \ne m'$ and $u, u'$ being valid openings for $m, m'$. This contradicts the classical-style binding property.

$^{11}$ Namely, $\Pr[u \text{ invalid}] = 1 - p_0$, $\Pr[u' \text{ invalid}] = 1 - p_1$. Hence $\Pr[u \text{ invalid or } u' \text{ invalid}] \le (1 - p_0) + (1 - p_1)$. Thus $\Pr[u, u' \text{ valid}] \ge 1 - ((1 - p_0) + (1 - p_1)) = p_0 + p_1 - 1$.

Now what happens if we try to use rewinding in the quantum case to show that collapse-binding implies sum-binding? If we use the rewinding technique from [14], the basic idea is the following:

Run the adversary to get a commitment $c$ (i.e., $(S,c) \leftarrow C_0(k)$). Run the adversary to get an opening $u$ for $m = 0$ (i.e., run $u \leftarrow C_1(S,0)$). Here we assume w.l.o.g. that $C_1$ is unitary. Measure $u$. Run the inverse of the unitary $C_1(S,0)$. Run the adversary to get an opening $u'$ for $m = 1$ (i.e., run $u' \leftarrow C_1(S,1)$).

To get a contradiction, we need to show that with non-negligible probability $u$ and $u'$ are both valid openings. While $u$ will be valid with probability $p_0$, there is nothing we can say about $u'$. This is because measuring $u$ will disturb the state of the adversary so that $C_1(S,1)$ may return nonsensical outputs. [14] shows that if there is only one valid $u$, then rewinding works. But there is nothing that guarantees that there is only one valid $u$.$^{12}$ At this point the rewinding-based proof fails.

Collapse-binding implies sum-binding. We now formally state and prove 
the main result of this section with a technique different from rewinding. (But 
possibly this is a new rewinding technique under the hood.) 

Theorem 30. If $(P, \mathsf{com}, \mathsf{verify})$ is collapse-binding, then $(P, \mathsf{com}, \mathsf{verify})$ is sum-binding.

An interesting open question is whether the converse holds. If so, this would immediately give strong results for the parallel composition of sum-binding commitments and their use in rewinding proofs (because all the properties of collapse-binding commitments would carry over).

We give a proof sketch first: As we have seen, running two executions of the adversary sequentially (first opening to $m = 0$, then opening to $m = 1$) via rewinding is problematic because the second execution may not be successful any more. Instead, we will run both executions at the same time in superposition:

Assume an adversary against sum-binding with non-negligible advantage $\varepsilon$. We initialize a qubit $M$ with $|+\rangle = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$. Then we let the adversary commit ($(S,c) \leftarrow C_0(k)$), and then we run $C_1(S,0)$ or $C_1(S,1)$ in superposition, controlled by the register $M$. This may entangle $M$ with the rest of the system. And we get openings for $m = 0$ and $m = 1$ in superposition on a register $U$. Now if we measure whether $U$ contains a valid opening for the message on register $M$, the answer will be yes with probability $\delta := \frac{p_0 + p_1}{2} = \frac{1 + \varepsilon}{2}$, where $p_0, p_1$ are as in Definition 29 (call this measurement $V_c$). Now, we either measure the register $M$ in the computational basis or we do not. Then we apply the inverse of $C_1(S,0)$ or $C_1(S,1)$ in superposition. And finally we measure whether $M$ is still in the state $|+\rangle$ (call this measurement $M_+$).

$^{12}$ Collapse-binding commitments are rewinding-friendly, but this refers only to the case where we wish to measure the opened message $m$. Roughly, collapse-binding implies that measuring $m$ does not disturb the state more than measuring whether the commitment was opened correctly or not, and in that case the rewinding technique from [14] applies. See [16] for example proofs using this technique.

We distinguish two cases: If we measure $M$ in the computational basis, then $M = |0\rangle$ or $M = |1\rangle$ afterwards. So the measurement $M_+$ succeeds with probability $\frac{1}{2}$. Hence the probability that both $V_c$ and $M_+$ succeed is $\delta/2$.

If we do not measure $M$ in the computational basis, then we have the following situation. The invocation of $C_1(S,0)$ or $C_1(S,1)$ in superposition, together with the measurement $V_c$, together with the uncomputation of $C_1(S,0)$ or $C_1(S,1)$, can be seen as a single binary measurement $R_c$. Now if we have a measurement that succeeds with high probability, it cannot change the state much. Thus, the higher the success probability $\delta$ of $R_c$, the more likely it is that $M$ is still in state $|+\rangle$ and $M_+$ succeeds. An exact computation reveals: the probability that both $R_c$ (a.k.a. $V_c$) and $M_+$ succeed is at least $\delta^2$.

Thus the measurement $M_+$ distinguishes between measuring and not measuring $M$ with non-negligible probability $\delta^2 - \delta/2 \ge \varepsilon/4$. This contradicts the collapse-binding property, and the theorem follows.

We now give the full proof: 

Proof of Theorem 30. Let $(C_0, C_1)$ be an adversary in the sense of Definition 29 (against sum-binding). Let $p_0 := p_0(C_0, C_1)$ and $p_1 := p_1(C_0, C_1)$. We have to show that the advantage $\varepsilon := p_0 + p_1 - 1$ is upper bounded by a negligible function.

Without loss of generality, we can assume that $C_1$ is unitary. More precisely, $C_1(S,m)$ applies a unitary circuit $U_m$ to $S$, resulting in two output registers $U$ and $E$. Then it measures $U$ in the computational basis and returns the outcome $u$.

With that notation, we can express the game from Definition 29 as the following circuit (renaming the register $S$ to $S'$ to avoid name clashes later):

(Circuit (6): quantum circuit figure, not reproduced in this extraction.) (6)

(Here and in the following, $\mathcal{M}$ denotes a measurement in the computational basis.) In that circuit, $\Pr[\mathsf{verify}(k,c,m,u) = 1] = \delta := \frac{1}{2}(1 + \varepsilon)$.

Let $M$ denote a one-qubit quantum register, and define $U_M : |m\rangle_M \otimes |\Psi\rangle_{S'} \mapsto |m\rangle_M \otimes U_m|\Psi\rangle_{S'}$. That is, $U_M$ is a unitary with two input registers $M, S'$, and three output registers $M, U, E$, which is realized by applying $U_0$ or $U_1$ to $S'$, depending on whether $M$ is $|0\rangle$ or $|1\rangle$.

Let $M_+$ be the binary measurement that checks whether register $M$ is in state $|+\rangle = \frac{1}{\sqrt{2}}|0\rangle + \frac{1}{\sqrt{2}}|1\rangle$. Formally, $M_+$ is defined by the projector $P_+ := |+\rangle\langle +|$ on $M$.

Recall that $V_c$ from Lemma 6 is the measurement defined by the projector $P_c := \sum_{m,u:\ \mathsf{verify}(k,c,m,u) = 1} |m\rangle\langle m| \otimes |u\rangle\langle u|$.
Fig. 3. Circuit describing $\mathsf{Game}_1$. $\mathsf{Game}_2$ can be derived by omitting $\mathcal{M}_{ok}$. The adversary algorithms $A$ and $B$ are depicted in the dashed boxes. (To avoid wires crossing gates, the outgoing wires of $U_M$ are ordered $E, M, U$, not $M, U, E$ as in the text.)


We define an adversary $(A,B)$ against the collapse-binding property of $\mathsf{com}$ (using the alternative definition from Lemma 6). Algorithm $A(k)$ performs the following steps (see also Fig. 3):

- Run $(S',c) \leftarrow C_0(k)$.

- Initialize a register $M$ with $|+\rangle$.

- $(M,U,E) \leftarrow U_M(M,S')$. That is, apply $U_M$ to $M, S'$.

- $S := E$. (That is, we rename the register $E$.)

- Return $(S, M, U, c)$.

Algorithm $B(S,M,U)$ performs the following steps (see also Fig. 3):

- $E := S$.

- $(M,S') \leftarrow U_M^\dagger(M,U,E)$.

- $b \leftarrow M_+(M)$.

- Return $b$.

Let $\mathsf{Game}_1, \mathsf{Game}_2$ refer to the games from Lemma 6 with adversary $(A,B)$. Figure 3 depicts those games as a quantum circuit.

We consider $\mathsf{Game}_1$ first. We are interested in computing the probability $p := \Pr[b = 1 \wedge ok = 1]$ in this game. Observe that replacing $\mathcal{M}_{ok}$ by $\mathcal{M}$ (the latter being the measurement in the computational basis, applied even when $ok = 0$) does not change $p$. (Because $\mathcal{M}_{ok}$ and $\mathcal{M}$ behave differently only when $ok = 0$.) Thus, replacing $\mathcal{M}_{ok}$ on $M$ by $\mathcal{M}$ does not change $p$. Thus, we get the following circuit:

(Circuit (7): quantum circuit figure, not reproduced in this extraction.) (7)

and have

$\Pr[b = 1 \wedge ok = 1 : \text{Circuit (7)}] = \Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_1]$. (8)

Note that $\mathcal{M}$ on $M$ commutes with $V_c$ and $U_M$. So we can move $\mathcal{M}$ to the beginning (right after initializing $M$ with $|+\rangle$). But measuring $|+\rangle$ in the computational basis yields a uniformly distributed bit $m$. And furthermore, if $M$ contains $|m\rangle$, then $U_M$ degenerates to $U_m$ on register $S'$, and $M$ stays in state $|m\rangle$ until the measurement $M_+$. Thus we can simplify (7) as follows:

(Circuit (9): quantum circuit figure, not reproduced in this extraction.) (9)

We thus have

$\Pr[b = 1 \wedge ok = 1 : \text{Circuit (7)}] = \Pr[b = 1 \wedge ok = 1 : \text{Circuit (9)}]$. (10)

It is easy to see that

$\Pr[ok = 1 : \text{Circuit (9)}] = \Pr[\mathsf{verify}(k,c,m,u) = 1 : \text{Circuit (6)}] = \delta$.

Furthermore, in (9), $b$ is independent of $ok$, and we have $\Pr[b = 1] = \frac{1}{2}$ by definition of $M_+$. Thus

$\Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_1] \overset{(8),(10)}{=} \Pr[b = 1 \wedge ok = 1 : \text{Circuit (9)}] = \frac{\delta}{2}$. (11)

We now consider $\mathsf{Game}_2$. This game is depicted in Fig. 3 (when omitting the measurement $\mathcal{M}_{ok}$). We are interested in computing the probability $q := \Pr[b = 1 \wedge ok = 1]$ in this game. Recall that $P_+, P_c$ are the projectors describing the measurements $M_+, V_c$. Thus, $q = \operatorname{tr}\rho$ where $\rho$ is the final state of the following circuit:

(Circuit (12): quantum circuit figure, not reproduced in this extraction; it marks the intermediate state $\rho'$ after $U_M^\dagger$, the final state $\rho$, the operator product abbreviated $=: R_c$ and the projector abbreviated $=: Q$.) (12)

We abbreviate the product of the operators $U_M^\dagger, P_c, U_M$ as $R_c := U_M^\dagger P_c U_M$. Note that $R_c$ is a projector since $P_c$ is a projector and $U_M$ is unitary. Let $Q := P_+ \otimes I$.

Furthermore, let $\rho_c$ be the state output by $C_0$ on $S'$ conditioned on classical output $c$ (and let $p_c$ be the probability of that output). We can write $\rho_c$ as $\rho_c = \sum_i p_{ci} |\Psi_{ci}\rangle\langle\Psi_{ci}|$ for some normalized quantum states $|\Psi_{ci}\rangle$ and some probabilities $p_{ci}$ with $\sum_i p_{ci} = 1$. Let $|\Psi'_{ci}\rangle := |+\rangle \otimes |\Psi_{ci}\rangle$. Let $|\Phi_{ci}\rangle := Q R_c |\Psi'_{ci}\rangle$. With that notation, we have $\rho = \sum_{c,i} p_c p_{ci} |\Phi_{ci}\rangle\langle\Phi_{ci}|$ and $\sum_{c,i} p_c p_{ci} = 1$. Hence $q = \operatorname{tr}\rho = \sum_{c,i} p_c p_{ci} \bigl\| |\Phi_{ci}\rangle \bigr\|^2$.

Furthermore, if $\rho'$ is the state in circuit (12) after $U_M^\dagger$, then it is easy to see that $\operatorname{tr}\rho' = \delta$ (recall that $\delta$ is the success probability in (6)). We then have that

$\delta = \operatorname{tr}\rho' = \sum_{c,i} p_c p_{ci} \bigl\| R_c |\Psi'_{ci}\rangle \bigr\|^2 = \sum_{c,i} p_c p_{ci}\, \delta_{ci}$ with $\delta_{ci} := \bigl\| R_c |\Psi'_{ci}\rangle \bigr\|^2$.

By definition of $Q$ and $|\Psi'_{ci}\rangle$, we have that $Q|\Psi'_{ci}\rangle = |\Psi'_{ci}\rangle$. Then

$\delta_{ci} = \langle\Psi'_{ci}| R_c |\Psi'_{ci}\rangle = \langle\Psi'_{ci}| Q R_c |\Psi'_{ci}\rangle \le \bigl\| Q R_c |\Psi'_{ci}\rangle \bigr\| = \bigl\| |\Phi_{ci}\rangle \bigr\|$.

Thus

$q = \sum_{c,i} p_c p_{ci} \bigl\| |\Phi_{ci}\rangle \bigr\|^2 \ge \sum_{c,i} p_c p_{ci}\, \delta_{ci}^2 \overset{(*)}{\ge} \Bigl( \sum_{c,i} p_c p_{ci}\, \delta_{ci} \Bigr)^2 = \delta^2.$

Here $(*)$ uses Jensen’s inequality and the fact that $\sum_{c,i} p_c p_{ci} = 1$. Thus

$\Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_2] = q \ge \delta^2$. (13)

Since $\mathsf{Game}_1$ and $\mathsf{Game}_2$ are identical unless $ok = 1$, we have that

$\Pr[b = 1 \wedge ok \ne 1 : \mathsf{Game}_1] = \Pr[b = 1 \wedge ok \ne 1 : \mathsf{Game}_2]$. (14)

Thus

$\Pr[b = 1 : \mathsf{Game}_2] - \Pr[b = 1 : \mathsf{Game}_1]$

$= \bigl(\Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_2] + \Pr[b = 1 \wedge ok \ne 1 : \mathsf{Game}_2]\bigr)$

$\quad - \bigl(\Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_1] + \Pr[b = 1 \wedge ok \ne 1 : \mathsf{Game}_1]\bigr)$

$\overset{(14)}{=} \Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_2] - \Pr[b = 1 \wedge ok = 1 : \mathsf{Game}_1]$

$\overset{(11),(13)}{\ge} \delta^2 - \frac{\delta}{2} \ge \frac{\varepsilon}{4}.$

Thus

$\frac{\varepsilon}{4} \le \bigl| \Pr[b = 1 : \mathsf{Game}_1] - \Pr[b = 1 : \mathsf{Game}_2] \bigr|$. (15)

Since $(C_0, C_1)$ is a polynomial-time adversary, $(A,B)$ is polynomial-time. By assumption, $(P, \mathsf{com}, \mathsf{verify})$ is collapse-binding. Thus by Lemma 6, the rhs of (15) is negligible. Hence $\varepsilon$ is negligible. Since $\varepsilon$ was the advantage of the adversary $(C_0, C_1)$ against the sum-binding property, it follows that $(P, \mathsf{com}, \mathsf{verify})$ is sum-binding. □
6.1 CDMS-Binding

For the remainder of this section, let $(P, \mathsf{com}, \mathsf{verify})$ be a commitment scheme with message space $\{0,1\}^\ell$.

The sum-binding definition is restricted to bit commitments. In [3], a generalization of the sum-binding definition is given. Intuitively, for any function $f$, if the adversary produces a commitment $c$, then there should be at most one value $y$ such that the adversary can open $c$ to a message $m$ with $f(m) = y$. Slightly more formally, we require that $\sum_y p_y \le 1 + \text{negligible}$ where $p_y$ is the probability that the adversary (who gets $y$ after producing the commitment $c$) manages to open $c$ to a message $m$ with $f(m) = y$. Again, this definition is motivated by the fact that perfectly binding commitments satisfy $\sum_y p_y \le 1$. The definition can be parametrized by specifying the set $F$ of allowed functions $f$.

Definition 31 (CDMS-binding, following [3]). Let $F$ be a family of functions $\{0,1\}^\ell \to \{0,1\}^\lambda$.

For any adversary $(C_0, C_1)$ and any $y \in \{0,1\}^\lambda$, let

$p_y(C_0, C_1) := \Pr[\mathsf{verify}(k,c,m,u) = 1 \wedge f(m) = y : k \leftarrow P,\ (S,c,f) \leftarrow C_0(k),\ (m,u) \leftarrow C_1(S,y)]$.

Here $S$ is a quantum register, $c$ a classical value, and $f$ a function in $F$ (represented as a Boolean circuit).

We call $(C_0, C_1)$ $F$-CDMS-valid if it only outputs functions $f \in F$. We call $adv := \sum_{y \in \{0,1\}^\lambda} p_y(C_0, C_1) - 1$ the $F$-CDMS-advantage of $(C_0, C_1)$. (With $adv := 0$ if the difference is negative.)

We call a commitment scheme $F$-CDMS-binding iff for all quantum-polynomial-time $F$-CDMS-valid $(C_0, C_1)$, the $F$-CDMS-advantage of $(C_0, C_1)$ is negligible.

We have somewhat modified the definition with respect to [3]: Namely, instead of quantifying over all $f \in F$, we let the adversary choose $f$. This gives the adversary additional power, because $f$ may depend on the public parameter $k$, but at the same time it also removes some power (because $f$ needs to be efficiently computable in our definition). For non-uniform adversaries, our definition implies the one from [3].

Note that the sum-binding definition is a special case of the CDMS-binding definition: A bit commitment is sum-binding iff it is $F$-CDMS-binding where $F$ contains only the identity.

The following theorem is shown using a similar technique as Theorem 30. The main difference is that we have to use a superposition of all possible values $y$, instead of the superposition $|+\rangle$ of messages 0 and 1. Furthermore, the fact that the adversary has free choice of $m$, subject to the condition $f(m) = y$, introduces additional technicalities, but these are solved in the full proof.

Theorem 32. If $(P, \mathsf{com}, \mathsf{verify})$ is collapse-binding, then $(P, \mathsf{com}, \mathsf{verify})$ is $F$-CDMS-binding for any $F \subseteq \{0,1\}^\ell \to \{0,1\}^\lambda$ with logarithmically-bounded $\lambda$.
Note the condition that $\lambda$ is logarithmically-bounded. This condition is necessary as the following example shows: Let $\mathsf{com}$ be a perfectly binding commitment, except that with probability $\varepsilon$ the adversary finds a secret that allows him to open the commitment to any message. This small probability $\varepsilon$ does not change the fact that the commitment is collapse-binding (and arguably any reasonable definition of computationally binding should tolerate such a negligible error). However, an adversary that commits to 0, then gets $y \in \{0,1\}^\lambda$, and then tries to open to an arbitrary $m$ with $f(m) = y$ will succeed with probability $p_y = \varepsilon$ for all $y \ne f(0)$, and with probability $p_y = 1$ for $y = f(0)$. Hence $\sum_y p_y = 1 + (2^\lambda - 1)\varepsilon$. If $\lambda$ is superlogarithmic, then $(2^\lambda - 1)\varepsilon$ will not necessarily be negligible. This example shows that collapse-binding cannot imply CDMS-binding for superlogarithmic $\lambda$ and also indicates that probably CDMS-binding with superlogarithmic $\lambda$ is not a reasonable definition of computationally binding. (Note: in [3], only CDMS-binding with logarithmically-bounded $\lambda$ was used and is sufficient for their OT protocol.)
Abstract. Many practical lattice-based schemes are built upon the Ring-SIS or Ring-LWE problems, which are problems that are based on the presumed difficulty of finding low-weight solutions to linear equations over polynomial rings $\mathbb{Z}_q[x]/(f)$. Our belief in the asymptotic computational hardness of these problems rests in part on the fact that there are reductions showing that solving them is as hard as finding short vectors in all lattices that correspond to ideals of the polynomial ring $\mathbb{Z}[x]/(f)$. These reductions, however, do not give us an indication as to the effect that the polynomial $f$, which defines the ring, has on the average-case or worst-case problems.

As of today, there haven’t been any weaknesses found in Ring-SIS or Ring-LWE problems when one uses an $f$ which leads to a meaningful worst-case to average-case reduction, but there have been some recent algorithms for related problems that heavily use the algebraic structures of the underlying rings. It is thus conceivable that some rings could give rise to more difficult instances of Ring-SIS and Ring-LWE than other rings. A more ideal scenario would therefore be if there were an average-case problem, allowing for efficient cryptographic constructions, that is based on the hardness of finding short vectors in ideals of $\mathbb{Z}[x]/(f)$ for every $f$.

In this work, we show that the above may actually be possible. We construct a digital signature scheme based (in the random oracle model) on a simple adaptation of the Ring-SIS problem which is as hard to break as worst-case problems in every $f$ whose degree is bounded by the parameters of the scheme. Up to constant factors, our scheme is as efficient as the highly practical schemes that work over the ring $\mathbb{Z}[x]/(x^n + 1)$.


1 Introduction 

One of the attractive features of lattice cryptography is that one can construct 
cryptographic primitives whose security is based on the hardness of worst-case 
lattice problems [Ajt96]. More concretely, average-case problems such as SIS 
and LWE are defined in such a way that an adversary who is able to solve 
these problems could then be used to find short vectors in any lattice. While 
the worst-case to average-case reductions do not help us figure out the exact parameter settings that make SIS and LWE hard, they definitely deserve the credit for leading researchers to the right definitions of these problems.

Recent years have seen numerous cryptographic protocols constructed based on SIS and LWE. These schemes, however, are not particularly efficient because SIS and LWE inherently give rise to key sizes and/or outputs which are $O(\lambda^2)$ in the security parameter $\lambda$. For this reason, almost all of the practical lattice-based constructions are built upon the average-case problems Ring-SIS and Ring-LWE. The algebraic structures underlying the Ring-SIS and Ring-LWE problems are polynomial rings of the form $\mathbb{Z}_q[x]/(f)$, and it was shown in [PR06,LM06,SSTX09,LPR13] that solving Ring-SIS and Ring-LWE over this ring implies finding short vectors in all ideals of $\mathbb{Z}[x]/(f)$. Notice that these are somewhat weaker statements than the proof for SIS and LWE because one needs to first pick the ring $\mathbb{Z}[x]/(f)$ where the worst-case problems are believed to be hard.

As of today, there have not been any attacks on worst-case problems in any ring, nor on the Ring-SIS or Ring-LWE problems in rings for which there exist non-vacuous (i.e. the reduction is not from a problem that is easy) worst-case to average-case reductions. For this reason, most proposals choose to work with cyclotomic rings, such as $\mathbb{Z}[x]/(x^{2^k} + 1)$, due to their particularly nice algebraic structure for implementation purposes. Cyclotomics also have the feature that the decision version of the Ring-LWE problem in these rings is hard [LPR13], which makes them even more useful for cryptographic applications.

While the Ring-SIS and Ring-LWE problems remain hard, there have been some recent works that were able to solve other problems in certain rings by taking advantage of the algebraic structure. The work of Cramer et al. [CDPR16], which built on the approach of Campbell et al. [CGS14], showed that the log-unit lattice of cyclotomic rings is efficiently decodable. When combined with a polynomial-time quantum algorithm of Biasse and Song [BS16] (building upon [EHKS14,CGS14]) for finding generators of principal ideals, one obtains a quantum polynomial-time algorithm for the $2^{\tilde{O}(\sqrt{n})}$-approximate shortest vector problem in principal ideals of cyclotomic rings.

The simultaneous works of Albrecht et al. [ABD16] and Cheon et al. [CJL16] exploited the sub-field structure of number fields to give sub-exponential algorithms for the NTRU problem in which the secret polynomials are very small. This is an approach that is very similar to an early idea mentioned in [GS02, Sect. 6]. While it is interesting to note that none of these attacks say anything about worst-case problems or average-case Ring-SIS and Ring-LWE, they do point out that the choice of ring can affect the hardness of problems. For this reason, there have been proposals for using alternative rings (e.g. Bernstein et al. [BCLvV16] suggested using rings $\mathbb{Z}[x]/(x^p - x - 1)$) which do not have the algebraic structure exploited by the aforementioned algorithms. But in the absence of attacks on any of the current constructions, it is of course not clear whether one is more secure than the other.
1.1 Our Result

A more ideal situation would be if one could build efficient cryptographic schemes that are simultaneously based on the hardness of average-case (and therefore worst-case) problems in every ring. In this work we show that this indeed may be possible. We construct a digital signature scheme which is, up to constant factors in terms of running time and key/signature sizes, as efficient as the most practical signature schemes [Lyu12,GLP12,DDLL13] (i.e. the key sizes, running time, and output sizes are all $O(\lambda)$), and is based on the hardness of the Ring-SIS problem in every ring $\mathbb{Z}[x]/(f)$, with the obvious restriction that the degree of $f$ is bounded by the parameters of the scheme.

In the Ring-SIS problem over the ring $\mathbb{Z}_q[x]/(f)$, called f-SIS, one is given $k$ uniformly random polynomials $a_1, \dots, a_k$ and is asked to find elements $z_1, \dots, z_k$ with small coefficients such that $\sum a_i z_i = 0$ in the ring $\mathbb{Z}_q[x]/(f)$. A simple, yet very important, observation is that the input to this problem only very loosely depends on the polynomial $f$. In particular, for all $f$ of the same degree, this input has the exact same distribution.

If we then defined a problem over the ring $\mathbb{Z}_q[x]$ that required finding a combination of the $z_i$ such that $\sum a_i z_i = 0$, then these $z_i$ would also be a solution to $\sum a_i z_i = 0 \bmod f$ for any $f$. If the degree of $f$ is larger than the degree of the $z_i$, then as long as one of the $z_i$ is non-zero in $\mathbb{Z}_q[x]$, it is also non-zero in $\mathbb{Z}_q[x]/(f)$.

The intuition for building a digital signature scheme is to let the public key be random polynomials $a_1, \dots, a_k$ in $\mathbb{Z}_q[x]$ of bounded degree $n - 1$, and $t = \sum a_i s_i$ where all operations are performed over $\mathbb{Z}_q[x]$. We would like to choose the $s_i$ such that their degree $d$ is somewhat less than $n$, and also such that the function $f$ defined as $f(s_1, \dots, s_k) = \sum a_i s_i$ is compressing. One can then adapt the “Fiat-Shamir with Aborts” technique for $\Sigma$-protocols from [Lyu09,Lyu12] to create a signature $(z_1, \dots, z_k)$ that is independent of the $s_i$ and satisfies some linear relation relating $a_i$, $t$ and the “commit” and “challenge” steps of the $\Sigma$-protocol.

It can then be shown that an adversary who can break the unforgeability security property of the digital signature scheme can be used to extract polynomials with small norms $z_1, \dots, z_k$ and $c$ that satisfy the equation $\sum a_i z_i = tc$ over $\mathbb{Z}_q[x]$. We then show that a solution to this equation that satisfies certain conditions on the coefficient sizes and degrees of the polynomials $z_i, c$, as well as the polynomials $s_i$ that were used to construct $t$, implies a solution to the f-SIS problem for any $f$ whose degree is between $d + \deg(c)$ and $n$.$^1$ When combined with the worst-case to average-case reduction from finding short vectors in ideals of $\mathbb{Z}[x]/(f)$ to the f-SIS problem from [LM06], this gives a reduction from worst-case lattice problems in ideals of any ring $\mathbb{Z}[x]/(f)$ to the hardness of breaking the signature scheme.


1 The lower-bound d + deg(c) on the degree of f can be circumvented, but its presence 
makes the proofs simpler. We also do not think that it’s particularly interesting to 
extend the proofs for f of very small (compared to n) degree, because those problems 
will be generally easier than problems over larger rings. 
A Note on the Definition of Length. It should be pointed out that the quality of the worst-case to f-SIS reduction in [LM06] depends on $f$. If we define the norms of elements in $\mathbb{Z}_q[x]/(f)$ by computing a standard norm on their coefficients (e.g. the $\ell_\infty$-norm), then it is possible that a solution to f-SIS does not lead to finding short vectors in the lattice. [LM06] defined the “expansion factor” of $f$ which determined how much coefficients of polynomial products could grow when multiplied modulo $f$. For some $f$, this growth could be exponential, and one would lose this factor in the reductions, thus making them vacuous. In later works [PR07,LPR13], it was shown that using coefficient sizes is not the most natural way to define the length of elements in $\mathbb{Z}_q[x]/(f)$. If one instead uses the “canonical embedding” norm whose definition itself depends on $f$, then a lot of the issues concerning the expansion factor disappear, and one can achieve meaningful reductions for all polynomials $f$.

In this current work, though, we cannot use a definition of norm that depends on $f$ because there is no $f$ in our average-case problem! We therefore need to use the most natural definition for small elements that is independent of any ring. For this, we go back to the definition that simply looks at the coefficients of the polynomials. The reason that we believe that this is most natural is because for many rings, a small coefficient norm implies a small norm in the canonical embedding. Unfortunately, there are rings for which this does not hold true (these are the ones with the large expansion factor), but it seems impossible to define a norm that is independent of $f$ in which products of small elements remain small in $\mathbb{Z}_q[x]/(f)$ for all $f$. We do want to point out that all polynomials that have been proposed for applications such as cyclotomics (of reasonable degree) and others, such as $x^p - x - 1$, have small expansion factors. In particular, any polynomial of the form $x^n + \sum_{i=0}^{\lfloor n/2 \rfloor} c_i x^i$ where the $c_i$ are small has a relatively small expansion factor [LM06]. Thus the signature scheme in this paper is as hard to break as finding short vectors in all such rings $\mathbb{Z}_q[x]/(f)$, of which there are exponentially many.


1.2 Discussion and Open Problems 

While our scheme has keys and signatures of size $O(\lambda)$ in the security
parameter $\lambda$, just like signature schemes based on the Ring-SIS and Ring-LWE
problems, the concrete instantiations are worse (see Fig. 1) than those of the
most practical schemes. Compared to BLISS [DDLL13], the secret key is about
20 times larger, the public key 10 times, and the signature about 30 times.
We did not optimize our scheme using the tricks from [GLP12,DDLL13], such as
compressing the signature using Huffman codes and altering the random oracle to
allow us to output one less polynomial in the signature. A rough estimate shows
that these improvements would decrease our signature size by about 20%, which
would still not make it competitive with the best constructions. The biggest
contributor to the superiority of the current state-of-the-art schemes is that
they are based on Ring-LWE rather than Ring-SIS.
It was shown in [Lyu12] that by creating the public key for the signature
scheme based on LWE (or an inhomogeneous version of SIS where there is a
unique solution), one can reduce the key/signature sizes by about an order of
magnitude. There seems to be a major roadblock to getting a reduction from
such problems to those that work over the ring $\mathbb{Z}_q[x]$, though. As we mentioned in
the previous section, one reason that we were able to give a reduction from f-SIS
to Ring-SIS over $\mathbb{Z}_q[x]$ is that the input to f-SIS does not really depend on
f. In an inhomogeneous version of f-SIS, however, where one is given $a_1, \ldots, a_k$
and $t = \sum_i a_i s_i \in \mathbb{Z}_q[x]/(f)$, where t is not statistically close to uniform in
$\mathbb{Z}_q[x]/(f)$, the value of t very much depends on f. Thus it is not clear to us how
to transform this into an instance that is at the same time independent of f,
yet somehow retains pseudo-randomness.

In addition to being able to create more efficient signatures based on the 
hardness of worst-case problems over all rings, getting such a reduction from 
f-LWE would then allow for efficient constructions of encryption schemes and 
a myriad of other primitives with the same hardness guarantees. We therefore 
believe that finding such a reduction would be truly an outstanding result. A 
slightly weaker, yet also very interesting achievement, would be to construct 
schemes which are simultaneously as hard as problems over a few different types 
of rings. The trivial solution would be to simply combine two schemes over two 
different rings, so the question here is whether it is possible to get something 
more efficient than the trivial construction. 

Of a more theoretical nature is the direction of trying to understand the real
hardness of our new average-case problems without relating them to $\mathbb{Z}_q[x]/(f)$.
The average-case problems that we define in this paper operate over the ring
$\mathbb{Z}_q[x]$, so perhaps showing that they are as hard as solving lattice problems over
ideals in $\mathbb{Z}[x]/(f)$ is not the most "natural" reduction. It would therefore be an
interesting problem if one could give a reduction to our average-case problem
from a different worst-case problem, perhaps more directly related to the ring
$\mathbb{Z}_q[x]$.


1.3 Paper Organization 

In Sect. 2 we introduce the notation and definitions that are used throughout the
paper. Section 3 presents the new average-case problems defined over the ring
$\mathbb{Z}_q[x]$ and lemmas showing their relation to lattice problems over all polynomial
rings. In Sect. 4, we describe a signature scheme and prove its security based on
the hardness of our new average-case problems.

2 Preliminaries 

2.1 Notation 

Throughout the paper, R will denote the polynomial ring $\mathbb{Z}_q[x]$. We will also
assume that all polynomial operations occur in this ring (thus we will not write
mod q, as it is implicit). Elements of this ring can be represented by polynomials

$$a = \sum_{i=0}^{\infty} a_i x^i \quad \text{where } a_i \in \{-\lfloor q/2 \rfloor, \ldots, \lfloor q/2 \rfloor\}.$$

For a polynomial $a \in R$ with a finite degree $\deg(a)$, we denote by $\|a\|_\infty$ the value
$\max_i |a_i|$ and by $\|a\|_1$ the value $\sum_{i \ge 0} |a_i|$.

We will write $R^{<n}$ to mean the set of all polynomials in R of degree less
than n, and $R_i^{<n}$ to be the polynomials $a \in R^{<n}$ with $\|a\|_\infty \le i$. For a polynomial
$a \in R$ and a monic polynomial f of degree n, the expression $a \bmod f$ denotes
the unique polynomial $a'$ in $R^{<n}$ for which there exists an $r \in \mathbb{Z}_q[x]$ such that

$$a' + r f = a.$$

There is a natural mapping between polynomials in $\mathbb{Z}[x]$ of degree less than n and
vectors in $\mathbb{Z}^n$ that simply maps each coefficient of the polynomial to a vector
coordinate. We will make use of this mapping implicitly throughout the paper,
that is, elements of $\mathbb{Z}^n$ are simultaneously polynomials in $R^{<n}$. If $a_1, \ldots, a_k$ are
elements in $\mathbb{Z}^n$, then their concatenation $(a_1 | \ldots | a_k)$ is a vector in $\mathbb{Z}^{kn}$.

For a set S, we write $s \xleftarrow{\$} S$ to mean that s is chosen uniformly at random
from S. For a distribution D, we write $s \leftarrow D$ to mean that s is chosen according
to the distribution D.


2.2 Lattice Problems

Definition 2.1 (Approximate shortest vector problem). Let $\Lambda$ be a lattice
corresponding to an ideal in the polynomial ring $\mathbb{Z}[x]/(f)$ and $\gamma \ge 1$ be some
real. The $f\text{-SVP}_\gamma(\Lambda)$ problem asks to find an element $v \in \Lambda$ such that

$$\|v\|_\infty \le \gamma \cdot \min_{w \in \Lambda \setminus \{0\}} \|w\|_\infty.$$

Definition 2.2 (Ring-SIS). The homogeneous f-SIS problem is defined as follows.
An instance of the $f\text{-SIS}_{k,q,\beta}$ problem consists of $a_1, \ldots, a_k \xleftarrow{\$} \mathbb{Z}_q[x]/(f)$.
A solution to the problem is k elements $z_1, \ldots, z_k$, not all zero, such that
$\|z_i\|_\infty \le \beta$ and

$$\sum_{i=1}^{k} a_i z_i = 0 \bmod f.$$

The main result of [LM06] was a connection between the hardness of the
$f\text{-SVP}_\gamma$ problem for all lattices in $\mathbb{Z}[x]/(f)$ and the $f\text{-SIS}_{k,q,\beta}$ problem. If the
length of elements is defined by the $\|\cdot\|_\infty$ function that simply looks at the
largest coefficient, then the quality of the reduction has a dependency on a
certain property of f that was called the "expansion factor". This expansion
factor measures how much the coefficients of a polynomial in $\mathbb{Z}[x]$ can grow when
it is reduced modulo f.

For the purposes of the theorem, we define the value $\theta_f$ as

$$\theta_f = \max_{g \in \mathbb{Z}[x],\ \deg(g) \le 3(\deg(f)-1)} \frac{\|g \bmod f\|_\infty}{\|g\|_\infty}.$$

It was shown in [LM06] that for polynomials such as $x^n + 1$ and $\sum_{i=0}^{p-1} x^i$, the
value of $\theta_f$ is a small constant (3 and 6 respectively). The paper also showed
how to put bounds on the expansion factor of other polynomials. We direct the
interested reader to [LM06] for a further discussion of this topic.

Theorem 2.3. [LM06] For any monic, irreducible (over the integers) f and
$q \ge 2\theta_f \beta k n^{1.5} \log n$, if there is a polynomial-time algorithm that solves the
$f\text{-SIS}_{k,q,\beta}$ problem with some non-negligible probability, then there is a
polynomial-time algorithm that solves the $f\text{-SVP}_\gamma$ problem with
$\gamma = 8\theta_f \beta k n \log^2 n$ for any lattice $\Lambda$ that corresponds to an ideal in $\mathbb{Z}[x]/(f)$.


2.3 The Discrete Normal (Gaussian) Distribution over $\mathbb{Z}^m$

Definition 2.4. The continuous Normal distribution over $\mathbb{R}^m$ centered at v with
standard deviation $\sigma$ is defined as

$$\rho^m_{v,\sigma}(x) = \left(\frac{1}{\sqrt{2\pi}\,\sigma}\right)^m e^{-\frac{\|x - v\|^2}{2\sigma^2}}.$$

When $v = 0$, we will just write $\rho^m_\sigma(x)$. The discrete Normal distribution over
$\mathbb{Z}^m$ is defined as follows:

Definition 2.5. The discrete Normal distribution over $\mathbb{Z}^m$ centered at some
$v \in \mathbb{Z}^m$ with standard deviation $\sigma$ is defined as $D^m_{v,\sigma}(x) = \rho^m_{v,\sigma}(x)/\rho^m_\sigma(\mathbb{Z}^m)$.

The following is a basic fact about the length of the discrete Gaussian distribution
over $\mathbb{Z}$.

Lemma 2.6. For any $r > 0$,

$$\Pr_{z \leftarrow D^1_\sigma}[\,|z| > r\sigma\,] < 2e^{-r^2/2}.$$

Lemma 2.7 (Adapted from [Lyu12]). Let V be a subset of $\mathbb{Z}^m$ in which all
elements have norms less than T, let $\sigma$ be defined as $11 \cdot T$, and let $h : V \to \mathbb{R}$ be a
probability distribution. Then the probability that the following algorithm

$\mathcal{A}$:
1: $v \leftarrow h$
2: $z \leftarrow D^m_{v,\sigma}$
3: output $(z, v)$ with probability $\min\left(\frac{D^m_\sigma(z)}{3 \cdot D^m_{v,\sigma}(z)},\ 1\right)$
4: if nothing was output, goto Step 1

terminates within 200 iterations is greater than $1 - 2^{-90}$ (the expected number
of iterations is 3), and conditioned on its termination, its distribution is within
statistical distance $2^{-95}$ of the distribution of the following algorithm

$\mathcal{F}$:
1: $v \leftarrow h$
2: $z \leftarrow D^m_\sigma$
3: output $(z, v)$
2.4 Digital Signatures

Definition 2.8. A signature scheme consists of a triplet of polynomial-time
(possibly probabilistic) algorithms (G, S, V) such that for every pair of outputs
(s, v) of $G(1^n)$ and any n-bit message m,

$$\Pr[V(v, m, S(s, m)) = 1] = 1,$$

where the probability is taken over the randomness of algorithms S and V.

In the above definition, G is called the key-generation algorithm, S is the
signing algorithm, V is the verification algorithm, and s and v are, respectively,
the signing and verification keys.

Definition 2.9. A signature scheme (G, S, V) is said to be secure if for every
polynomial-time (possibly randomized) forger $\mathcal{F}$, the probability that after seeing
the public key and $\{(\mu_1, S(s, \mu_1)), \ldots, (\mu_q, S(s, \mu_q))\}$ for any q messages $\mu_i$ of
its choosing (where q is polynomial in n), $\mathcal{F}$ can produce $(\mu, \sigma)$ with $\mu \notin \{\mu_1, \ldots, \mu_q\}$
such that $V(v, \mu, \sigma) = 1$, is negligibly small. The probability is taken over the randomness
of G, S, V, and $\mathcal{F}$.

A stronger notion of security, called strong unforgeability, requires that in
addition to the above, a forger should not even be able to come up with a different
signature for a message whose signature it has already seen. The scheme in this
paper satisfies this stronger notion.


2.5 Auxiliary Lemmas

Lemma 2.10. Let a be any monic polynomial in $\mathbb{Z}[x]$ of degree n. If b is a
polynomial in $\mathbb{Z}[x]$ of degree m each of whose coefficients is chosen at random
modulo q, then the coefficients of $c = a \cdot b \bmod q$ corresponding to the terms
$x^n, \ldots, x^{m+n}$ are jointly uniformly random modulo q.

Proof. If we write $c = c_0 + c_1 x + \ldots + c_{m+n} x^{m+n}$, then the coefficient $c_{m+n-j}$
for $0 \le j \le m$ is

$$c_{m+n-j} = \sum_{i=0}^{j} a_{n-i} \cdot b_{m-j+i} = b_{m-j} + \sum_{i=1}^{j} a_{n-i} \cdot b_{m-j+i},$$

with the second equality being true because a is a monic polynomial ($a_n = 1$).

From the above equality, it is not hard to see that once we generate the coefficients
$b_{m-j}$ through $b_m$, we will have completely determined the coefficients
$c_{m+n-j}$ through $c_{m+n}$ of the product. We can now prove the claim of the lemma
by induction. The coefficient $c_{m+n} = b_m$ is therefore uniformly random
modulo q. Now assume that we have already selected the coefficients $b_{m-j}$
through $b_m$, and therefore completely determined the coefficients $c_{m+n-j}$
through $c_{m+n}$, and that they are jointly uniformly random modulo q. Once we select
the coefficient $b_{m-j-1}$, we will have

$$c_{m+n-j-1} = b_{m-j-1} + \sum_{i=1}^{j+1} a_{n-i} \cdot b_{m-j-1+i}.$$

Because the term $b_{m-j-1}$ was not used to determine $c_{m+n-j}$ through $c_{m+n}$, we
have, for every $\gamma \in \mathbb{Z}_q$,

$$\Pr[c_{m+n-j-1} = \gamma \mid c_{m+n-j}, \ldots, c_{m+n}]
 = \Pr\Big[b_{m-j-1} = \gamma - \sum_{i=1}^{j+1} a_{n-i} \cdot b_{m-j-1+i} \;\Big|\; c_{m+n-j}, \ldots, c_{m+n}\Big]
 = \Pr\Big[b_{m-j-1} = \gamma - \sum_{i=1}^{j+1} a_{n-i} \cdot b_{m-j-1+i}\Big]
 = 1/q. \qquad \square$$

Lemma 2.11. Let $h : X \to Y$ be a deterministic function where X and Y are
finite sets and $|X| \ge 2^\lambda |Y|$. If x is chosen uniformly at random from X, then with
probability at least $1 - 2^{-\lambda}$, there exists another $x' \in X$, $x' \ne x$, such that $h(x) = h(x')$.

Proof. There are at most $|Y| - 1$ elements x in X for which there is no such $x'$
with $h(x) = h(x')$. Therefore the probability that a randomly chosen x has
a corresponding $x'$ for which $h(x) = h(x')$ is at least $(|X| - |Y| + 1)/|X| =
1 - |Y|/|X| + 1/|X| > 1 - 2^{-\lambda}$. $\square$

3 Ring-SIS over $\mathbb{Z}_q[x]$

We will now present several average-case problems that are defined over the
ring $\mathbb{Z}_q[x]$ rather than $\mathbb{Z}_q[x]/(f)$. The first such problem simply asks for a linear
combination of the inputs that sums to 0 in $\mathbb{Z}_q[x]$. This is quite similar to the
f-SIS problem from Definition 2.2, except that there is no reduction modulo f
and we also limit the degrees of the solution polynomials.

Definition 3.1. The homogeneous $R^{<n}\text{-SIS}_{k,d,\beta}$ problem is defined as follows.
An instance of $R^{<n}\text{-SIS}_{k,d,\beta}$ consists of $a_1, \ldots, a_k \xleftarrow{\$} R^{<n}$, and a solution to
the problem is k elements $z_1, \ldots, z_k \in R_\beta^{<d}$ such that at least one $z_i \ne 0$ and

$$\sum_{i=1}^{k} a_i z_i = 0.$$

Notice that if $\deg(f)$ is n, then instances of $f\text{-SIS}_{k,q,\beta}$ and of $R^{<n}\text{-SIS}_{k,d,\beta}$
have exactly the same distributions. Furthermore, it should be clear
that if $z_1, \ldots, z_k$ is a solution to the instance $a_1, \ldots, a_k$ of the $R^{<n}\text{-SIS}_{k,d,\beta}$
problem, then it is also a solution to the instance $a_1, \ldots, a_k$ of the $f\text{-SIS}_{k,q,\beta}$
problem. The next simple lemma shows that one can also transform instances of
the $f\text{-SIS}_{k,q,\beta}$ problem for $d \le \deg(f) \le n$ into instances of the $R^{<n}\text{-SIS}_{k,d,\beta}$
problem such that solutions to the latter are still solutions to the former.
Lemma 3.2. If there is an algorithm that can solve the $R^{<n}\text{-SIS}_{k,d,\beta}$ problem
in time t with probability $\epsilon$, then there is an algorithm that can solve the $f\text{-SIS}_{k,q,\beta}$
problem in time $t + \mathrm{poly}(n)$ with probability $\epsilon$ as long as $d \le \deg(f) \le n$.

Proof. Given $a_1, \ldots, a_k$ that form an instance of $f\text{-SIS}_{k,q,\beta}$, we choose
polynomials $r_1, \ldots, r_k \xleftarrow{\$} R^{<n-\deg(f)}$ and create $a'_i = a_i + f \cdot r_i$. If we write

$$a'_i = \sum_{j=0}^{n-1} a'_{i,j} x^j,$$

then Lemma 2.10 states that the coefficients $a'_{i,\deg(f)}$ through $a'_{i,n-1}$
are jointly uniformly random modulo q (because they are completely determined
by $f \cdot r_i$). And since all the $a_i$ are uniformly random in $R^{<\deg(f)}$, we have that
all of the $a'_i = a_i + f \cdot r_i$ are uniformly random in $R^{<n}$.

We feed the instance $a'_1, \ldots, a'_k$ to the $R^{<n}\text{-SIS}_{k,d,\beta}$ oracle. If it returns a
solution $z_1, \ldots, z_k \in R_\beta^{<d}$ such that $\sum_{i=1}^{k} a'_i z_i = 0$, then we claim that $z_1, \ldots, z_k$ is
also a solution to the $f\text{-SIS}_{k,q,\beta}$ problem. First observe that

$$0 = \sum_i a'_i z_i = \sum_i (a_i + r_i f) z_i = \sum_i a_i z_i + \sum_i r_i f z_i = \sum_i a_i z_i \bmod f.$$

Furthermore, because $\deg(z_i) < d \le \deg(f)$, we have that $z_i = z_i \bmod f$. Thus
if at least one of the $z_i$ is non-zero, so is one of the $z_i \bmod f$. $\square$

We next define an approximate inhomogeneous version of the Ring-SIS problem
over $\mathbb{Z}_q[x]$. The exact reasoning for the particular definition is due to the
particularities of the signature scheme that we will be constructing in the next
section. Intuitively, the inhomogeneous version of Ring-SIS should ask to find a
solution $(z_1, \ldots, z_k)$ that satisfies $\sum_i a_i z_i = t$. In our definition below, we additionally
specify the distribution that the input t should have, and also allow an
approximate solution to this equation, meaning that the sum $\sum_i a_i z_i$ does not need
to equal exactly t, but could equal tc for some element $c \in \mathbb{Z}_q[x]$ with a small
$\ell_1$ norm.

Definition 3.3. We define the approximate inhomogeneous Ring-SIS problem
as follows. An instance of the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,c,\beta}$ problem consists of polynomials
$a_1, \ldots, a_k \xleftarrow{\$} R^{<n}$ and $t = \sum_{i=1}^{k} a_i s_i$ where $s_i \xleftarrow{\$} R_s^{<d_1}$. A solution to the
problem is k elements $z_1, \ldots, z_k \in R_\beta^{<d_2}$ and a $c \in R^{<d_2 - d_1 + 1}$ with $0 < \|c\|_1 \le c$
(the $\ell_1$ bound and the polynomial share the name c) such that

$$\sum_{i=1}^{k} a_i z_i = tc.$$

The next lemma relates the hardness of solving the inhomogeneous Ring-SIS
problem to the homogeneous one. We show that under certain conditions,
solving the particular version of the inhomogeneous problem implies being able
to solve the homogeneous one.
Lemma 3.4. Suppose that the following relationships are satisfied:

1. $d_1 \le d_2 \le n$.

2. $s \ge 2^{\frac{\lambda}{k d_1} - 1} \cdot q^{\frac{n + d_1 - 1}{k d_1}}$.

3. $sc \le q/4$.

If there is an algorithm that solves the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,c,\beta}$ problem in time t with
probability $\epsilon$, there is an algorithm that solves the $R^{<n}\text{-SIS}_{k,d_2,\beta+sc}$ problem with
probability at least $\frac{1}{2} \cdot (\epsilon - 2^{-\lambda})$ in time $\mathrm{poly}(n) + t$.

Proof. Given an instance $a_1, \ldots, a_k$ of an $R^{<n}\text{-SIS}_{k,d_2,\beta+sc}$ problem, we select
$s_1, \ldots, s_k \xleftarrow{\$} R_s^{<d_1}$ and set $t \leftarrow \sum_i a_i s_i$. We give the instance $a_1, \ldots, a_k, t$ to the
oracle that solves $R^{<n}\text{-SIS}_{k,d_1,d_2,s,c,\beta}$.

Suppose the oracle solves the problem and returns k elements $z_1, \ldots, z_k \in R_\beta^{<d_2}$
and a $c \in R^{<d_2 - d_1 + 1}$ with $0 < \|c\|_1 \le c$ such that

$$\sum_{i=1}^{k} a_i z_i = tc = \sum_{i=1}^{k} a_i s_i c,$$

which implies that

$$\sum_{i=1}^{k} a_i (z_i - s_i c) = 0.$$

Note that $\deg(z_i - s_i c) < d_2$ and

$$\|z_i - s_i c\|_\infty \le \|z_i\|_\infty + \|s_i c\|_\infty \le \beta + \|s_i\|_\infty \cdot \|c\|_1 \le \beta + sc.$$

Thus if for some i, $z_i - s_i c \ne 0$, we have a solution for $R^{<n}\text{-SIS}_{k,d_2,\beta+sc}$. If
we consider the function $f : (R_s^{<d_1})^k \to R^{<n+d_1-1}$ defined as $f(s_1, \ldots, s_k) = \sum_{i=1}^{k} a_i s_i$,
the domain size of this function is $(2s+1)^{kd_1}$, while the range is of size
$q^{n+d_1-1}$. Because we set $s \ge 2^{\lambda/(kd_1) - 1} \cdot q^{(n+d_1-1)/(kd_1)}$, the size of the domain
is greater than $2^\lambda \cdot q^{n+d_1-1}$. By Lemma 2.11, there is probability at least $1 - 2^{-\lambda}$
that there exists another $s'_1, \ldots, s'_k \in R_s^{<d_1}$, different from $s_1, \ldots, s_k$, such that

$$t = \sum_{i=1}^{k} a_i s_i = \sum_{i=1}^{k} a_i s'_i.$$

Since it is perfectly indistinguishable whether $s_1, \ldots, s_k$ or $s'_1, \ldots, s'_k$ were used in
creating t (because both of them have the same posterior probability of having
been chosen), the probability of the oracle outputting $z_1, \ldots, z_k, c$ such that
$z_i - s_i c = 0$ for all i is exactly the same as if t were generated as in the reduction,
but then, after the adversary produced his output, the preimage of t was chosen
at random among all the valid choices. We will now show that $z_i - s_i c$ can only
equal 0 for all i for at most one of these choices.

If $(s_1, \ldots, s_k) \ne (s'_1, \ldots, s'_k)$, then there is at least one i with $s_i \ne s'_i$. For
this i, suppose that $z_i - s_i c = 0 = z_i - s'_i c$. This implies that $(s_i - s'_i) c = 0$.
Since $\mathbb{Z}_q[x]$ is an integral domain (q is prime), this can only happen if either $c = 0$ or
$s_i = s'_i$. This is a contradiction. Therefore with probability at least 1/2, some
$z_i - s_i c \ne 0$. $\square$
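The two instance transformations of Lemmas 3.2 and 3.4, as an added example on toy parameters (illustration code written for this page, not the paper's): `lift_fsis_instance` is the re-randomisation $a'_i = a_i + f r_i$ of Lemma 3.2, and `inhom_to_hom` is the step $z_i \mapsto z_i - s_i c$ of Lemma 3.4. The prime q = 7681, the sizes n = 8, $d_1$ = 2, $d_2$ = 4, the polynomial $f = x^5 + x + 1$ and the planted solution are assumptions. Since no efficient solver for small solutions exists, the demo plants one: with $a'_1 = w_2 u$ and $a'_2 = -w_1 u$ the identity $a'_1 w_1 + a'_2 w_2 = 0$ holds in $\mathbb{Z}_q[x]$ for any u, which is enough to exercise both lemmas.

```python
"""Added example (not the paper's code): the instance transformations of Lemmas 3.2 and 3.4
over Z_q[x] on toy parameters. The prime q, all sizes and the planted solution are assumptions."""
import random

Q = 7681  # toy prime modulus (assumption); Z_q[x] is an integral domain because Q is prime


def pmul(a, b):
    """Product in Z_q[x]: plain convolution mod Q, no reduction modulo any f."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def padd(a, b, sign=1):
    """a + b (sign=1) or a - b (sign=-1) in Z_q[x]."""
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0)) % Q
            for i in range(n)]


def pmod(a, f):
    """a mod f for monic f: the unique a' with deg(a') < deg(f) and a' + r f = a (Sect. 2.1)."""
    a = [x % Q for x in a]
    degf = len(f) - 1
    for i in range(len(a) - 1, degf - 1, -1):  # clear the coefficient of x^i for every i >= deg(f)
        coef = a[i]
        if coef:
            for j in range(len(f)):
                a[i - degf + j] = (a[i - degf + j] - coef * f[j]) % Q
    return a[:degf]


def is_zero(a):
    return all(x % Q == 0 for x in a)


def lift_fsis_instance(a_list, f, n):
    """Lemma 3.2: for each a_i in Z_q[x]/(f) (degree < deg f) pick r_i <- R^{<n-deg f} and return
    a'_i = a_i + f r_i, a uniformly random element of R^{<n} whose reduction mod f is again a_i."""
    degf = len(f) - 1
    lifted = []
    for a in a_list:
        r = [random.randrange(Q) for _ in range(n - degf)]
        lifted.append(padd(a, pmul(f, r)))
    return lifted


def solves_rsis(a_list, z_list):
    """Homogeneous R^{<n}-SIS (Def. 3.1): sum a_i z_i = 0 in Z_q[x] and some z_i != 0."""
    acc = [0]
    for a, z in zip(a_list, z_list):
        acc = padd(acc, pmul(a, z))
    return is_zero(acc) and not all(is_zero(z) for z in z_list)


def solves_fsis(a_list, z_list, f):
    """f-SIS (Def. 2.2): sum a_i z_i = 0 mod f and some z_i mod f != 0."""
    acc = [0]
    for a, z in zip(a_list, z_list):
        acc = padd(acc, pmul(a, z))
    return is_zero(pmod(acc, f)) and not all(is_zero(pmod(z, f)) for z in z_list)


def inhom_to_hom(a_list, s_list, z_list, c):
    """Lemma 3.4: if sum a_i z_i = t c with t = sum a_i s_i, then w_i = z_i - s_i c satisfy sum a_i w_i = 0."""
    return [padd(z, pmul(s, c), sign=-1) for z, s in zip(z_list, s_list)]


def run_demo(seed=0):
    random.seed(seed)
    n, d2 = 8, 4                       # toy sizes (assumption); s_i have degree < d1 = 2, c degree < d2-d1+1 = 3
    f = [1, 1, 0, 0, 0, 1]             # f = x^5 + x + 1 (low to high), monic, with d2 <= deg f <= n
    # Planted small solution w: a'_1 = w_2 u, a'_2 = -w_1 u gives a'_1 w_1 + a'_2 w_2 = 0 in Z_q[x].
    w = [[1, -1, 0, 1], [0, 1, 1, -1]]
    u = [random.randrange(Q) for _ in range(n - d2 + 1)]
    a_lift = [pmul(w[1], u), [(-x) % Q for x in pmul(w[0], u)]]
    a_f = [pmod(a, f) for a in a_lift]  # the same instance read in Z_q[x]/(f)
    relift = lift_fsis_instance(a_f, f, n)
    # Lemma 3.4 setting: t = sum a_i s_i and an oracle answer (z_i = s_i c + w_i, c) with ||c||_1 = 2.
    s = [[1, -1], [0, 1]]
    c = [1, 0, -1]
    t = padd(pmul(a_lift[0], s[0]), pmul(a_lift[1], s[1]))
    z = [padd(pmul(si, c), wi) for si, wi in zip(s, w)]
    lhs = padd(pmul(a_lift[0], z[0]), pmul(a_lift[1], z[1]))
    return {
        "planted_solves_rsis": solves_rsis(a_lift, w),
        "planted_solves_fsis": solves_fsis(a_f, w, f),          # Lemma 3.2: the same z works modulo f
        "relift_reduces_to_af": all(pmod(x, f) == y for x, y in zip(relift, a_f)),
        "oracle_answer_is_valid": is_zero(padd(lhs, pmul(t, c), sign=-1)),
        "trivial_answer_gives_zero": all(is_zero(v) for v in inhom_to_hom(a_lift, s, [pmul(si, c) for si in s], c)),
        "real_answer_gives_rsis": solves_rsis(a_lift, inhom_to_hom(a_lift, s, z, c)),
    }
```

`run_demo` also exhibits the degenerate oracle answer $z_i = s_i c$ that the second-preimage argument of Lemma 3.4 has to rule out: `inhom_to_hom` maps it to the all-zero vector, which is not a valid $R^{<n}$-SIS solution, whereas any answer that differs from $s_i c$ in some coordinate is mapped to one.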

4 The Signature Scheme

We now formally describe our scheme via secret key generation, public key
generation, signing, and verification algorithms.

The fixed, public parameters in our scheme are stated below. The values
$n, k, q, s, d_1, d_2, c$ are intuitively related to the parametrization of the $R^{<n}\text{-SIS}$
problem, with the standard deviation $\sigma$ being related to the parameter $\beta$. We
furthermore define a cryptographic hash function H whose range is the set C, which
consists of bounded-degree polynomials with small $\ell_1$ norms.

Fixed Parameters:

- Positive integers $n, k, q, s, d_1, d_2, c$, and $\sigma = 11sc \cdot \sqrt{d_2 k}$
- Ring $R = \mathbb{Z}_q[x]$
- Set $C = \{c \in R^{<d_2 - d_1 + 1} \text{ with } \|c\|_1 \le c\}$
- Cryptographic hash function $H : \{0,1\}^* \to C$

In Fig. 1, we give some sample parameters with which our scheme can be
instantiated. For this, we use the reduction from breaking the signature scheme to
the f-SIS problem that is given in the next section. In that section we show that
breaking the scheme implies solving the $f\text{-SIS}_{k,q,\beta}$ problem for $\beta = 2sc + 10\sigma$.
Even though there is a reduction from every f whose degree is between $d_2$ and
n, we instantiate the security based on the hardness of the f-SIS problem for
f whose degree is close to n. Of course if one wants to be more conservative,
one could set the parameters so that the scheme is even secure in practice for
polynomials whose degrees are closer to $d_2$.

To set the concrete parameters, we use the standard notion of the Hermite
factor defined in [GN08] and the explanation for how to approximate it for the
SIS problem given in [MR08].

The key generation algorithm generates $a_1, \ldots, a_k \xleftarrow{\$} R^{<n}$ and $s_1, \ldots, s_k \xleftarrow{\$} R_s^{<d_1}$,
and then outputs $(a_1, \ldots, a_k, t = \sum_{i=1}^{k} a_i s_i)$ as the public key. This is, in
fact, an instance of the inhomogeneous $R^{<n}\text{-SIS}$ problem from Definition 3.3.
  n      k    q        s      d_1    d_2    c    sigma      secret key size   public key size   signature size   Hermite factor
  1459   6    ≈ 2^30   1535   1111   1285   36   ≈ 2^25.7   8.8 KB            9.6 KB            27 KB            1.005

Fig. 1. Sample parameters for the signature scheme


To generate a signature of $\mu$, the signer selects "masking" variables $y_i$
from a particular distribution, computes $c = H(\sum_i a_i y_i, \mu)$, and then creates
$z_i = s_i c + y_i$. By the way the parameters were set, each $z_i$ is in $R^{<d_2}$. Thus
the concatenation of the k vectors $z = (z_1 | \ldots | z_k)$ can be thought of as a
vector in $\mathbb{Z}^{kd_2}$. If we similarly define the vector $s = (s_1 c | \ldots | s_k c) \in \mathbb{Z}^{kd_2}$, then
we can see that the vector z is distributed according to the discrete Gaussian
distribution $D^{kd_2}_{s,\sigma}$. To get rid of the dependence on s, we use the rejection sampling
procedure from [Lyu12] by running the RejectionSample algorithm. By the
way the parameters are set, there is a 1/3 probability that the signature will be
output, and a 2/3 chance that the signing procedure will need to be restarted.
After some $(z_1, \ldots, z_k)$ eventually passes the rejection sampling procedure, its
distribution will be $D^{kd_2}_\sigma$ (up to the statistical distance of Lemma 2.7).

Key Generation:

1. Generate $a_1, \ldots, a_k \xleftarrow{\$} R^{<n}$
2. Generate $s_1, \ldots, s_k \xleftarrow{\$} R_s^{<d_1}$
3. Set $t \leftarrow \sum_{i=1}^{k} a_i s_i$
4. Public Key $(a_1, \ldots, a_k, t)$, Secret Key $(s_1, \ldots, s_k)$

Because the distribution is being sampled from $\mathbb{Z}^{kd_2}$, which is an orthogonal
lattice, each coefficient of $z_i$ is distributed according to $D^1_\sigma$. Thus, by Lemma 2.6,
the probability that a given coefficient is larger than $5\sigma$ in absolute value is less
than $2e^{-25/2} < 2^{-17}$. For simplicity, we would like to make sure that all $z_i$
are small, and so we check that each of their coefficients is at most $5\sigma$ in absolute value. The
probability that all $kd_2$ positions pass this check is at least $1 - kd_2 \cdot 2^{-17}$. In
our sample instantiation, $kd_2 < 2^{13}$, and thus the probability that this check is
passed is greater than 15/16. So with probability at most 1/16, the procedure
gets restarted. The signing algorithm finally outputs $(z_1, \ldots, z_k, c)$.


Digital Signatures Based on the Hardness of Ideal Lattice Problems 209 


Sign$(\mu, (a_1, \ldots, a_k, t), (s_1, \ldots, s_k))$:

1. Generate $y_1, \ldots, y_k \in R^{<d_2}$ such that $y_i \leftarrow D^{d_2}_\sigma$
2. Set $c = H(\sum_{i=1}^{k} a_i y_i, \mu)$
3. For i = 1 to k, set $z_i = s_i c + y_i$
4. $b \leftarrow \text{RejectionSample}(z_1, \ldots, z_k, s_1, \ldots, s_k, c, \sigma, d_2)$
5. If $b = 0$, then goto 1
6. If for some i, $\|z_i\|_\infty > 5\sigma$, then goto 1
7. Output $(z_1, \ldots, z_k, c)$

RejectionSample$(z_1, \ldots, z_k, s_1, \ldots, s_k, c, \sigma, d_2)$:

1. Let $z \leftarrow (z_1 | \ldots | z_k) \in \mathbb{Z}^{kd_2}$
2. Let $s \leftarrow (s_1 c | \ldots | s_k c) \in \mathbb{Z}^{kd_2}$
3. With probability $\min\left(D^{kd_2}_\sigma(z) / (3 \cdot D^{kd_2}_{s,\sigma}(z)),\ 1\right)$, output 1. Else output 0.

The verification algorithm looks at the signature $(z_1, \ldots, z_k, c)$ and accepts
if and only if all the coefficients of the $z_i$ are at most $5\sigma$ in absolute value and

$$c = H\Big(\sum_{i=1}^{k} a_i z_i - tc,\ \mu\Big).$$

Verify$(\mu, (a_1, \ldots, a_k, t), (z_1, \ldots, z_k, c))$:

1. If for some i, $\deg(z_i) \ge d_2$ or $\|z_i\|_\infty > 5\sigma$, then Reject
2. If $c \ne H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$, then Reject
3. Accept
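The key generation, signing (with RejectionSample and the $5\sigma$ check) and verification algorithms above, as an added, runnable example on toy parameters (written for this page; it is not the paper's code). The parameters n = 16, k = 2, q = 1000003, s = 1, $d_1$ = 8, $d_2$ = 40 and c = 8, the exact discrete-Gaussian sampler, and the hash H into C built from SHA-256 (c distinct $\pm 1$ coefficients, so $\|c\|_1 = c$) are all assumptions. Every product is taken in $\mathbb{Z}_q[x]$ without a modulus polynomial, so degrees add and $\sum_i a_i z_i - tc$ has degree below $n + d_2 - 1$; the rejection step is evaluated on the concatenated vectors $z$ and $s$ exactly as in RejectionSample, with $D_\sigma(z)/D_{s,\sigma}(z) = e^{(\|z-s\|^2 - \|z\|^2)/(2\sigma^2)}$.

```python
"""Added example (not the paper's code): a toy, runnable instantiation of the Sect. 4 scheme over
Z_q[x] with no modulus polynomial f. Parameters, the discrete-Gaussian sampler and the SHA-256
based hash H : {0,1}^* -> C are all assumptions chosen so that signing takes well under a second."""
import hashlib
import math
import random

# Toy parameters (assumption; far too small for security). CB is the ell_1 bound "c" on hash outputs.
Q, N, K, D1, D2, S, CB = 1000003, 16, 2, 8, 40, 1, 8
DEG_C = D2 - D1 + 1                      # C = {c in R^{<d2-d1+1} : ||c||_1 <= CB}
SIGMA = 11 * S * CB * math.sqrt(D2 * K)  # sigma = 11 s c sqrt(d2 k) = 11 T with T = sc sqrt(k d2) (Lemma 2.7)
BOUND = 5 * SIGMA                        # the ||z_i||_inf <= 5 sigma check of Sign and Verify

def center(a):
    """Representative of a mod Q in (-Q/2, Q/2)."""
    a %= Q
    return a - Q if a > Q // 2 else a

def poly_mul(a, b):
    """Product in Z_q[x]: degrees add, nothing is reduced modulo an f."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % Q
    return out

def poly_add(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % Q for i in range(n)]

def canon(a):
    """Coefficients in [0, Q) with trailing zeros dropped, so equal polynomials hash identically."""
    a = [x % Q for x in a]
    while a and a[-1] == 0:
        a.pop()
    return tuple(a)

def sample_dgauss(sigma, tail=12):
    """Exact sample from D^1_sigma (tail cut at tail*sigma): uniform proposal, accept w.p. e^{-x^2/(2 sigma^2)}."""
    bound = int(tail * sigma)
    while True:
        x = random.randint(-bound, bound)
        if random.random() < math.exp(-x * x / (2 * sigma * sigma)):
            return x

def hash_to_C(poly, msg):
    """Assumed H: SHA-256 of (canonical polynomial, message) seeds CB distinct +-1 coefficients."""
    digest = hashlib.sha256(repr(canon(poly)).encode() + b"|" + msg).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    c = [0] * DEG_C
    for pos in rng.sample(range(DEG_C), CB):
        c[pos] = 1 if rng.random() < 0.5 else -1
    return c

def keygen():
    a = [[random.randrange(Q) for _ in range(N)] for _ in range(K)]      # a_i <- R^{<n}
    s = [[random.randint(-S, S) for _ in range(D1)] for _ in range(K)]   # s_i <- R_s^{<d1}
    t = [0]
    for ai, si in zip(a, s):
        t = poly_add(t, poly_mul(ai, si))                               # t = sum a_i s_i (a Def. 3.3 instance)
    return (a, t), s

def sign(msg, pk, sk):
    a, _ = pk
    while True:                                                         # restart on rejection or the 5 sigma check
        y = [[sample_dgauss(SIGMA) for _ in range(D2)] for _ in range(K)]  # y_i <- D^{d2}_sigma
        u = [0]
        for ai, yi in zip(a, y):
            u = poly_add(u, poly_mul(ai, yi))                           # sum a_i y_i
        c = hash_to_C(u, msg)
        sc = [[center(x) for x in poly_mul(si, c)] for si in sk]        # s_i c: degree < d2, entries <= S*CB
        z = [[sci[j] + yi[j] for j in range(D2)] for sci, yi in zip(sc, y)]  # z_i = s_i c + y_i over Z
        # RejectionSample on the concatenated vectors: accept w.p. min(D_sigma(z) / (3 D_{s,sigma}(z)), 1)
        zv = [x for zi in z for x in zi]
        sv = [x for sci in sc for x in sci]
        expo = (sum((zj - sj) ** 2 for zj, sj in zip(zv, sv)) - sum(zj * zj for zj in zv)) / (2 * SIGMA ** 2)
        if random.random() >= min(math.exp(expo) / 3.0, 1.0):
            continue
        if any(abs(x) > BOUND for zi in z for x in zi):
            continue
        return z, c

def verify(msg, pk, sig):
    a, t = pk
    z, c = sig
    if len(z) != K or any(len(zi) > D2 or any(abs(x) > BOUND for x in zi) for zi in z):
        return False
    u = [(-x) % Q for x in poly_mul(t, c)]                              # -t c
    for ai, zi in zip(a, z):
        u = poly_add(u, poly_mul(ai, zi))                               # + sum a_i z_i (= sum a_i y_i if honest)
    return hash_to_C(u, msg) == c

def run_demo(seed=None):
    """Sign one constructed message and exercise the checks a verifier relies on."""
    random.seed(seed)
    pk, sk = keygen()
    msg = b"constructed test message"
    z, c = sign(msg, pk, sk)
    tampered = ([[x + (1 if (i, j) == (0, 0) else 0) for j, x in enumerate(zi)] for i, zi in enumerate(z)], c)
    return {"valid": verify(msg, pk, (z, c)),
            "wrong_message": verify(b"another message", pk, (z, c)),
            "tampered_z": verify(msg, pk, tampered),                    # strong unforgeability: z changed, c kept
            "c_l1": sum(abs(x) for x in c),
            "z_inf": max(abs(x) for zi in z for x in zi)}

if __name__ == "__main__":
    print(run_demo(1))
```

With these sizes the hash range C has about $\binom{33}{8} \cdot 2^8 \approx 2^{31.7}$ elements, so a signature whose $z_1$ was altered by one unit is rejected with overwhelming probability even though c is unchanged; at the paper's parameters $|C|$ is astronomically larger. The loop in `sign` restarts on average about three times, matching the 1/3 acceptance rate of RejectionSample, and `verify` additionally enforces that the signature consists of exactly k polynomials of degree below $d_2$.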


4.1 Security

The main result of this section is a reduction from solving the
$R^{<n}\text{-SIS}_{k,d_2,2sc+10\sigma}$ problem to forging the signature scheme. We first show how one
can simulate the signing algorithm without knowing the secret key $s_1, \ldots, s_k$ by
programming the random oracle (Lemma 4.1).

We then show in Theorem 4.2 that an adversary who breaks the signature
scheme that uses the signing algorithm from Lemma 4.1 can be used to solve
either the $R^{<n}\text{-SIS}$ problem from Definition 3.1 or the one from Definition 3.3.
By Lemma 3.4, this implies that the adversary can be used to solve the problem
from Definition 3.1, and therefore any instance of the f-SIS problem for f of
degree between $d_2$ and n. The latter then allows one to solve worst-case lattice
problems in the ring $\mathbb{Z}[x]/(f)$.

Lemma 4.1. Suppose that the random oracle H is already programmed on v
values. Then the statistical distance between the output of the signing procedure
and the following HybridSign algorithm, which does not take any secret keys
$s_i$ as inputs, is at most $2^{-95} + v \cdot (\sqrt{2\pi}\sigma - 1)^{-d_2}$.
HybridSign$(\mu, (a_1, \ldots, a_k, t))$:

1. $c \xleftarrow{\$} C$
2. Generate $z_1, \ldots, z_k \in R^{<d_2}$ such that $z_i \leftarrow D^{d_2}_\sigma$
3. If for some i, $\|z_i\|_\infty > 5\sigma$, then goto 1
4. Program $c = H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$
5. Output $(z_1, \ldots, z_k, c)$


Proof. We first define another intermediate signing hybrid algorithm named
HybridSign'.

HybridSign'$(\mu, (a_1, \ldots, a_k, t), (s_1, \ldots, s_k))$:

1. Generate $y_1, \ldots, y_k \in R^{<d_2}$ such that $y_i \leftarrow D^{d_2}_\sigma$
2. $c \xleftarrow{\$} C$
3. For i = 1 to k, set $z_i = s_i c + y_i$
4. $b \leftarrow \text{RejectionSample}(z_1, \ldots, z_k, s_1, \ldots, s_k, c, \sigma, d_2)$
5. If $b = 0$, then goto 1
6. If for some i, $\|z_i\|_\infty > 5\sigma$, then goto 1
7. Program $c = H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$
8. Output $(z_1, \ldots, z_k, c)$

The difference between the real signing procedure and HybridSign' is that the
value of

$$c = H\Big(\sum_{i=1}^{k} a_i z_i - tc,\ \mu\Big) = H\Big(\sum_{i=1}^{k} a_i y_i,\ \mu\Big)$$

gets set uniformly at random in HybridSign', whereas in the real signature
scheme, H would first check whether it was already evaluated on $(\sum_{i=1}^{k} a_i y_i, \mu)$
and only assign it a random value if it wasn't. Therefore HybridSign' will differ
from the real scheme in the case that the value of $\sum_{i=1}^{k} a_i y_i$ collides with one of
the already-queried values.

For any w (fixing $y_2, \ldots, y_k$ and writing $w' = w - \sum_{i=2}^{k} a_i y_i$),

$$\Pr_{y_i \leftarrow D^{d_2}_\sigma}\Big[\sum_{i=1}^{k} a_i y_i = w\Big] \le \max_{w'} \Pr_{z_1 \leftarrow D^{d_2}_\sigma}[a_1 z_1 = w'] \le (\sqrt{2\pi}\sigma - 1)^{-d_2},$$

where the last inequality holds because there is at most one possible $z_1$ that
satisfies this equation (because $\mathbb{Z}_q[x]$ is an integral domain and $a_1 \ne 0$) and because the
likeliest element in the discrete Gaussian distribution $D^{d_2}_\sigma$ is 0, which has probability
less than $(\sqrt{2\pi}\sigma - 1)^{-d_2}$. Thus if there were already v values of the random oracle
that were set, there is less than a $v \cdot (\sqrt{2\pi}\sigma - 1)^{-d_2}$ probability that there would
be a collision. In our sample instantiation, for example, $\sigma$ is approximately $2^{25}$
and $d_2 > 1200$, and so this probability is extremely small.

We now compare HybridSign' with HybridSign. Lemma 2.7 states that the
distribution of the eventual value of $(z_1, \ldots, z_k, c)$ after the first 5 steps of
HybridSign' is within statistical distance $2^{-95}$ of the distribution of $(z_1, \ldots, z_k, c)$
after the first two steps of HybridSign. Since the rest of the steps in both hybrids are identical,
their statistical distance is at most $2^{-95}$. Thus the statistical distance between
the distributions of the output of the real signing algorithm and HybridSign is at most

$$2^{-95} + v \cdot (\sqrt{2\pi}\sigma - 1)^{-d_2}. \qquad \square$$


Theorem 4.2. Suppose there exists an adversary who makes a total of t queries
(a query count, not to be confused with the public-key polynomial t) to the signing
hybrid in Lemma 4.1 and the random oracle H during his attack
and succeeds in forging with probability $\delta$. Then there is an algorithm with the
same time complexity that solves either the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,2c,10\sigma}$ problem or
the $R^{<n}\text{-SIS}_{k,d_2,10\sigma}$ problem with probability at least

$$\frac{1}{2} \cdot \Big(\delta - \frac{1}{|C|}\Big) \cdot \Big(\frac{\delta - 1/|C|}{t} - \frac{1}{|C|}\Big).$$

Proof. Let $(a_1, \ldots, a_k, t)$ be an instance of the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,2c,10\sigma}$ problem
and $(a'_1, \ldots, a'_k)$ be an instance of the $R^{<n}\text{-SIS}_{k,d_2,10\sigma}$ problem. If we
choose $s'_1, \ldots, s'_k \xleftarrow{\$} R_s^{<d_1}$ and compute $t' = \sum_i a'_i s'_i$, then the distribution of
$(a_1, \ldots, a_k, t)$ is exactly the same as that of $(a'_1, \ldots, a'_k, t')$. The simulator then
chooses one of those two sets at random and declares it as the public key of the
signature scheme. If the adversary produces a forgery on a new message, then we
will show that he will solve an instance of the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,2c,10\sigma}$ problem.
If he produces a signature of a message he has already seen, then he will solve
the $R^{<n}\text{-SIS}_{k,d_2,10\sigma}$ problem. The simulator's hope is therefore that if he gives
the adversary the instance $(a_1, \ldots, a_k, t)$, the adversary will forge a signature
on a new message, whereas if the simulator gives $(a'_1, \ldots, a'_k, t')$, the adversary
will forge on a message he has already seen. It is easy to see that this lowers the
success probability of the simulator by a factor of 2.

For simplicity, we will now refer to the public key as $(a_1, \ldots, a_k, t)$. During
the attack, the adversary may interact with the Simulator in one of three ways.
He may ask for a signature of a message $\mu'$, for which the Simulator will use
HybridSign, or query the hash function H on any element in $\{0,1\}^*$, or produce
a forgery on $\mu$. If the adversary asks for a signature of $\mu'$, the Simulator simply
returns the output of HybridSign. If the adversary queries H on some value, then
the Simulator first checks if that value was already assigned and returns it, or
otherwise just chooses a random element $c \in C$ and programs it to be the output
of H on the adversary's input.

If the adversary comes up with a signature $(z_1, \ldots, z_k, c)$ for a message $\mu$,
then this signature satisfies the equality $c = H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$. If the value
of H on $(\sum_{i=1}^{k} a_i z_i - tc, \mu)$ has never been programmed during a signing query or
a random oracle query, then the adversary has only a $1/|C|$ chance of guessing
the c that equals $H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$. So we will assume that the value of
$H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$ has already been set.

We will first handle the case where it has been set during a signing query. In
this case, the simulator already gave a signature $(z'_1, \ldots, z'_k, c)$ for the message
$\mu$. In order for $(z_1, \ldots, z_k, c)$ to be a valid forgery for $\mu$, some $z_i$ must be different
from $z'_i$. The adversary's forgery therefore implies that

$$\sum_{i=1}^{k} a_i z_i - tc = \sum_{i=1}^{k} a_i z'_i - tc,$$

and therefore

$$\sum_{i=1}^{k} a_i (z_i - z'_i) = 0$$

with $z_i \ne z'_i$ for at least one i. Since all $\|z_i - z'_i\|_\infty \le 10\sigma$ and $\deg(z_i - z'_i) < d_2$,
they form a solution to the $R^{<n}\text{-SIS}_{k,d_2,10\sigma}$ problem.

We now move to the case where the adversary constructs a signature
for a message he has not yet seen. If the adversary comes up with a
valid forgery $(z_1, \ldots, z_k, c)$ for a new message $\mu$, then $\|z_i\|_\infty \le 5\sigma$ and
$c = H(\sum_{i=1}^{k} a_i z_i - tc, \mu)$. As before, if the adversary never queried H on
$(\sum_{i=1}^{k} a_i z_i - tc, \mu)$, then he only has at most a $1/|C|$ chance of producing such a
forgery. Thus let us assume that the adversary did make such a "winning" query.
We then "rewind" the adversary by rerunning him with the same random coins
and responding to all the random oracle queries (both his and the ones used in
the signing) the same way as before until the "winning" query. Starting from
the "winning" query, however, we select uniformly random responses to all random
oracle queries. Let $c'$ be the new response to the "winning" query. By the
General Forking Lemma of Bellare and Neven [BN06, Lemma 1], the probability
that $c \ne c'$ and the adversary again forges on the "winning" query is at least

$$\Big(\delta - \frac{1}{|C|}\Big) \cdot \Big(\frac{\delta - 1/|C|}{t} - \frac{1}{|C|}\Big).$$

With the above probability, then, the Simulator obtains another equation
$c' = H(\sum_{i=1}^{k} a_i z'_i - tc', \mu)$ where $\sum_{i=1}^{k} a_i z'_i - tc' = \sum_{i=1}^{k} a_i z_i - tc$ because the query was
the same in both runs of the adversary. Therefore

$$\sum_{i=1}^{k} a_i (z_i - z'_i) = t(c - c'),$$

and so $(z_1 - z'_1, \ldots, z_k - z'_k, c - c')$, with $0 < \|c - c'\|_1 \le 2c$, is a solution to the instance
$(a_1, \ldots, a_k, t)$ of the $R^{<n}\text{-SIS}_{k,d_1,d_2,s,2c,10\sigma}$ problem. $\square$

Putting Theorem 4.2, Lemmas 3.4, and 4.1 together, we see that if the signature
scheme parameters satisfy the pre-conditions on the public parameters
in Lemma 3.4, then an adversary who breaks the signature scheme either solves
the $R^{<n}\text{-SIS}_{k,d_2,10\sigma}$ problem or the $R^{<n}\text{-SIS}_{k,d_2,2sc+10\sigma}$ problem (the latter is a
strictly weaker problem, so in either case the latter is solved). This implies that an adversary who breaks the signature
scheme can be used to break the $f\text{-SIS}_{k,q,2sc+10\sigma}$ problem for any polynomial
f of degree between $d_2$ and n. By Theorem 2.3, this in turn gives a connection
between breaking the signature scheme and finding short vectors for any lattice
in any polynomial ring $\mathbb{Z}[x]/(f)$ where the degree of f is between $d_2$ and n.
Abstract. Oblivious Transfer (OT) protocols were introduced in the 
seminal paper of Rabin, and allow a user to retrieve a given number of 
lines (usually one) in a database, without revealing which ones to the 
server. The server is ensured that only this given number of lines can 
be accessed per interaction, and so the others are protected; while the 
user is ensured that the server does not learn the numbers of the lines 
required. This primitive has a huge interest in practice, for example in 
secure multi-party computation, and directly echoes Symmetrically 
Private Information Retrieval (SPIR). 

Recent Oblivious Transfer instantiations secure in the UC framework 
suffer from a drastic fallback. After the first query, there is no improvement 
on the global scheme complexity and so subsequent queries each 
have a global complexity of $O(|DB|)$, meaning that there is no gain 
compared to running completely independent queries. In this paper, we 
propose a new protocol solving this issue, which allows subsequent 
queries with a complexity of $O(\log(|DB|))$ while keeping round optimality, 
and we prove the protocol secure in the UC framework with adaptive 
corruptions and reliable erasures. 

As a second contribution, we show that the techniques we use for 
Oblivious Transfer can be generalized to a new framework we call Oblivious 
Language-Based Envelope (OLBE). It is of practical interest since 
it seems more and more unrealistic to consider a database with uncontrolled 
access in access control scenarios. Our approach generalizes Oblivious 
Signature-Based Envelope, to handle more expressive credentials 
and requests from the user. Naturally, OLBE encompasses both OT and 
OSBE, but it also allows to achieve Oblivious Transfer with fine-grained 
access over each line. For example, a user can access a line if and only if 
he possesses a certificate granting him access to such a line. 

We show how to generically and efficiently instantiate such primitives, 
and prove them secure in the Universal Composability framework, with 
adaptive corruptions assuming reliable erasures. We provide the new UC 
ideal functionalities when needed, or we show that the existing ones fit 
in our new framework. 

The security of such designs allows to preserve both the secrecy of 
the database values and the user credentials. This symmetry allows to 
view our new approach as a generalization of the notion of Symmetrically 
PIR. 
1 Introduction 

Oblivious Transfer (OT) is a notion introduced by Rabin in [53]. In its classical 
1-out-of-n version, it allows a user U to access a single line of a database while 
interacting with the server S owning the database. The user should be oblivious 
to the other line values, while the server should be oblivious to which line was 
indeed received. Oblivious transfer has a fundamental role for achieving secure 
multi-party computation: It is for example needed for every bit of input in Yao’s 
protocol [59] as well as for Oblivious RAM ([56] for instance), for every AND 
gate in the Boolean circuit computing the function in [35] or for almost all known 
garbled circuits [6]. 

Private Information Retrieval (PIR) schemes [25] allow a user to retrieve 
information from a database, while ensuring that the database does not learn 
which data were retrieved. With the increasing need for user privacy, these 
schemes are quite useful in practice, be they used for accessing records for email 
repositories, collection of webpages, music... But while protecting the privacy of 
the user, it is equally important that the user should not learn more information 
than he is allowed to. This is called database privacy and the corresponding 
protocol is called a Symmetrically Private Information Retrieval (SPIR), which 
could be employed in practice, for medical data or biometric information. This 
notion is closely related to Oblivious Transfer. 

Due to their huge interest in practice, it is important to achieve low 
communication on these Oblivious Transfer protocols. A usual drawback is that the 
server usually has to send a message equivalent to the whole database each time 
the user requests a line. While it is logical, in the UC framework, that an OT 
protocol requires a cost linear in the size of the database for the first line queried, 
one may then hope to amortize the cost for further queries between the same 
server and the same user (or even another user, if possible), reducing the 
efficiency gap between Private Information Retrieval schemes and their stronger 
equivalent Oblivious Transfer schemes. We thus deal in this paper with a more 
efficient way, which is to achieve Adaptive Oblivious Transfer, in which the user 
can adaptively ask for several lines of the database. In such schemes, the server 
only sends his database once at the beginning of the protocol, and all the 
subsequent communication is in $o(n)$, more precisely logarithmic. The linear cost is 
batched once and for all in this preprocessing phase, achieving then a logarithmic 
complexity similar to the best PIR schemes. 

Smooth Projective Hash Functions (SPHF), used in conjunction with 
Commitments, have become the standard way to deal with such secret message 
transfers. In a commitment scheme, the sender is going to commit to the line required 
(i.e. to give the receiver an analogue of a sealed envelope containing his value $i$) 
in such a way that he should not be able to open to a value different from the one 
he committed to (binding property), and that the receiver cannot learn anything 
about $i$ (hiding property) before a potential opening phase. During the opening 
phase, however, the committer would be asked to reveal $i$ in such a way that the 
receiver can verify it was indeed $i$ that was contained in the envelope. 

But, in our applications, there cannot be an opening phase, due to the oblivious 
requirements on the protocols and the secrecy of the database line $i$ sent. 
The decommitment (opening phase) will thus be implicit, which means that 
the committer does not really open its commitment, but rather convinces the 
receiver that it actually committed to the value it pretended to. We achieve this 
property thanks to Smooth Projective Hash Functions [26,33], which have been 
widely used in such circumstances (see [1,2,8,9,45] for instance). These hash 
functions are defined in such a way that their value can be computed in two 
different ways if the input belongs to a particular subset (the language), either 
using a private hashing key or a public projection key along with a private witness 
ensuring that the input belongs to the language. The hash value obtained is 
indistinguishable from random in case the input does not belong to the language 
(smoothness) and in case the input does belong to the language but no witness 
is known (pseudo-randomness). 

In a nutshell, to ensure implicit decommitment, the sender will thus simply 
mask the database line with this hash value computed using the private hashing 
key. He will then send it along with the public projection key to the user, who 
will be able to compute the same hash value thanks to the randomness of the 
commitment of this line he sent in the first place (the randomness is the witness 
of the membership of the commitment to the language of commitments of this 
specific line). In order to ensure adaptive security in the universal composability 
framework, the commitments used are usually required to be both extractable 
(meaning that a simulator can recover the value i committed to thanks to a 
trapdoor) and equivocable (meaning that a simulator can open a commitment 
to a value i' different from the value i it committed to thanks to a trapdoor). 

In order to simplify these commitments, which can be quite technical, we 
choose here to rely on words in more complex languages rather than on simple 
line numbers. More precisely, the user will first compute an equivocable 
commitment on the line number required, which will be his word $w$ in the language. 
This word will then be encrypted under a CCA encryption scheme, and the SPHF 
will be constructed for this word (rather than for the line number), which will 
be simpler. Furthermore, this abstraction consisting in encoding line numbers as 
words in more complex languages will prove useful in more general contexts, not 
only Oblivious Transfer, the simplest of which being Oblivious Signature-Based 
Envelope. 

Oblivious Signature-Based Envelope (OSBE) was introduced by Li, Du and 
Boneh in [49]. OSBE schemes consider the case where Alice (the receiver) is a 
member of an organization and possesses a certificate produced by an authority 
attesting she actually belongs to this organization. Bob (the sender) wants to 
send a private message $P$ to members of this organization. However, due to the 
sensitive nature of the organization, Alice does not want to give Bob either her 
certificate or a proof that she belongs to the organization. OSBE lets Bob send an 
obfuscated version of this message $P$ to Alice, in such a way that she will be 
able to find $P$ if and only if she is in the required organization. In the process, 
Bob cannot decide whether Alice does really belong to the organization. We even 
manage to construct a more general framework to capture many protocols around 
trust negotiation, where the user receives a message if and only if he possesses 
some credentials or specific accreditations. As a reference to OSBE, we call this 
framework Oblivious Language-Based Envelope (OLBE). 

1.1 Related Work 

Since the original paper [53], several instantiations and optimizations of OT 
protocols have appeared in the literature [23,51], including proposals in the UC 
framework. More recently, new instantiations have been proposed, trying to reach 
round-optimality [41], and/or low communication costs [52]. Recent schemes like 
[1,9] manage to achieve round-optimality while maintaining a small communication 
cost. Choi et al. [24] also propose a generic method and an efficient instantiation 
secure against adaptive corruptions in the CRS model with erasures, but 
it is only 1-out-of-2 and it does not scale to 1-out-of-$n$ OT, for $n > 2$. As far as 
adaptive versions of those protocols are concerned, this problem was first studied 
by [37,47,50], and more recently UC secure instantiations were proposed, 
but unfortunately either under the Random Oracle, or under not so standard 
assumptions such as $q$-Hidden LRSW or later on $q$-SDH [17,20,39,43,54], but 
without allowing adaptive corruptions. 

Concerning automated trust negotiation, two frameworks have been proposed 
to encompass the symmetric protocols (Password-based Authenticated 
Key-Exchange, Secret Handshakes and Verifier-Based PAKE): the Credential 
Authenticated Key Exchange [16], and Language-based Authenticated Key 
Exchange (LAKE) [7], in which two parties establish a common session key if and 
only if they hold credentials that belong to specific (and possibly independent) 
languages chosen by the other party. As for OSBE, the authors in [13] improved 
the security model initially proposed in [49], showing how to use Smooth Projective 
Hash Functions to do implicit proofs of knowledge, and proposed the first 
efficient instantiation of OSBE, under a standard hypothesis. It fits, as well as 
Access Controlled Oblivious Transfer [18,19], Priced Oblivious Transfer [4,54] 
and Conditional Oblivious Transfer [28], into the generic notion of Conditional 
Disclosure of Secrets (see for instance [4,5,15,32,34,42,48,58]). 


1.2 Contributions 

Our first contribution is to give the first round-optimal adaptive Oblivious 
Transfer protocol secure in the UC framework with adaptive corruptions under 
standard assumptions (MDDH) and assuming reliable erasures. We show how to 
instantiate the needed building blocks using standard assumptions, using or 
extending various basic primitives in order to fit the MDDH framework introduced 
in [30]. In our scheme, the server first preprocesses its database in a time 
linear in the length of the database and transfers it to the receiver. After that, 
the receiver and the sender can run many instances of the protocol on the same 
database as input and adaptively chosen inputs from the receiver, with a cost 
sublinear in the database. 

It is interesting to note that our resulting adaptive Oblivious Transfer scheme 
has an amortized complexity in $O(\log|DB|)$, which is similar to current Private 
Information Retrieval instantiations [46], that have weaker security prerequisites, 
and much better than current UC secure Oblivious Transfer under standard 
assumptions (as they are in $O(|DB|)$). For a fair comparison it should be stated 
that the PIR schemes allow this complexity directly from the first query while 
in our case, due to the preprocessing, this amortized cost is only reached after 
a high number of queries. However, it is interesting to see this convergence in 
spite of hugely different security models and expectations. Compared to existing 
versions cited above (either proven in classical security models, or in the UC 
framework but only with static corruptions and under non-standard assumptions), 
we manage to prove its security under standard assumptions, like SXDH, 
and allow UC security with adaptive user corruptions. 

As a side result, it is worth noting that we follow some ideas developed in 
the construction explained in [37] around Blind Identity-Based Encryption and 
provide techniques in order to transform IBE schemes into blind ones, applying 
them to revisit the one given in [12], in order to show how we can answer blind 
user secret key-retrieval, which can be of independent interest. 

As a second contribution, we propose our new notion, that we call Oblivious 
Language-Based Envelope. We provide a security model by giving a UC ideal 
functionality, and show that this notion supersedes the classical asymmetric 
automated trust negotiation schemes recalled above such as Oblivious Transfer 
and Oblivious Signature-Based Envelope. We show how to choose the languages 
in order to obtain from our framework all the corresponding ideal functionalities, 
recovering the known ones (such as OT) and providing the new ones (such 
as OSBE, to the best of our knowledge). We then give a generic construction 
scheme fulfilling our ideal functionality, which directly gives generic constructions 
for the specific cases (OT, OSBE). Finally, we show how to instantiate the 
different simple building blocks in order to recover the standard efficient 
instantiations of these schemes from our framework. In addition to the two cases most 
studied (OT, OSBE), we also propose what we call Conditioned Oblivious Transfer, 
which encompasses Access Controlled Oblivious Transfer, Priced Oblivious 
Transfer and Conditional Oblivious Transfer, and in which the access to each 
line of the database is hidden behind some possibly secret restriction, be it a 
credential, a price, or an access policy. The advantage of the OLBE framework 
over the notion of Conditional Disclosure of Secrets is to allow generic constructions 
of a large subclass of schemes, as long as two participants are involved. It 
can be easily applied to any language expressing some new access control policy. 
Furthermore, those instantiations fit into a global security model, allowing to 
uniformize (for the better) the security expectations for such schemes. In 
particular, we allow security in the UC framework with adaptive corruptions for 
all our constructions (which was already known for some primitives cited above, 
but not all), and manage to achieve this level of security while staying in the 
standard model with standard hypotheses. 

2 Definitions and Building Blocks 

2.1 Notations for Classical Primitives 

Throughout this paper, we use the notation $\mathfrak{K}$ for the security parameter. 

Digital Signature. A digital signature scheme $\mathcal{S}$ [29,36] allows a signer to 
produce a verifiable proof that he indeed produced a message. It is described 
through four algorithms $\mathcal{S}$ = (Setup, KeyGen, Sign, Verify). The formal definitions 
are given in the paper full version [10]. 

Encryption. An encryption scheme C is described through four algorithms 
(Setup, KeyGen, Encrypt, Decrypt). The formal definitions are given in the paper 
full version [10]. 

Commitment and Chameleon Hash. Commitments allow a user to com- 
mit to a value without revealing it, but without the possibility to later change 
his mind. It is composed of four algorithms (Setup, KeyGen, Commit, Decommit). 
Informally, it is extractable if a simulator knowing a certain trapdoor can recover 
the value committed to, and it is equivocable if a simulator, knowing another 
trapdoor, can open the commitment to another value than the one it actually 
committed to. This directly echoes to Chameleon Hashes, traditionally defined 
by three algorithms CH = (KeyGen, CH, Coll). The formal definitions are given 
in the paper full version [10]. 


2.2 Identity-Based Encryption, Identity-Based Key Encapsulation 

Identity-Based Encryption was first introduced by Shamir in [55], who was 
expecting an encryption scheme where no public key would be needed for sending a 
message to a precise user, defined by his identity. Thus any user wanting to send 
a private message to a user only needs this user's identity and a master public 
key. It took 17 years for the cryptographic community to find a way to realize 
this idea. The first instantiation was proposed in [14] by Boneh and Franklin. 
It can be described as an identity-based key encapsulation (IBKEM) scheme 
IBKEM which consists of four algorithms IBKEM = (Gen, USKGen, Enc, Dec). 
Every IBKEM can be transformed into an ID-based encryption scheme IBE using 
a (one-time secure) symmetric cipher. 

Definition 1 (Identity-based Key Encapsulation Scheme). An identity-based 
key encapsulation scheme IBKEM consists of four PPT algorithms 
IBKEM = (Gen, USKGen, Enc, Dec) with the following properties. 

- Gen($\mathfrak{K}$): returns the (master) public/secret key (mpk, msk). We assume that 
mpk implicitly defines an identity space $\mathcal{ID}$, a key space $\mathcal{KS}$, and a ciphertext 
space $\mathcal{CS}$. 

- USKGen(msk, id): returns the user secret-key usk[id] for identity $\mathsf{id} \in \mathcal{ID}$. 

- Enc(mpk, id): returns the symmetric key $K \in \mathcal{KS}$ together with a ciphertext 
$C \in \mathcal{CS}$ with respect to identity id. 

- Dec(usk[id], id, C): returns the decapsulated key $K \in \mathcal{KS}$ or the reject symbol $\bot$. 

For perfect correctness we require that for all $\mathfrak{K} \in \mathbb{N}$, all pairs (mpk, msk) generated 
by Gen($\mathfrak{K}$), all identities $\mathsf{id} \in \mathcal{ID}$, all usk[id] generated by USKGen(msk, id) 
and all $(K, C)$ output by Enc(mpk, id): $\Pr[\mathsf{Dec}(\mathsf{usk}[\mathsf{id}], \mathsf{id}, C) = K] = 1$. 

The security requirements for an IBKEM we consider here are indistinguisha- 
bility and anonymity against chosen plaintext and identity attacks (IND-ID-CPA 
and ANON-ID-CPA). Instead of defining both security notions separately, we 
define pseudorandom ciphertexts against chosen plaintext and identity attacks 
(PR-ID-CPA) which means that challenge key and ciphertext are both pseudo- 
random. Note that PR-ID-CPA trivially implies IND-ID-CPA and ANON-ID-CPA. 
We define PR-ID-CPA-security of IBKEM formally via the games given in Fig. 1. 


Procedure Initialize: 
  (mpk, msk) ← Gen($\mathfrak{K}$) 
  Return mpk 

Procedure USKGen(id): 
  $\mathcal{Q}_{\mathcal{ID}} \leftarrow \mathcal{Q}_{\mathcal{ID}} \cup \{\mathsf{id}\}$ 
  Return usk[id] ← USKGen(msk, id) 

Procedure Enc(id*):    // one query 
  (K*, C*) ← Enc(mpk, id*) 
  [boxed, only in PR-ID-CPA_rand:]  K* ←$ $\mathcal{KS}$;  C* ←$ $\mathcal{CS}$ 
  Return (K*, C*) 

Procedure Finalize(β): 
  Return (id* ∉ $\mathcal{Q}_{\mathcal{ID}}$) ∧ β 


Fig. 1. Security Games PR-ID-CPA_real and PR-ID-CPA_rand (boxed) used for defining 
PR-ID-CPA-security. 


Definition 2 (PR-ID-CPA Security). An ID-based key encapsulation scheme 
IBKEM is PR-ID-CPA-secure if for all PPT $\mathcal{A}$, the following advantage is negligible: 
$\mathrm{Adv}^{\mathrm{pr\text{-}id\text{-}cpa}}_{\mathsf{IBKEM}}(\mathcal{A}) := \left| \Pr[\mathrm{PR\text{-}ID\text{-}CPA}^{\mathcal{A}}_{\mathrm{real}} \Rightarrow 1] - \Pr[\mathrm{PR\text{-}ID\text{-}CPA}^{\mathcal{A}}_{\mathrm{rand}} \Rightarrow 1] \right|$. 

2.3 Smooth Projective Hashing and Languages 

Smooth projective hash functions (SPHF) were introduced by Cramer and 
Shoup in [26] for constructing encryption schemes. A projective hashing family 
is a family of hash functions that can be evaluated in two ways: using the 
(secret) hashing key, one can compute the function on every point in its domain, 
whereas using the (public) projected key one can only compute the function on 
a special subset of its domain. Such a family is deemed smooth if the value of 
the hash function on any point outside the special subset is independent of the 
projected key. The notion of SPHF has already found applications in various 
contexts in cryptography (e.g. [2,33,44]). A Smooth Projective Hash Function 
over a language $\mathcal{L} \subset X$, onto a set $G$, is defined by five algorithms (Setup, 
HashKG, ProjKG, Hash, ProjHash): 
- Setup($1^{\mathfrak{K}}$) where $\mathfrak{K}$ is the security parameter, generates the global parameters 
param of the scheme, and the description of an $\mathcal{NP}$ language $\mathcal{L}$; 

- HashKG($\mathcal{L}$, param), outputs a hashing key hk for the language $\mathcal{L}$; 

- ProjKG(hk, ($\mathcal{L}$, param), $W$), derives the projection key hp from 
the hashing key hk and the word $W$. 

- Hash(hk, ($\mathcal{L}$, param), $W$), outputs a hash value $v \in G$, using 
the hashing key hk and the word $W$. 

- ProjHash(hp, ($\mathcal{L}$, param), $W$, $w$), outputs the hash value $v' \in G$, using the 
projection key hp and the witness $w$ that the word $W \in \mathcal{L}$. 

In the following, we assume $\mathcal{L}$ is a hard-partitioned subset of $X$, i.e. it is 
computationally hard to distinguish a random element in $\mathcal{L}$ from a random 
element in $X \setminus \mathcal{L}$. An SPHF should satisfy the following properties: 

- Correctness: Let $W \in \mathcal{L}$ and $w$ a witness of this membership. Then, for all 
hashing keys hk and associated projection keys hp we have 

Hash(hk, ($\mathcal{L}$, param), $W$) = ProjHash(hp, ($\mathcal{L}$, param), $W$, $w$). 

- Smoothness: For all $W \in X \setminus \mathcal{L}$ the following distributions are statistically 
indistinguishable: 

$$\Delta_0 = \left\{ (\mathcal{L}, \mathsf{param}, W, \mathsf{hp}, v) \;\middle|\; \begin{array}{l} \mathsf{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathsf{hk} = \mathsf{HashKG}(\mathcal{L}, \mathsf{param}), \\ \mathsf{hp} = \mathsf{ProjKG}(\mathsf{hk}, (\mathcal{L}, \mathsf{param}), W), \\ v = \mathsf{Hash}(\mathsf{hk}, (\mathcal{L}, \mathsf{param}), W) \end{array} \right\}$$

$$\Delta_1 = \left\{ (\mathcal{L}, \mathsf{param}, W, \mathsf{hp}, v) \;\middle|\; \begin{array}{l} \mathsf{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathsf{hk} = \mathsf{HashKG}(\mathcal{L}, \mathsf{param}), \\ \mathsf{hp} = \mathsf{ProjKG}(\mathsf{hk}, (\mathcal{L}, \mathsf{param}), W),\ v \xleftarrow{\$} G \end{array} \right\}$$

This is formalized by: $\mathrm{Adv}^{\mathrm{smooth}}_{\mathsf{SPHF}}(\mathfrak{K}) = \sum_{V \in G} \left| \Pr_{\Delta_1}[v = V] - \Pr_{\Delta_0}[v = V] \right|$ is 
negligible. 

- Pseudo-Randomness: If $W \in \mathcal{L}$, then without a witness of membership the 
two previous distributions should remain computationally indistinguishable. 
For any adversary $\mathcal{A}$ within reasonable time, this advantage is negligible: 

$$\mathrm{Adv}^{\mathrm{pr}}_{\mathsf{SPHF}} = \left| \Pr_{\Delta_1}[\mathcal{A}(\mathcal{L}, \mathsf{param}, W, \mathsf{hp}, v) = 1] - \Pr_{\Delta_0}[\mathcal{A}(\mathcal{L}, \mathsf{param}, W, \mathsf{hp}, v) = 1] \right|$$

Languages. The language $\mathcal{L} \subset X$ used in the definition of an SPHF should be 
a hard-partitioned subset of $X$, i.e. it is computationally hard to distinguish a 
random element in $\mathcal{L}$ from a random element not in $\mathcal{L}$ (see formal definition 
in [3,33]). The languages used here are more complex and should fulfill the 
following properties 1: 


1 We here mainly consider languages which are hard-partitioned subsets, for instance, 
encryptions of publicly verifiable languages. 
- Publicly Verifiable: Given a word $x$ in $X$, anyone should be able to decide in 
polynomial time whether $x \in \mathcal{L}$ or not. 

- Self-Randomizable: Given a word in the language, anyone should be able to 
sample a new word in the language 2, and the distribution of this resampling 
should be indistinguishable from an honest distribution. This will be used in 
order to prevent an adversary, or the authority in charge of distributing the 
words, from learning which specific form of the word was used by the user. 

In case we consider several languages $(\mathcal{L}_1, \ldots, \mathcal{L}_n)$, we also assume it is a 
Trapdoor Collection of Languages: It is computationally hard to sample an element 
in $\mathcal{L}_1 \cap \cdots \cap \mathcal{L}_n$, except if one possesses a trapdoor tk (without the knowledge 
of the potential secret keys) 3. For instance, if for all $i$, $\mathcal{L}_i$ is the language of the 
equivocable commitments on words in an inner language $\{i\}$ (as we will 
consider for OT), the common trapdoor key can be the equivocation trapdoor. 

Depending on the applications, we can assume a Keyed Language, which 
means that it is set by a trusted authority, and that it is hard to sample fresh 
elements from scratch in the language without the knowledge of a secret language 
key $\mathsf{sk}_{\mathcal{L}}$. In this case, the authority is also in charge of giving a word in the 
language to the receiver. 

In case the language is keyed, we assume it is also a Trapdoor Language: We 
assume the existence of a trapdoor $\mathsf{tk}_{\mathcal{L}}$ allowing a simulator to sample an element 
in $\mathcal{L}$ (without the knowledge of the potential secret key $\mathsf{sk}_{\mathcal{L}}$). For instance, for 
a language of valid Waters signatures of a message $M$ (as we will consider for 
OSBE), one can think of $\mathsf{sk}_{\mathcal{L}}$ as being the signing key, whereas the trapdoor $\mathsf{tk}_{\mathcal{L}}$ 
can be the discrete logarithm of $h$ in basis $g$. 4 

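The SPHF definition of Sect. 2.3 and the masking use of the hash value described in the introduction (the sender masks the database line with Hash, the receiver recovers it with ProjHash, with no opening of the commitment) can be made concrete on the Diffie-Hellman language. The block below is an added example written for this page, not the paper's instantiation: the group is the order-$Q$ subgroup of $\mathbb{Z}_P^*$ for the small safe prime $P = 2Q+1$ (constructed toy sizes, no security), the language is $\mathcal{L} = \{(g^r, h^r)\}$ with witness $r$ and $h = g^{\lambda}$, and the function names, the trapdoor $\lambda$ and the SHA-256-based key derivation are assumptions of the example.

```python
"""Toy SPHF on the Diffie-Hellman language plus the "mask the line with the
hash value" use.  Constructed example (not the paper's code).  Group: the
order-Q subgroup of Z_P^* for the safe prime P = 2*Q + 1, toy parameters.
Language L = {(g^r, h^r)} with witness r; h = g^lam, lam is the trapdoor."""
import hashlib
import secrets

P, Q, G = 2879, 1439, 4   # constructed toy parameters: 4 generates the order-Q subgroup


def setup(lam=None):
    """Setup(1^K): public parameters (g, h) and the language trapdoor lam."""
    lam = secrets.randbelow(Q - 1) + 1 if lam is None else lam % Q
    return {"g": G, "h": pow(G, lam, P), "lam": lam}


def sample_word(param, r):
    """A word W = (g^r, h^r) in L together with its witness r."""
    return (pow(param["g"], r, P), pow(param["h"], r, P)), r


def hash_kg(hk=None):
    """HashKG: hashing key hk = (alpha, beta), uniform in Z_Q^2."""
    return (secrets.randbelow(Q), secrets.randbelow(Q)) if hk is None else hk


def proj_kg(hk, param):
    """ProjKG: projection key hp = g^alpha * h^beta (word-independent here)."""
    alpha, beta = hk
    return pow(param["g"], alpha, P) * pow(param["h"], beta, P) % P


def hash_(hk, word):
    """Hash: x^alpha * y^beta; computable on any word (x, y) of X = G x G."""
    alpha, beta = hk
    x, y = word
    return pow(x, alpha, P) * pow(y, beta, P) % P


def proj_hash(hp, witness):
    """ProjHash: hp^r; needs the witness r of W in L, not hk."""
    return pow(hp, witness, P)


def equivalent_hk(hk, param):
    """Another hashing key with the same hp (needs the trapdoor lam).
    Exhibits smoothness: on a word outside L the two keys hash differently,
    so hp alone leaves the hash value undetermined."""
    alpha, beta = hk
    return ((alpha + param["lam"]) % Q, (beta - 1) % Q)


def _kdf(v, length):
    """Derive a pad from the group element v (assumption: SHA-256 as KDF)."""
    return hashlib.sha256(v.to_bytes(2, "big")).digest()[:length]  # P < 2^16


def sender_mask(param, word, line, hk=None):
    """Server: mask the database line with Hash(hk, W); send (hp, masked)."""
    hk = hash_kg(hk)
    hp = proj_kg(hk, param)
    pad = _kdf(hash_(hk, word), len(line))
    return hp, bytes(a ^ b for a, b in zip(line, pad))


def receiver_unmask(hp, witness, masked):
    """User: recover the line from ProjHash(hp, W, r); W is never opened."""
    pad = _kdf(proj_hash(hp, witness), len(masked))
    return bytes(a ^ b for a, b in zip(masked, pad))
```

Correctness is the identity $x^{\alpha} y^{\beta} = (g^{\alpha} h^{\beta})^r$ when $(x, y) = (g^r, h^r)$; `equivalent_hk` shows why a word outside the language gets no information from hp: two hashing keys with the same projection key give different hash values on it, which is exactly the smoothness property the definition asks for.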

2.4 Security Assumptions 

Due to lack of space, instantiations of the primitives recalled above are given in 
the paper full version [10] and we only give here the security assumptions. 

Security Assumption: Pairing groups and Matrix Diffie-Hellman 
Assumption. Let GGen be a probabilistic polynomial time (PPT) algorithm 
that on input $1^{\mathfrak{K}}$ returns a description $\mathcal{G} = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ of asymmetric 
pairing groups where $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are cyclic groups of order $p$ for a $\mathfrak{K}$-bit prime 


2 It should be noted that this property is not incompatible with the potential secret 
key of the language in case it is keyed (see below). 

3 This implicitly means that the languages are compatible, in the sense that one can 
indeed find a word belonging to all of them. 

4 As another example, one may think of more expressive languages which may not rely 
directly on generators fixed by the CRS. In this case, one can assume that the CRS 
contains parameters for an encryption and an associated NIZK proof system. The 
description of such a language is thus supplemented with an encryption of the 
language trapdoor, and a non-interactive zero-knowledge proof that the encrypted value 
is indeed a trapdoor for the said language. Using the knowledge of the decryption 
key, the simulator is able to recover the trapdoor. 


226 O. Blazy et al. 


$p$, $g_1$ and $g_2$ are generators of $\mathbb{G}_1$ and $\mathbb{G}_2$, respectively, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is an 
efficiently computable (non-degenerate) bilinear map. Define $g_T := e(g_1, g_2)$, 
which is a generator in $\mathbb{G}_T$. 

We use implicit representation of group elements as introduced in [30]. For 
$s \in \{1, 2, T\}$ and $a \in \mathbb{Z}_p$ define $[a]_s = g_s^a \in \mathbb{G}_s$ as the implicit representation of 
$a$ in $\mathbb{G}_s$. More generally, for a matrix $\mathbf{A} = (a_{ij}) \in \mathbb{Z}_p^{n \times m}$ we define $[\mathbf{A}]_s$ as the 
implicit representation of $\mathbf{A}$ in $\mathbb{G}_s$: 

$$[\mathbf{A}]_s := \begin{pmatrix} g_s^{a_{11}} & \cdots & g_s^{a_{1m}} \\ \vdots & & \vdots \\ g_s^{a_{n1}} & \cdots & g_s^{a_{nm}} \end{pmatrix} \in \mathbb{G}_s^{n \times m}$$

We will always use this implicit notation of elements in $\mathbb{G}_s$, i.e., we let $[a]_s \in \mathbb{G}_s$ 
be an element in $\mathbb{G}_s$. Note that from $[a]_s \in \mathbb{G}_s$ it is generally hard to compute 
the value $a$ (discrete logarithm problem in $\mathbb{G}_s$). Further, from $[b]_T \in \mathbb{G}_T$ it is 
hard to compute the value $[b]_1 \in \mathbb{G}_1$ and $[b]_2 \in \mathbb{G}_2$ (pairing inversion problem). 
Obviously, given $[a]_s \in \mathbb{G}_s$ and a scalar $x \in \mathbb{Z}_p$, one can efficiently compute 
$[ax]_s \in \mathbb{G}_s$. Further, given $[a]_1$, $[b]_2$ one can efficiently compute $[ab]_T$ using the 
pairing $e$. For $\mathbf{a}, \mathbf{b} \in \mathbb{Z}_p^k$ define $e([\mathbf{a}]_1, [\mathbf{b}]_2) := [\mathbf{a}^\top \mathbf{b}]_T \in \mathbb{G}_T$. We recall the 
definition of the matrix Diffie-Hellman (MDDH) assumption [30]. 

Definition 3 (Matrix Distribution). Let $k \in \mathbb{N}$. We call $\mathcal{D}_k$ a matrix distribution 
if it outputs matrices in $\mathbb{Z}_p^{(k+1) \times k}$ of full rank $k$ in polynomial time. 

Without loss of generality, we assume the first $k$ rows of $\mathbf{A} \leftarrow \mathcal{D}_k$ form an 
invertible matrix, we denote this matrix $\overline{\mathbf{A}}$, while the last line is denoted $\underline{\mathbf{A}}$. 
The $\mathcal{D}_k$-Matrix Diffie-Hellman problem is to distinguish the two distributions 
$([\mathbf{A}], [\mathbf{A}\mathbf{w}])$ and $([\mathbf{A}], [\mathbf{u}])$ where $\mathbf{w} \leftarrow \mathbb{Z}_p^k$ and $\mathbf{u} \leftarrow \mathbb{Z}_p^{k+1}$. 

Definition 4 ($\mathcal{D}_k$-Matrix Diffie-Hellman Assumption $\mathcal{D}_k$-MDDH). Let $\mathcal{D}_k$ 
be a matrix distribution and $s \in \{1, 2, T\}$. We say that the Matrix Diffie-Hellman 
($\mathcal{D}_k$-MDDH) Assumption holds relative to GGen in group $\mathbb{G}_s$ if for all 
PPT adversaries $\mathcal{D}$, 

$$\mathrm{Adv}_{\mathcal{D}_k, \mathsf{GGen}}(\mathcal{D}) := \left| \Pr[\mathcal{D}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{w}]_s) = 1] - \Pr[\mathcal{D}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{u}]_s) = 1] \right| = \mathrm{negl}(\mathfrak{K}),$$

where the probability is taken over $\mathcal{G} \leftarrow \mathsf{GGen}(1^{\mathfrak{K}})$, $\mathbf{A} \leftarrow \mathcal{D}_k$, $\mathbf{w} \leftarrow \mathbb{Z}_p^k$, $\mathbf{u} \leftarrow \mathbb{Z}_p^{k+1}$. 


For each $k \geq 1$, [30] specifies distributions $\mathcal{L}_k, \mathcal{U}_k, \ldots$ such that the 
corresponding $\mathcal{D}_k$-MDDH assumption is the $k$-Linear assumption, the $k$-uniform and 
others. All assumptions are generically secure in bilinear groups and form a 
hierarchy of increasingly weaker assumptions. The distributions are exemplified for 
$k = 2$, where $a_1, \ldots, a_6 \leftarrow \mathbb{Z}_p$. 

It was also shown in [30] that $\mathcal{U}_k$-MDDH is implied by all other $\mathcal{D}_k$-MDDH 
assumptions. 
Lemma 5 (Random self reducibility [30]). For any matrix distribution $\mathcal{D}_k$, 
$\mathcal{D}_k$-MDDH is random self-reducible. In particular, for any $m \geq 1$ and for all PPT 
adversaries $\mathcal{D}$ and $\mathcal{D}'$, 

$$\mathrm{Adv}_{\mathcal{D}_k, \mathsf{GGen}}(\mathcal{D}) + \quad \geq \mathrm{Adv}^m_{\mathcal{D}_k, \mathsf{GGen}}(\mathcal{D}')$$

where $\mathrm{Adv}^m_{\mathcal{D}_k, \mathsf{GGen}}(\mathcal{D}') := \Pr[\mathcal{D}'(\mathcal{G}, [\mathbf{A}], [\mathbf{A}\mathbf{W}]) \Rightarrow 1] - \Pr[\mathcal{D}'(\mathcal{G}, [\mathbf{A}], [\mathbf{U}]) \Rightarrow 1]$, 
with $\mathcal{G} \leftarrow \mathsf{GGen}(1^{\mathfrak{K}})$, $\mathbf{A} \leftarrow \mathcal{D}_k$, $\mathbf{W} \leftarrow \mathbb{Z}_p^{k \times m}$, $\mathbf{U} \leftarrow \mathbb{Z}_p^{(k+1) \times m}$. 

Remark: It should be noted that $\mathcal{L}_1, \mathcal{L}_2$ are respectively the SXDH and DLin 
assumptions. 

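To make Definitions 3 and 4 and the re-randomisation behind Lemma 5 tangible, the following added example (written for this page, not code from [30] or from this paper) builds $\mathcal{D}_1$-MDDH instances in implicit notation for a single toy group (the order-$Q$ subgroup of $\mathbb{Z}_P^*$, $P = 2Q + 1$, constructed parameters; with one group the index $s$ of $[\cdot]_s$ is dropped) and turns one instance into $m$ columns. The layout $\mathbf{A} = (a, 1)^{\top}$ for the $\mathcal{L}_1$ distribution, the function names and the trapdoor test `in_span` are assumptions of the example; with $\mathcal{L}_1$ the instance $([\mathbf{A}], [\mathbf{A}w])$ is just the DDH tuple $(g^a, g, g^{aw}, g^w)$, which is the SXDH connection stated in the Remark.

```python
"""Toy D_1-MDDH instances with implicit notation, and the column
re-randomisation behind Lemma 5.  Constructed example, one group only
(order-Q subgroup of Z_P^*, P = 2Q+1, toy parameters, no security).
Assumption: the L_1 distribution outputs A = (a, 1)^T as in [30]."""
import secrets

P, Q, G = 2879, 1439, 4   # constructed toy parameters: 4 generates the order-Q subgroup


def bracket(a):
    """Implicit representation [a] = g^a of a in Z_Q."""
    return pow(G, a % Q, P)


def bracket_vec(vec):
    """[v] for a vector v, entry by entry (the matrix case of [A] for n x 1)."""
    return [bracket(a) for a in vec]


def sample_l1(a=None):
    """A <- L_1: A = (a, 1)^T in Z_Q^{2x1}, full rank 1.  Returns (trapdoor a, [A])."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a % Q
    return a, bracket_vec([a, 1])


def mddh_instance(real, a=None, w=None, u=None):
    """([A], [z]) with z = A w (real) or z = u uniform in Z_Q^2 (rand).
    Returns the trapdoor a as well so that the caller can check the answer."""
    a, A_br = sample_l1(a)
    if real:
        w = secrets.randbelow(Q) if w is None else w % Q
        z = [a * w % Q, w]                  # A w = (a w, w)^T
    else:
        z = ([secrets.randbelow(Q), secrets.randbelow(Q)] if u is None
             else [x % Q for x in u])
    return a, A_br, bracket_vec(z)


def in_span(a, z_br):
    """Trapdoor test: [z] = [A w] for some w iff [z_0] = [z_1]^a.
    Without a this is the DDH decision the assumption declares hard."""
    return pow(z_br[1], a, P) == z_br[0]


def rerandomize(A_br, z_br, m, coins=None):
    """Build m columns [Z_j] = [A]^{s_j} * [z]^{r_j}, i.e. Z_j = A s_j + z r_j,
    from one instance.  If z = A w then Z_j = A (s_j + w r_j) is a fresh real
    column; if z is uniform (off the span) and r_j != 0, Z_j stays off the
    span of A.  This is the idea behind the m-fold advantage of Lemma 5."""
    if coins is None:
        coins = [(secrets.randbelow(Q), secrets.randbelow(Q - 1) + 1) for _ in range(m)]
    cols = []
    for s_j, r_j in coins:
        cols.append([pow(A_br[i], s_j, P) * pow(z_br[i], r_j, P) % P for i in range(2)])
    return cols
```

Everything is done on the bracketed values, so the re-randomisation only ever exponentiates and multiplies group elements, exactly the operations the text lists as efficient on $[\cdot]_s$; the exponents $a$ and $w$ are used only in `in_span`, the check a simulator holding the trapdoor can run.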

2.5 Security Models 

UC Framework. The goal of the UC framework [21] is to ensure that UC-secure 
protocols will continue to behave in the ideal way even if executed in a concurrent 
way in arbitrary environments. It is a simulation-based model, relying on 
the indistinguishability between the real world and the ideal world. In the ideal 
world, the security is provided by an ideal functionality $\mathcal{F}$, capturing all the 
properties required for the protocol and all the means of the adversary. In order 
to prove that a protocol $\Pi$ emulates $\mathcal{F}$, one has to construct, for any polynomial 
adversary $\mathcal{A}$ (which controls the communication between the players), a simulator 
$\mathcal{S}$ such that no polynomial environment $\mathcal{Z}$ can distinguish between the real 
world (with the real players interacting with themselves and $\mathcal{A}$ and executing 
the protocol $\Pi$) and the ideal world (with dummy players interacting with $\mathcal{S}$ 
and $\mathcal{F}$) with a significant advantage. The adversary can be either adaptive, i.e. 
allowed to corrupt users whenever it likes to, or static, i.e. required to choose 
which users to corrupt prior to the execution of the session sid of the protocol. 
After corrupting a player, $\mathcal{A}$ has complete access to the internal state and 
private values of the player, takes its entire control, and plays on its behalf. 

Simple UC Framework. Canetti, Cohen and Lindell formalized a simpler variant 
in [22], that we use here. This simplifies the description of the functionalities 
for the following reasons (in a nutshell): All channels are automatically assumed 
to be authenticated (as if we worked in the $\mathcal{F}_{\mathsf{AUTH}}$-hybrid model); There is no 
need for public delayed outputs (waiting for the adversary before delivering a 
message to a party), nor for an explicit description of the corruptions. We 
refer the interested reader to [22] for details. 

3 UC-secure Adaptive Oblivious Transfer 

As explained in the introduction, the classical OT constructions based on the 
commitment/SPHF paradigm (with so-called implicit decommitment), among 
the latest in the UC framework [1,9,24], require the server to send an encryption 
of the complete database for each line required by the user (thus O(n) each 
time). We here give a protocol requiring O(log(n)) for each line (except the 
first one, still in O(n)), in the UC framework with adaptive corruptions under 
classical assumptions (MDDH). This protocol builds upon the more efficient 
known scheme secure in the UC framework [9] and we use ideas from [37] to 
make it adaptive. 

Using implicit decommitment in the UC framework implies a very strong 
commitment primitive (formalized as SPHF-friendly commitments in [1]), which 
is both extractable and equivocable. Our idea is here to split these two properties 
by using on the one hand an equivocable commitment and on the other hand 
an (extractable) CCA encryption scheme, by generalizing the way to access a 
line in the database. But this is infeasible with simple line numbers. Indeed, we 
suggest here not to consider anymore the line numbers as numbers in {1, ..., n} 
but rather to “encode” them (the exact encoding will depend on the protocol): 
for every line i, a word W_i in the language ℒ_i will correspond to a representation 
of line i. This representation must be publicly verifiable, in the sense that anyone 
can associate i to a word W_i. We formalize this in the following definition of 
oblivious transfer⁵, given without loss of generality⁶ (the classical notion of OT 
being easily captured using ℒ_i = {i}). 


3.1 Definition and Security Model for Oblivious Transfer 

In such a protocol, a server S possesses a database of n lines (m_1, ..., m_n) ∈ 
({0,1}^𝔎)^n. A user U will be able to recover m_k (in an oblivious way) as soon 
as he owns a word W_k ∈ ℒ_k. The languages (ℒ_1, ..., ℒ_n) will be assumed to 
be a trapdoor collection of languages, publicly verifiable and self-randomizable. 
As we consider simulation-based security (in the UC framework), we allow a 
simulated setup SetupT to be run instead of the classical setup Setup in order 
to allow the simulator to possess some trapdoors. Those two setup algorithms 
should be indistinguishable. 

Definition 6 (Oblivious Transfer). An OT scheme is defined by five algorithms 
(Setup, KeyGen, DBGen, Samp, Verify), along with an interactive protocol 
Protocol⟨S, U⟩: 

- Setup(1^𝔎), where 𝔎 is the security parameter, generates the global parameters 
param, among which the number n; 

or SetupT(1^𝔎), where 𝔎 is the security parameter, additionally allows the 
existence⁷ of a trapdoor tk for the collection of languages (ℒ_1, ..., ℒ_n). 


⁵ The adaptive version only implies that the database (m_1, ..., m_n) is sent only once 
in the interaction, while the user can query several lines (i.e. several words), in an 
adaptive way. 

⁶ This formalization furthermore encompasses the variants of OT, such as conditioned 
OT, where a user accesses a line only if he knows a credential for this line. 

⁷ The specific trapdoor will depend on the languages and be computed in the KeyGen 
algorithm. 
- KeyGen(param, 𝔎) generates, for all i ∈ {1, ..., n}, the description of the 
language ℒ_i (as well as the language key sk_{ℒ_i} if need be). If the parameters param 
were defined by SetupT, this implicitly also defines the common trapdoor tk 
for the collection of languages (ℒ_1, ..., ℒ_n). 

- Samp(param) or Samp(param, (sk_{ℒ_i})_{i∈{1,...,n}}) generates a word W_i ∈ ℒ_i; 

- Verify_i(W_i, ℒ_i) checks whether W_i is a valid word in the language ℒ_i. It 
outputs 1 if the word is valid, 0 otherwise; 

- Protocol⟨S((ℒ_1, ..., ℒ_n), (m_1, ..., m_n)), U((ℒ_1, ..., ℒ_n), W_i)⟩, which is 
executed between the server S with the private database (m_1, ..., m_n) and 
corresponding languages (ℒ_1, ..., ℒ_n), and the user U with the same languages and 
the word W_i, proceeds as follows. If the algorithm Verify_i(W_i, ℒ_i) returns 1, 
then U receives m_i, otherwise it does not. In any case, S does not learn 
anything. 

The ideal functionality of an Oblivious Transfer (OT) protocol was given 
in [1,21,24], and an adaptive version in [38]. We here combine them and rewrite 
it in simple UC and using our language formalism (instead of directly giving a 
line number s to the functionality, the user will give it a word W_s ∈ ℒ_s). The 
resulting functionality ℱ_OT is given in Fig. 2. Recall that there is no need to give 
an explicit description of the corruptions in the simple version of UC [22]. 


The functionality ℱ_OT is parametrized by a security parameter 𝔎 and a set of 
languages (ℒ_1, ..., ℒ_n) along with the corresponding public verification algorithms 
(Verify_1, ..., Verify_n). It interacts with an adversary 𝒮 and a set of parties 
𝒫_1, ..., 𝒫_N via the following queries: 

- Upon receiving from party 𝒫_i an input (NewDataBase, sid, ssid, 𝒫_i, 𝒫_j, 
(m_1, ..., m_n)), with m_k ∈ {0,1}^𝔎 for all k: record the tuple (sid, ssid, 
𝒫_i, 𝒫_j, (m_1, ..., m_n)) and reveal (Send, sid, ssid, 𝒫_i, 𝒫_j) to the adversary 𝒮. 
Ignore further NewDataBase-message with the same ssid from 𝒫_i. 

- Upon receiving an input (Receive, sid, ssid, 𝒫_i, 𝒫_j, W_k) from party 𝒫_j: 
ignore the message if (sid, ssid, 𝒫_i, 𝒫_j, (m_1, ..., m_n)) is not recorded. 
Otherwise, reveal (Receive, sid, ssid, 𝒫_i, 𝒫_j) to the adversary 𝒮 and send the 
message (Received, sid, ssid, 𝒫_i, 𝒫_j, m'_k) to 𝒫_j where m'_k = m_k if 
Verify_k(W_k, ℒ_k) returns 1, and m'_k = ⊥ otherwise. 

(Non-Adaptive case: Ignore further Receive-message with the same ssid from 𝒫_j.) 


Fig. 2. Ideal Functionality for (Adaptive) Oblivious Transfer ℱ_OT 


3.2 High Level Idea of the Construction of the Adaptive Oblivious 
Transfer Scheme 

Our construction builds upon the UC-secure OT scheme from [9], with ideas 
inspired from [37], who propose a neat framework allowing to achieve adaptive 
Oblivious Transfer (but not in the UC framework). Their construction is quite 
simple: it requires a blind Identity-Based Encryption, in other words, an IBE 
scheme in which there is a way to query for a user key generation without the 
authority (here the server) learning the targeted identity (here the line in the 
database). Once such a Blind IBE is defined, one can conveniently obtain an 
oblivious transfer protocol by asking the database to encrypt (once and for all) 
each line for an identity (the j-th line being encrypted for the identity j), and 
having the user do a blind user key generation query for identity i in order to 
recover the key corresponding to the line i he expects to learn. 

This approach is round-optimal: after the database preparation, the first 
flow is sent by the user as a commitment to the identity i, and the second 
one is sent by the server with the blinded expected information. But several 
technicalities arise because of the UC framework we consider here. For instance, 
the blinded expected information has to be masked, which we do here thanks to 
an SPHF. Furthermore, instead of using simple line numbers as identities, we 
have to commit to words in specific languages (so as to ensure extractability and 
equivocability) as well as to fragment the IBE keys into bits in order to achieve 
O(log n) in both flows. This allows us to achieve the first UC-secure adaptive OT 
protocol allowing adaptive corruptions. More details follow in the next sections. 


3.3 Main Building Block: Constructing a Blind Fragmented 
IBKEM from an IBKEM 

Definition and Security Properties of a Blind IBKEM Scheme. Following 
[12], we recalled in Sect. 2.2 page 6 the definitions, notations and security 
properties for an IBE scheme, seen as an Identity-Based Key Encapsulation 
(IBKEM) scheme. We continue to follow the KEM formalism by adapting the 
definition of a Blind IBE scheme given in [37] to this setting. 

Definition 7 (Blind Identity-Based Key Encapsulation Scheme). A 
Blind Identity-Based Key Encapsulation scheme BlindIBKEM consists of four 
PPT algorithms (Gen, BlindUSKGen, Enc, Dec) with the following properties: 

- Gen, Enc and Dec are defined as for a traditional IBKEM scheme. 

- BlindUSKGen(⟨(S, msk), (U, id, ℓ; ρ)⟩) is an interactive protocol, in which an 
honest user U with identity id ∈ ID obtains the corresponding user secret key 
usk[id] from the master authority S or outputs an error message, while S's 
output is nothing or an error message (ℓ is a label and ρ the randomness). 

Defining the security of a BlindIBKEM requires two additional properties, 
stated as follows (see [37, pages 6 and 7] for the formal security games): 

1. Leak-free Secret Key Generation (called Leak-free Extract for Blind 
IBE security in the original paper): A potentially malicious user cannot learn 
anything by executing the BlindUSKGen protocol with an honest authority 
which he could not have learned by executing the USKGen protocol with an 
honest authority; moreover, as in USKGen, the user must know the identity 
for which he is extracting a key. 

2. Selective-failure Blindness: A potentially malicious authority cannot learn 
anything about the user's choice of identity during the BlindUSKGen protocol; 
moreover, the authority cannot cause the BlindUSKGen protocol to fail in a 
manner dependent on the user's choice. 

For our applications, we only need a weakened property for blindness:⁸ 

3. Weak Blindness: A potentially malicious authority cannot learn anything 
about the user's choice of identity during the BlindUSKGen protocol. 


High-Level Idea of the Transformation. We now show how to obtain a 
BlindIBKEM scheme from any IBKEM scheme. From a high-level point of view, 
this transformation mixes two pre-existing approaches. 

First, we are going to consider a reverse Naor transform [14,27]: Naor drew a 
parallel between Identity-Based Encryption schemes and signature schemes, by 
showing that a user secret key on an identity can be viewed as the signature 
on this identity, the verification process therefore being a test that any chosen 
valid ciphertext for the said identity can indeed be decrypted using the signature 
scheme. 

Then, we are going to use Fischlin's [31] round-optimal approach to blind 
signatures, where the whole interaction is done in one pass: first, the user commits 
to the message, then he recovers a signature linked to his commitment. For the sake 
of simplicity, instead of using a Non-Interactive Zero-Knowledge Proof of 
Knowledge of a signature, we are going to follow the [11,13] approach, where, thanks 
to an additional term, the user can extract a signature on the identity from a 
signature on the committed identity. 

Omitting technical details described more precisely in the following sections, 
the main idea of the transformation of the IBKEM scheme in order to blind a 
user key request is described in Fig. 3. 

Generic Transformation of an IBKEM into a Blind IBKEM. It now remains 
to explain how one can fulfill the idea highlighted in Fig. 3. The technique to 
blind a user key request uses a smooth projective hash function (see Sect. 2.3), 
and is often called implicit decommitment in recent works: the IBKEM secret key 
is sent hidden in such a way that it can only be recovered if the user knows how to 
open the initial commitment on the correct identity. We assume the existence of a 
labeled CCA-encryption scheme ℰ = (Setup_cca, KeyGen_cca, Encrypt^ℓ_cca, Decrypt^ℓ_cca) 
compatible with an SPHF defined by (Setup, HashKG, ProjKG, Hash, ProjHash) 
onto a set G (where ℓ is a label defined by the global protocol). By “compatible”, 
we mean that the SPHF can be defined over a language ℒ^ℓ_id ⊂ X, where 
ℒ^ℓ_id = {C | ∃ρ such that C = Encrypt^ℓ_cca(id; ρ)}. In the KeyGen algorithm, the 
description of the language ℒ_id = {id} thus implicitly defines the language ℒ^ℓ_id of 

⁸ Two things to note: first, Selective Failure would be considered as a Denial of Service 
in the Oblivious Transfer setting. Second, we do not restrict ourselves to schemes where 
the blindness adversary has access to the generated user keys, as reliable erasures in 
the OT protocol provide us a way to forget them before being corrupted (otherwise 
we would need to use a randomizable base IBE). 
1. A user commits to the targeted identity id using some randomness ρ. 

2. The authority possesses an algorithm allowing it to generate keys for 
committed identities using its master secret key msk and some randomness, 
in order to obtain a blinded user secret key busk[id]. 

3. The user, using solely the randomness used in the initial commitment, 
is able to recover the requested secret key from the authority's generated 
value. 


Fig. 3. Generic Transformation of an IBKEM into a Blind IBKEM (naive approach) 


CCA-encryptions of elements of ℒ_id. We additionally use a key derivation function 
KDF to derive a pseudo-random bit-string K ∈ {0,1}^𝔎 from a pseudo-random 
element v ∈ G. One can use the Leftover-Hash Lemma [40], with a random seed 
defined in param during the global setup, to extract the entropy from v, then 
followed by a pseudo-random generator to get a long enough bit-string. Many uses 
of the same seed in the Leftover-Hash Lemma just lead to a security loss linear 
in the number of extractions. This gives the following protocol for BlindUSKGen, 
described in Fig. 4. 

— The user computes an encryption of the expected identity id and keeps the 
randomness ρ: C = Encrypt^ℓ_cca(id; ρ). 

— For every identity id', the server computes the key usk[id'] along with a pair of 
(secret, public) hash keys (hk_id', hp_id') for a smooth projective hash function on the 
language ℒ^ℓ_id': 

hk_id' = HashKG(ℓ, ℒ^ℓ_id', param) and hp_id' = ProjKG(hk_id', ℓ, (ℒ^ℓ_id', param), id'). 

He also computes the corresponding hash value 

H_id' = Hash(hk_id', (ℒ^ℓ_id', param), (ℓ, C)). 

Finally, he sends (hp_id', usk[id'] ⊕ KDF(H_id')) for every id', where ⊕ is a compatible 
operation. 

— Thanks to hp_id, the user is able to compute the corresponding projected hash value 
H'_id = ProjHash(hp_id, (ℒ^ℓ_id, param), (ℓ, C), ρ). He then recovers usk[id] for the initially 
committed identity id since H_id = H'_id. 

Fig. 4. Summary of the Generic Construction of BlindUSKGen(⟨(S, msk), (U, id, ℓ; ρ)⟩) 
for a blind IBE 
Theorem 8. If IBKEM is a PR-ID-CPA-secure identity-based key encapsulation 
scheme and ℰ a labeled CCA-encryption scheme compatible with an SPHF, then 
BlindIBKEM is leak free and weak blind. 

Proof. First, BlindIBKEM satisfies leak-free secret key generation since it relies 
on the CCA security of the encryption scheme, forbidding a user to open it 
to another identity than the one initially encrypted. Furthermore, the pseudo-
randomness of the SPHF ensures that the blinded user key received for id is 
indistinguishable from random if he encrypted id' ≠ id. Finally, the weak blindness 
also relies on the CCA security of the encryption scheme, since an encryption 
of id is indistinguishable from an encryption of id' ≠ id. □ 

Using a Blind IBKEM in our Application to Adaptive Oblivious Transfer. 
The previous approach allows to transform an IBKEM into a Blind IBKEM, 
but it has a huge drawback in our context: since we assume an exponential 
identity space, it requires an exponential number of answers from the authority, 
which cannot help us to fulfill logarithmic complexity in our application. 
However, if we focus on the special case of affine IBE with bitwise function⁹, a user 
key can be described as the list (usk[0], usk[0, id_0], ..., usk[m − 1, id_{m−1}]) if id_i is 
the i-th bit of the identity id. One can thus manage to be much more efficient 
by sending each “bit” evaluation on the user secret key, hidden with a smooth 
projective hash value on the language “the i-th bit of the identity is a 0 (or 1)”, 
which is common to all identities. We can thus reduce the number of languages 
from the number of identities (which is exponential) to the length of an identity 
(which is polynomial). For security reasons, one cannot give directly the 
evaluation value, but as we are considering the sum of the evaluations for each bit, we 
simply add a Shamir-like secret sharing, by adding randomness that is going to 
cancel out at the end. 

As a last step, we finally need to make our construction compatible with the 
UC framework with adaptive corruptions. In this context, interactions should 
make sense for any possible input chosen by the environment and learnt a 
posteriori in the simulation during the corruption of an honest party. From the user 
side, this implies that the last flow should contain enough recoverable information 
so that a simulator, having sent a commitment to an incorrect identity, can 
extract the proper user secret key corresponding to the correct identity recovered 
after the corruption. From the server side, this implies that the IBKEM 
scheme is defined such that one is able to adapt the user secret keys in order to 
correspond to the new database learnt a posteriori. Of course, not all schemes 
allow this property, but this will be the case in the pairing scenario considered 
in our concrete instantiation. 

To deal with corruptions of the user, recall that a simulated server (knowing 
the secret key of the encryption scheme) is already able to extract the identity 


⁹ They were defined in [12]. Affine IBE derive their name from the fact that only affine 
operations are done on the identity bits (no hashing, square rooting, inverting... are 
allowed). 
— The user computes a bit-per-bit encryption of the expected identity id and keeps 
the randomness ρ: C = Encrypt^ℓ_cca(id; ρ). 

— The server computes a fragmented version of all the keys usk[id'], i.e. all the values 
usk[i, b] for i from 0 up to the length m of the keys and b ∈ {0, 1}. He also 
computes a pair of (secret, public) hash keys (hk_{i,b}, hp_{i,b}) for a smooth projective 
hash function on the language ℒ^ℓ_{i,b}: “The i-th bit of the value encrypted into C is b”, 
i.e. hk_{i,b} = HashKG(ℓ, ℒ^ℓ_{i,b}, param) and hp_{i,b} = ProjKG(hk_{i,b}, ℓ, (ℒ^ℓ_{i,b}, param)). He 
also computes the corresponding hash value H_{i,b} = Hash(hk_{i,b}, (ℒ^ℓ_{i,b}, param), (ℓ, C)) 
and chooses random values z_i. Finally, he sends, for each (i, b), (hp_{i,b}, busk[i, b]), 
where busk[i, b] = usk[i, b] ⊕ KDF(H_{i,b}) ⊕ z_i, together with Z = usk_0 ⊖ (⊕_i z_i), 
where ⊕ is a compatible operation and ⊖ its inverse. 

— Thanks to the hp_{i,id_i}, for the initially committed identity id, the user is able to 
compute the corresponding projected hash value 

H'_{i,id_i} = ProjHash(hp_{i,id_i}, (ℒ^ℓ_{i,id_i}, param), (ℓ, C), ρ), 

that should be equal to H_{i,id_i} for all i. From the values busk[i, id_i], he then recovers 
usk[i, id_i] ⊕ z_i. Finally, with the operation (⊕_i (usk[i, id_i] ⊕ z_i)) ⊕ Z, he recovers 
the expected usk[id]. 

Fig. 5. Summary of the Generic Construction of BlindUSKGen(⟨(S, msk), (U, id, ℓ; ρ)⟩) 
for a Blind affine IBE 


committed to. But we now consider that, for all id, the language ℒ_id now consists 
of the equivocable commitments on words in the inner language {id}. We assume 
them to be a Trapdoor Collection of Languages, which means that it is 
computationally hard to sample an element in ℒ_1 ∩ ... ∩ ℒ_n, except for the simulator, 
who possesses a trapdoor tk (the equivocation trapdoor) allowing it to sample an 
element in the intersection of languages. This allows a simulated user (knowing 
this trapdoor) not to really bind to any identity during the commitment phase. 
The only difference with the algorithm described in Fig. 5 is that the user now 
encrypts this word W (which is an equivocable commitment on his identity id) 
rather than directly encrypting his identity id: C = Encrypt^ℓ_cca(W; ρ). This 
technique is also explained as an application of our OLBE framework, in the paper 
full version [10]. We will directly prove this protocol during the proof of the 
oblivious transfer scheme. 
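A toy model of the fragmented, masked key delivery of Fig. 5 (added here; this is not code from the paper). It assumes a bit-per-bit ElGamal encryption with the standard ElGamal-based SPHF for the language "the i-th bit encrypted in C is b" in place of the labeled CCA scheme the paper requires, so it shows only the mechanics (the fragments of the committed identity are the only ones unmasked correctly, and the shares z_i cancel against Z), not the security; the group parameters P, Q, G and all key fragments are constructed.

```python
import hashlib
import secrets
from functools import reduce

# Constructed toy parameters (not secure): safe prime p = 2q + 1 and a generator g
# of the order-q subgroup. A real instantiation uses a cryptographic-size group.
P, Q, G = 1019, 509, 4
M = 8            # identity length in bits, i.e. the number of fragment positions
FRAG_LEN = 32    # byte length of each key fragment


def xor(a: bytes, b: bytes) -> bytes:
    """The paper's "compatible operation" (+); XOR is its own inverse (-)."""
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(h: int) -> bytes:
    """Stand-in for KDF: derive a FRAG_LEN-byte mask from a group element."""
    return hashlib.sha256(b"fragment-mask|" + h.to_bytes(4, "big")).digest()


def bits(ident: int) -> list:
    """Bits id_0 ... id_{M-1} of an identity (the line number)."""
    return [(ident >> i) & 1 for i in range(M)]


def cpa_keygen():
    """ElGamal key pair for the commitment layer (the paper needs a labeled CCA
    scheme such as Cramer-Shoup here; plain ElGamal is a simplification)."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def user_commit(h: int, ident: int):
    """First flow: bit-per-bit encryption of id; rho = (r_i) is kept for ProjHash."""
    rho, C = [], []
    for b in bits(ident):
        r = secrets.randbelow(Q - 1) + 1
        rho.append(r)
        C.append((pow(G, r, P), pow(h, r, P) * pow(G, b, P) % P))
    return C, rho


def fragmented_keys():
    """Server side: usk_0 and one fragment usk[i, b] per bit position and bit value."""
    usk0 = secrets.token_bytes(FRAG_LEN)
    usk = [[secrets.token_bytes(FRAG_LEN) for _ in (0, 1)] for _ in range(M)]
    return usk0, usk


def usk_for(usk0, usk, ident: int) -> bytes:
    """usk[id] = usk_0 (+) (+)_i usk[i, id_i]: the key of an identity is the
    combination of its fragments, as for an affine bit-wise IBE."""
    return reduce(xor, (usk[i][b] for i, b in enumerate(bits(ident))), usk0)


def server_blind_answer(h: int, C, usk0, usk):
    """Second flow of Fig. 5: each fragment is masked with the SPHF hash for the
    language "the i-th bit encrypted in C is b" and with a share z_i; the shares
    cancel against Z, so only the fragments of the committed id combine correctly."""
    hp, busk, zs = [], [], []
    for i, (u, v) in enumerate(C):
        z = secrets.token_bytes(FRAG_LEN)
        zs.append(z)
        hp_i, busk_i = [], []
        for b in (0, 1):
            alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
            hp_i.append(pow(G, alpha, P) * pow(h, beta, P) % P)      # hp_{i,b}
            v_b = v * pow(pow(G, b, P), -1, P) % P                  # v / g^b
            H = pow(u, alpha, P) * pow(v_b, beta, P) % P            # H_{i,b}
            busk_i.append(xor(xor(usk[i][b], kdf(H)), z))           # busk[i, b]
        hp.append(hp_i)
        busk.append(busk_i)
    Z = reduce(xor, zs, usk0)                                       # usk_0 (-) (+)_i z_i
    return hp, busk, Z


def user_recover(hp, busk, Z, rho, ident: int) -> bytes:
    """User side: ProjHash with the commitment randomness equals H_{i,b} exactly
    when b is the committed bit, which unmasks usk[i, id_i] (+) z_i."""
    frags = []
    for i, b in enumerate(bits(ident)):
        H_proj = pow(hp[i][b], rho[i], P)
        frags.append(xor(busk[i][b], kdf(H_proj)))
    return reduce(xor, frags, Z)


def run(committed: int, claimed: int):
    """Full exchange: the user commits to `committed`, then tries to recover the
    key of `claimed`. Returns (recovered key, true key of `claimed`)."""
    h, _sk = cpa_keygen()
    usk0, usk = fragmented_keys()
    C, rho = user_commit(h, committed)
    hp, busk, Z = server_blind_answer(h, C, usk0, usk)
    return user_recover(hp, busk, Z, rho, claimed), usk_for(usk0, usk, claimed)


if __name__ == "__main__":
    got, want = run(0b10110010, 0b10110010)
    print("honest recovery matches usk[id]:", got == want)
    got, want = run(0b10110010, 0b01001101)
    print("recovery for a non-committed identity matches:", got == want)
```

Because the SPHF is smooth, the second run yields garbage for every bit position the user did not commit to, which is what keeps the fragments of other lines hidden.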


3.4 Generic Construction of Adaptive OT 

We derive from here our generic construction of OT (depicted in Fig. 6). We 
additionally assume the existence of a Pseudo-Random Generator (PRG) F with 
input size equal to the plaintext size and output size equal to the size of the 
messages in the database, and an IND-CPA encryption scheme ℰ = (Setup_cpa, 
KeyGen_cpa, Encrypt_cpa, Decrypt_cpa) with plaintext size at least equal to the 
security parameter. First, the owner of the database generates the keys for such an 
IBE scheme, and encrypts each line i of the database for the identity i. Then, 
when a user wants to request a given line, he runs the blind user key generation 
algorithm and recovers the key for the expected given line. This leads to the 
following security result, proven in the paper full version [10]. 

Theorem 9. Assuming that BlindUSKGen is constructed as described above, the 
adaptive Oblivious Transfer protocol described in Fig. 6 UC-realizes the 
functionality ℱ_OT presented in Fig. 2 with adaptive corruptions assuming reliable 
erasures. 


3.5 Pairing-Based Instantiation of Adaptive OT 

Affine Bit-Wise Blind IBE. In [12], the authors propose a generic framework 
to move from affine Message Authentication Code to IBE, and they propose a 


CRS generation: 

crs ← SetupCom(1^𝔎), param_cpa ← Setup_cpa(1^𝔎). 

Database Preparation: 

1. Server runs Gen(𝔎), to obtain mpk, msk. 

2. For each line t, he computes (D_t, K_t) = Enc(mpk, t), and L_t = K_t ⊕ DB(t). 

3. He also computes usk[i, b] for all i = 1, ..., m and b = 0, 1 and erases msk. 

4. Server generates a key pair (pk, sk) ← KeyGen_cpa(param_cpa) for ℰ, stores sk and 
completely erases the random coins used by KeyGen. 

5. He then publishes mpk, {(D_t, L_t)}_t, pk. 

Index query on s: 

1. User chooses a random value S, computes R ← F(S) and encrypts S under pk: 
c ← Encrypt_cpa(pk, S). 

2. User computes C with the first flow of BlindUSKGen(⟨(S, msk), (U, s, ℓ; ρ)⟩) with 
ℓ = (sid, ssid, U, S) (see Figure 5). 

3. User stores the random ρ_s = {ρ_i} needed to open C to s, and completely erases 
the rest, including the random coins used by Encrypt_cpa, and sends (c, C) to the 
Server. 

IBE input msk: 

1. Server decrypts S ← Decrypt_cpa(sk, c) and computes R ← F(S). 

2. Server runs the second flow of BlindUSKGen(⟨(S, msk), (U, s, ℓ; ρ)⟩) on C (see 
Figure 5). 

3. Server erases every new value except (hp_{i,b})_{i,b}, (busk[i, b])_{i,b}, Z ⊕ R and sends 
them over a secure channel. 

Data recovery: 

1. User then, using ρ_s, recovers usk[s] from the values received from the server. 

2. He can then recover the expected information with Dec(usk[s], s, D_s) ⊕ L_s and 
erases everything else. 


Fig. 6. Adaptive UC-Secure 1-out-of-n OT from a Fragmented Blind IBE 
tight instantiation of such a MAC, giving an affine bit-wise IBE, which seems 
like a good candidate for our setting (making it blind and fragmented). 

We are thus going to use the family of IBE described in the following picture 
(Fig. 7), which is their instantiation derived from a Naor-Reingold MAC¹⁰. In 
the following, h_i() are injective deterministic public functions mapping a bit to 
a scalar in Z_p. 

A property that was not studied in this paper was the blind user key generation: 
how to generate and answer blind user secret key queries? We answer 
this question by proposing the k-MDDH-based variation presented in Fig. 8. 
To fit the global framework we are going to consider the equivocable language of 
each chameleon hash of the identity bits (a_i, d_i), and then a Cramer-Shoup-like 
encryption of b into d (more details in the paper full version [10]). We denote 
this process as Har in the following protocol, and by ℒ_{Har,i,id_i} the language on 
identity bits. We thus obtain the following security results. 

Theorem 10. This construction achieves both the weak Blindness, and the 
leak-free secret key generation requirements under the k-MDDH assumption. 

The first one is true under the indistinguishability of the generalized Cramer-
Shoup encryption recalled in the paper full version [10], as the server learns 
nothing about the line requested during the first flow. It should even be noted 
that because of the inner chameleon hash, a simulator is able to use the trapdoor 
to do a commitment to every possible word of the set of languages at once, and 
so can adaptively decide which id he requested. The proof of the second result 
is delayed to the paper full version [10]. 

For the sake of generality, any bit-wise affine IBE could work (like for example 
Waters IBE [57]); the additional price paid for tightness here is very small 

Gen(𝔎): 
  A ← 𝒟_k, B = Ā 
  For i ∈ [0, ℓ]: Y_i ← Z_p^{k+1}; Z_i = Y_i^T · A ∈ Z_p^k 
  y' ← Z_p^{k+1}; z' = y'^T · A ∈ Z_p^k 
  mpk := (𝒢, [A]_1, ([Z_i]_1)_{i∈[0,ℓ]}, [z']_1) 
  msk := ((Y_i)_{i∈[0,ℓ]}, y') 
  Return (mpk, msk) 

Enc(mpk, id): 
  r ← Z_p^k 
  c_0 = A r ∈ Z_p^{k+1} 
  c_1 = (Z_0 + Σ_{i=1}^{ℓ} h_i(id_i) Z_i) · r ∈ Z_p 
  K = z' · r ∈ Z_p 
  Return [K]_T and C = ([c_0]_1, [c_1]_1) ∈ G_1^{k+1+1} 

USKGen(msk, id): 
  s ← Z_p, t = B s 
  w = (Y_0 + Σ_{i=1}^{ℓ} h_i(id_i) Y_i) t + y' ∈ Z_p^{k+1} 
  Return usk[id] := ([t]_2, [w]_2) ∈ G_2^{1+k+1} 

Dec(usk[id], id, C): 
  Parse usk[id] = ([t]_2, [w]_2) 
  Parse C = ([c_0]_1, [c_1]_1) 
  K = e([c_0]_1, [w]_2) · e([c_1]_1, [t]_2)^{-1} 
  Return K ∈ G_T 


Fig. 7. A fragmentable affine IBKEM. 

¹⁰ For the reader familiar with the original result, we combine x, y into a bigger y to 
lighten the notations, and compact the (x'_i, y'_i) values into a single y' as this has no 
impact on their construction. 
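A correctness check of Dec in Fig. 7, added here (the paper does not write it out), using $Z_i = Y_i^{\top} A$ and $z' = y'^{\top} A$ from Gen and $c_0 = A r$ from Enc:

$$c_0^{\top} w \;=\; r^{\top} A^{\top}\Big(\big(Y_0 + \textstyle\sum_{i=1}^{\ell} h_i(\mathrm{id}_i)\, Y_i\big)\, t + y'\Big) \;=\; \Big(\big(Z_0 + \textstyle\sum_{i=1}^{\ell} h_i(\mathrm{id}_i)\, Z_i\big)\cdot r\Big)\, t + z'\cdot r \;=\; c_1\, t + K .$$

Hence $e([c_0]_1, [w]_2) = [c_1 t + K]_T$ and $e([c_1]_1, [t]_2) = [c_1 t]_T$, so their quotient is $[K]_T$, the key returned by Enc for the same identity; for a key on another identity the $h_i(\mathrm{id}_i)$ terms do not cancel and the pairing quotient is unrelated to $K$.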
First flow: U starts by computing 
  a, d = Har(id, ℓ; ρ) ∈ Z_p^ℓ × Z_p^{(k+3)ℓ}, 
  Sends C = ([a]_1, [d]_2) to S. 

Second flow: S then proceeds. 
  Then sets w_0 = Y_0 t + y' − Σ_{i=1}^{ℓ} f_i ∈ Z_p^{k+1}. 
  For each i ∈ [1, ⌈log n⌉], b ∈ [0, 1]: 
    hk_{i,b} ← HashKG(ℒ_{Har,i,b}, C) 
    hp_{i,b} = ProjKG(hk_{i,b}, ℒ_{Har,i,b}, C) 
    H_{i,b} = Hash(hk_{i,b}, ℒ_{Har,i,b}, C) 
    w_{i,b} = (b Y_i) t + f_i + H_{i,b} 
  Returns busk := ([t]_2, [w_0]_2, {[w_{i,b}]_2}, {[hp_{i,b}]_2}). 

BlindUSKGen_3: U then recovers his key. 
  For each i ∈ [1, ℓ]: 
    H'_{i,id_i} = ProjHash(hp_{i,id_i}, ℒ_{Har,i,id_i}, C, ρ_i) 
  And then recovers usk[id] := ([t]_2, [w]_2). 


Fig. 8. BlindUSKGen(⟨(S, msk), (U, id, ℓ; ρ)⟩). 


and allows to have a better reduction in the proof, but it is not required by the 
framework itself. 

Adaptive UC-Secure Oblivious Transfer. We finally get our instantiation 
by combining this k-MDDH-based blind IBE with a k-MDDH variant of 
El Gamal for the CPA encryption needed (see the paper full version [10] for 
details). The requirement on the IBE blind user secret key generation (being 
able to adapt the key if the line changes) is achieved assuming that the server 
knows the discrete logarithms of the database lines. This is quite easy to achieve 
by assuming that for all lines s, DB(s) = [db(s)]_1 where db(s) is the real line (thus 
known). It implies a few more computations on the user's side in order to recover 
db(s) from DB(s), but this remains completely feasible if the lines belong to a 
small space. For practical applications, one could imagine splitting all 256-bit lines 
into 8 pieces for a decent/constant trade-off in favor of computational efficiency. 

For k = 1, so under the classical SXDH assumption, the first flow requires 
8 log|DB| elements in G_1 for the CCA encryption part and log(|DB| + 1) in G_2 
for the chameleon one, while the second flow would now require 1 + 4 log|DB| 
elements in G_1, 1 + 2 log|DB| for the fragmented masked key, and 2 log|DB| for 
the projection keys. 

4 Oblivious Language-Based Envelope 

The previous construction opens new efficient applications to the already known 
Oblivious Transfer protocols. But what happens when someone wants some 
additional access control by requesting extra properties, like if the user is only allowed 
to ask two lines with the same parity bits, the user can only request lines 
whose number has been signed by an authority, or even finer control provided 
through credentials? 

In this section we propose to develop a new primitive, that we call Oblivious 
Language-Based Envelope (OLBE). The idea generalizes that of Oblivious 
Transfer and OSBE, recalled right afterwards, for n messages (with n polynomial 
in the security parameter 𝔎) to provide the best of both worlds. 


4.1 Oblivious Signature-Based Envelope 

We recall the definition and security requirements of an OSBE protocol given 
in [13,49], in which a sender S wants to send a private message m ∈ {0,1}^𝔎 to 
a recipient ℛ in possession of a valid certificate/signature on a public message 
M (given by a certification authority). 

Definition 11 (Oblivious Signature-Based Envelope). An OSBE scheme 
is defined by four algorithms (Setup, KeyGen, Sign, Verify), and one interactive 
protocol Protocol⟨S, ℛ⟩: 

- Setup(1^𝔎), where 𝔎 is the security parameter, generates the global parameters 
param; 

- KeyGen(𝔎) generates the keys (vk, sk) of the certification authority; 

- Sign(sk, M) produces a signature σ on the input message M, under the signing 
key sk; 

- Verify(vk, M, σ) checks whether σ is a valid signature on M, w.r.t. the public 
key vk; it outputs 1 if the signature is valid, and 0 otherwise. 

- Protocol⟨S(vk, M, P), ℛ(vk, M, σ)⟩ between the sender S with the private 
message P, and the recipient ℛ with a certificate σ. If σ is a valid signature 
under vk on the common message M, then ℛ receives m, otherwise it receives 
nothing. In any case, S does not learn anything. 

The authors of [13] proposed some variations to the original definitions from 
[49], in order to prevent some interference by the authority. Following them, an 
OSBE scheme should fulfill the following security properties. The formal security 
games are given in [13]. No UC functionality has been given so far, to the best 
of our knowledge. 

- correct: the protocol actually allows ℛ to learn P, whenever σ is a valid 
signature on M under vk; 

- semantically secure: the recipient learns nothing about S's input m if it does 
not use a valid signature σ on M under vk as input. More precisely, if S_0 
owns P_0 and S_1 owns P_1, the recipient that does not use a valid signature 
cannot distinguish an interaction with S_0 from an interaction with S_1 even if 
he has eavesdropped on several interactions ⟨S(vk, M, P), ℛ(vk, M, σ)⟩ with 
valid signatures, and the same sender's input P; 

- escrow-free (oblivious with respect to the authority): the authority (owner of 
the signing key sk), playing as the sender or just eavesdropping, is unable to 
distinguish whether ℛ used a valid signature σ on M under vk as input. 

- semantically secure w.r.t. the authority: after the interaction, the authority 
(owner of the signing key sk) learns nothing about m from a passive access to 
a challenge transcript. 
4.2 Definition of an Oblivious Language-Based Envelope 

In such a protocol, a sender S wants to send one or several private messages 
(up to n_max ≤ n) among (m_1, ..., m_n) ∈ ({0,1}^𝔎)^n to a recipient ℛ in 
possession of a tuple of words W = (W_{i_1}, ..., W_{i_{n_max}}) such that some of the words 
W_{i_j} may belong to the corresponding language ℒ_{i_j}. More precisely, the receiver 
gets each m_{i_j} as soon as W_{i_j} ∈ ℒ_{i_j}, with the requirement that he gets at most 
n_max messages. In such a scheme, the languages (ℒ_1, ..., ℒ_n) are assumed to be 
a trapdoor collection of languages, publicly verifiable and self-randomizable (see 
Sect. 2.3 for the definitions of the properties of the languages). 

The collections of words can be a single certificate/signature on a message M 
(encompassing OSBE, with n = n_max = 1), a password, a credential, a line 
number (encompassing 1-out-of-n oblivious transfer¹¹, with n_max = 1), k line 
numbers (encompassing k-out-of-n oblivious transfer, with n_max = k), etc. (see the 
paper full version [10] for detailed examples). Following the definitions for OSBE 
recalled above and given in [13,49], we give the following definition for OLBE. 
As we consider simulation-based security (in the UC framework), we allow a 
simulated setup SetupT to be run instead of the classical setup Setup in order 
to allow the simulator to possess some trapdoors. Those two setup algorithms 
should be indistinguishable. 

Definition 12 (Oblivious Language-Based Envelope). An OLBE scheme 
is defined by four algorithms (Setup, KeyGen, Samp, Verify), and one interactive 
protocol Protocol⟨𝒮, ℛ⟩: 

- Setup(1^𝔎), where 𝔎 is the security parameter, generates the global parameters 
param, among which the numbers n and n_max; 

or SetupT(1^𝔎), where 𝔎 is the security parameter, additionally allows the 
existence^12 of a trapdoor tk for the collection of languages (L_1, ..., L_n). 

- KeyGen(param, 𝔎) generates, for all i ∈ {1, ..., n}, the description of the 
language L_i (as well as the language key sk_{L_i} if need be). If the parameters param 
were defined by SetupT, this implicitly also defines the common trapdoor tk 
for the collection of languages (L_1, ..., L_n). 

- Samp(param, I) or Samp(param, I, (sk_{L_i})_{i∈I}), such that I ⊆ {1, ..., n} and 
|I| = n_max, generates a list of words (W_i)_{i∈I} such that W_i ∈ L_i for all i ∈ I; 

- Verify_i(W_i, L_i) checks whether W_i is a valid word in the language L_i. It 
outputs 1 if the word is valid, 0 otherwise; 

- Protocol⟨𝒮((L_1, ..., L_n), (m_1, ..., m_n)), ℛ((L_1, ..., L_n), (W_i)_{i∈I})⟩, which is 
executed between the sender 𝒮 with the private messages (m_1, ..., m_n) and 
corresponding languages (L_1, ..., L_n), and the recipient ℛ with the same 
languages and the words (W_i)_{i∈I} with I ⊆ {1, ..., n} and |I| = n_max, proceeds 
as follows. For all i ∈ I, if the algorithm Verify_i(W_i, L_i) returns 1, then ℛ 
receives m_i, otherwise it does not. In any case, 𝒮 does not learn anything. 

^11 Even if, as explained in the former section, we would rather consider equivocable 
commitments of line numbers than directly line numbers, in order to get adaptive 
UC security. 

^12 The specific trapdoor will depend on the languages and be computed in the KeyGen 
algorithm. 

4.3 Security Properties and Ideal Functionality of OLBE 

Since we aim at proving the security in the universal composability framework, 
we now describe the corresponding ideal functionality (depicted in Fig. 9). 
However, in order to ease the comparison with an OSBE scheme, we first list the 
security properties required, following [13,49]: 

- correct: the protocol actually allows ℛ to learn (m_i)_{i∈I} whenever (W_i)_{i∈I} are 
valid words of the languages (L_i)_{i∈I}, where I ⊆ {1, ..., n} and |I| = n_max; 

- semantically secure (sem): the recipient learns nothing about the input (m_i)_{i∈I} 
of 𝒮 if it does not use a word in L_i. More precisely, if 𝒮_0 owns m_{i,0} and 𝒮_1 
owns m_{i,1}, the recipient that does not use a word in L_i cannot distinguish 
between an interaction with 𝒮_0 and an interaction with 𝒮_1 even if the receiver 
has seen several interactions 

  ⟨𝒮((L_1, ..., L_n), (m_1, ..., m_n)), ℛ((L_1, ..., L_n), (W'_j)_{j∈I})⟩ 

with valid words W'_i ∈ L_i, and the same sender's input (m_i)_{i∈I}; 

- escrow free (oblivious with respect to the authority): the authority 
corresponding to the language L_i (owner of the language secret key sk_{L_i}, if it exists), 
playing as the sender or just eavesdropping, is unable to distinguish whether 
ℛ used a word W_i in the language L_i or not. This requirement also holds for 
anyone holding the trapdoor key tk; 

- semantically secure w.r.t. the authority (sem*): after the interaction, the 
trusted authority (owner of the language secret keys if they exist) learns 
nothing about the values (m_i)_{i∈I} from the transcript of the execution. This 
requirement also holds for anyone holding the trapdoor key tk. 

Moreover, the Setups should be indistinguishable and it should be infeasible 
to find a word belonging to two or more languages without the knowledge of tk. 

The ideal functionality is parametrized by a set of languages (L_1, ..., L_n). 
Since we show in the following sections that one can see OSBE and OT as special 
cases of OLBE, it is inspired by the oblivious transfer functionality given in [1, 
21,24] in order to provide a framework consistent with works well-known in the 
literature. As for oblivious transfer (Fig. 2), we adapt them to the simple UC 
framework for simplicity (this enables us to get rid of Sent and Received queries 
from the adversary since the delayed outputs are automatically considered in 
this simpler framework: we implicitly let the adversary determine if it wants 
to acknowledge the fact that a message was indeed sent). The first step for the 
sender (Send query) consists in telling the functionality he is willing to take part 
in the protocol, giving as input his intended receiver and the messages he is 
willing to send (up to n_max messages). For the receiver, the first step (Receive 
query) consists in giving the functionality the name of the player he intends to 
receive the messages from, as well as his words. If the word does belong to the 
language, the receiver recovers the sent message, otherwise, he only gets a special 
symbol ⊥. 

The functionality F_OLBE is parametrized by a security parameter 𝔎 and a set of 
languages (L_1, ..., L_n) along with the corresponding public verification algorithms 
(Verify_1, ..., Verify_n). It interacts with an adversary 𝒮 and a set of parties P_1, ..., P_N 
via the following queries: 

- Upon receiving from party P_i an input of the form (Send, sid, ssid, P_j, 
(m_1, ..., m_n)), with m_k ∈ {0,1}^𝔎 for all k: record the tuple (sid, ssid, P_i, P_j, 
(m_1, ..., m_n)) and reveal (Send, sid, ssid, P_i, P_j) to the adversary 𝒮. Ignore 
further Send-messages with the same ssid from P_i. 

- Upon receiving an input of the form (Receive, sid, ssid, P_i, (W_k)_{k∈I}) 
with the conditions I ⊆ {1, ..., n} and |I| = n_max from party P_j: 
ignore the message if (sid, ssid, P_i, P_j, (m_1, ..., m_n)) is not recorded. 
Otherwise, reveal (Receive, sid, ssid, P_i, P_j) to the adversary 𝒮 and send the 
message (Received, sid, ssid, P_i, (m'_k)_{k∈I}) to P_j where m'_k = m_k if 
Verify_k(W_k, L_k) returns 1, and m'_k = ⊥ otherwise. Ignore further Receive-messages 
with the same ssid from P_j. 

Fig. 9. Ideal Functionality for Oblivious Language-Based Envelope F_OLBE 


4.4 Generic UC-Secure Instantiation of OLBE with Adaptive Security 

For the sake of clarity, we now concentrate on the specific case where n_max = 1. 
This is the most classical case in practice, and suffices for both OSBE and 1-out-
of-n OT. In order to get a generic protocol in which n_max > 1, one simply has 
to run n_max protocols in parallel. This modifies the algorithms Samp and Verify 
as follows: Samp(param, {i}) or Samp(param, {i}, {sk_{L_i}}) generates a word W = 
W_i ∈ L_i and Verify_j(W, L_j) checks whether W is a valid word in L_j. 

Let us introduce our protocol OLBE: we will call ℛ the receiver and 𝒮 the 
sender. If ℛ is an honest receiver, then he knows a word W = W_i in one of 
the languages L_i. If 𝒮 is an honest sender, then he wants to send one message 
among (m_1, ..., m_n) ∈ ({0,1}^𝔎)^n to ℛ. We assume the languages L_i to 
be self-randomizable and publicly verifiable. We also assume that the collection of 
languages (L_1, ..., L_n) possesses a trapdoor, which the simulator is able to find by 
programming the common reference string. As recalled in the previous section, 
this trapdoor enables him to find a word lying in the intersection of the n 
languages. This should be infeasible without the knowledge of the trapdoor. 
Intuitively, this allows the simulator to commit to all languages at once, postponing 
the time when it needs to choose the exact language he wants to bind to. 
Conversely, if a user were granted the same possibilities, this would prevent the 
simulator from extracting the chosen language. 

We assume the existence of a labeled CCA-encryption scheme ℰ = (Setup_cca, 
KeyGen_cca, Encrypt_cca, Decrypt_cca) compatible with an SPHF onto a set G. In the 
KeyGen algorithm, the description of the languages (L_1, ..., L_n) thus implicitly 
defines the languages (L'_1, ..., L'_n) of CCA-encryptions of elements of the 
languages (L_1, ..., L_n). We additionally use a key derivation function KDF to derive 
a pseudo-random bit-string K ∈ {0,1}^𝔎 from a pseudo-random element v ∈ G. 
One can use the Leftover-Hash Lemma [40], with a random seed defined in 
param during the global setup, to extract the entropy from v, then followed by 
a pseudo-random generator to get a long enough bit-string. Many uses of the 
same seed in the Leftover-Hash Lemma just lead to a security loss linear in 
the number of extractions. We also assume the existence of a Pseudo-Random 
Generator (PRG) F with input size equal to the plaintext size, and output size 
equal to the size of the messages in the database, and an IND-CPA encryption 
scheme ℰ = (Setup_cpa, KeyGen_cpa, Encrypt_cpa, Decrypt_cpa) with plaintext size at 
least equal to the security parameter. 

We follow the ideas of the oblivious transfer constructions given in [1,9], 
giving the protocol presented on Fig. 10. For the sake of simplicity, we only give 
the version for adaptive security, in which the sender generates a public key pk 
and ciphertext c to create a somewhat secure channel (they would not be used 
in the static version). 

CRS: param ← Setup(1^𝔎), param_cca ← Setup_cca(1^𝔎), param_cpa ← Setup_cpa(1^𝔎). 

Pre-flow: 

1. Sender generates a key pair (pk, sk) ← KeyGen_cpa(param_cpa) for ℰ, stores sk and 
completely erases the random coins used by KeyGen. 

2. Sender sends pk to User. 

Flow From the Receiver ℛ: 

1. User chooses a random value J, computes R ← F(J) and encrypts J under pk: 
c ← Encrypt_cpa(pk, J). 

2. User computes C ← Encrypt_cca^ℓ(W, r) with ℓ = (sid, ssid, ℛ, 𝒮). 

3. User completely erases J and the random coins used by Encrypt_cpa and sends C 
and c to Sender. He also checks the validity of his words: the receiver only keeps 
the random coins used by Encrypt_cca for the j such that Verify_j(W, L_j) = 1 (since 
he knows they will be useless otherwise). 

Flow From the Sender 𝒮: 

1. Sender decrypts J ← Decrypt_cpa(sk, c) and then R ← F(J). 

2. For all j ∈ {1, ..., n}, sender computes hk_j = HashKG(ℓ, L'_j, param), hp_j = 
ProjKG(hk_j, ℓ, (L'_j, param)), v_j = Hash(hk_j, (L'_j, param), (ℓ, C)), Q_j = m_j ⊕ 
KDF(v_j) ⊕ R. 

3. Sender erases everything except (Q_j, hp_j)_{j∈{1,...,n}} and sends them over a secure 
channel. 

Message recovery: 

Upon receiving (Q_j, hp_j)_{j∈{1,...,n}}, ℛ can recover m_i by computing m_i = Q_i ⊕ 
KDF(ProjHash(hp_i, (L'_i, param), (ℓ, C), r)) ⊕ R. 

Fig. 10. UC-Secure OLBE for One Message (Secure Against Adaptive Corruptions) 

Adaptive Oblivious Transfer and Generalization 243 

Theorem 13. The oblivious language-based envelope scheme described in 
Fig. 10 is UC-secure in the presence of adaptive adversaries, assuming reliable 
erasures, an IND-CPA encryption scheme, and an IND-CCA encryption scheme 
admitting an SPHF on the language of valid ciphertexts of elements of L_i for all i, 
as soon as the languages are self-randomizable, publicly-verifiable and admit a 
common trapdoor. The proof is given in the paper full version [10]. 


4.5 Oblivious Primitives Obtained by the Framework 

Classical oblivious primitives such as Oblivious Transfer (both 1-out-of-n and k-
out-of-n) or Oblivious Signature-Based Envelope directly lie in this framework 
and can be seen as examples of Oblivious Language-Based Envelope. We provide 
in the paper full version [10] details about how to describe the languages and 
choose appropriate smooth projective hash functions to readily achieve current 
instantiations of Oblivious Signature-Based Envelope or Oblivious Transfer from 
our generic protocol. The framework also enables us to give a new instantiation 
of Access Controlled Oblivious Transfer under classical assumptions. In such a 
primitive, the user does not automatically get the line he asks for, but has to 
prove that he possesses one of the credentials needed to access this particular 
line. 

For the sake of simplicity, all the instantiations given are pairing-based but 
techniques explained in [9] could be used to rely on other families of assumptions, 
like decisional quadratic residue or even LWE. 
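To make the guarantees of the ideal functionality F_OLBE of Fig. 9 concrete, and to show how 1-out-of-n OT and OSBE fall out of it as the special cases named above, here is an executable model of the functionality. It is an added illustration and not code from the paper: the class and function names (OLBEFunctionality, ot_verifiers, osbe_verifier) are ours, languages are represented directly by their public Verify predicates, and the "signature" language of the OSBE example uses a keyed MAC with a constructed key as a stand-in for a real signature scheme. 

```python
"""Executable model of F_OLBE (Fig. 9).  Added illustration, not the paper's code."""
import hashlib
import hmac

BOTTOM = None  # stands for the special symbol ⊥ handed to the receiver on failure


class OLBEFunctionality:
    """Keeps (sid, ssid, P_i, P_j, messages) records exactly as F_OLBE does."""

    def __init__(self, verifiers, n_max):
        self.verifiers = verifiers      # Verify_1, ..., Verify_n (public predicates)
        self.n = len(verifiers)
        self.n_max = n_max
        self.records = {}               # (sid, ssid, P_i, P_j) -> (m_1, ..., m_n)
        self.seen_send = set()          # (P_i, ssid) pairs already used by a sender
        self.seen_receive = set()       # (P_j, ssid) pairs already used by a receiver
        self.leaked = []                # everything the adversary gets to see

    def send(self, sender, sid, ssid, receiver, messages):
        """Send query from P_i = sender: record the tuple, leak only the party names."""
        if len(messages) != self.n or (sender, ssid) in self.seen_send:
            return False                # a second Send with the same ssid is ignored
        self.seen_send.add((sender, ssid))
        self.records[(sid, ssid, sender, receiver)] = tuple(messages)
        self.leaked.append(("Send", sid, ssid, sender, receiver))  # no message content
        return True

    def receive(self, receiver, sid, ssid, sender, words):
        """Receive query from P_j = receiver with words {k: W_k for k in I}, |I| = n_max.

        Returns (Received, sid, ssid, P_i, {k: m'_k}) with m'_k = m_k when
        Verify_k(W_k) = 1 and m'_k = ⊥ otherwise; None when the query is ignored."""
        if len(words) != self.n_max or (receiver, ssid) in self.seen_receive:
            return None
        record = self.records.get((sid, ssid, sender, receiver))
        if record is None:              # nothing recorded for this (sid, ssid)
            return None
        self.seen_receive.add((receiver, ssid))
        self.leaked.append(("Receive", sid, ssid, sender, receiver))
        delivered = {}
        for k, w in words.items():      # k is a 1-based language index
            if not 1 <= k <= self.n:
                return None
            delivered[k] = record[k - 1] if self.verifiers[k - 1](w) else BOTTOM
        return ("Received", sid, ssid, sender, delivered)


def ot_verifiers(n):
    """1-out-of-n OT as OLBE: language L_i contains the single word i (a line number)."""
    return [(lambda w, i=i: w == i) for i in range(1, n + 1)]


def osbe_verifier(vk, message):
    """OSBE as OLBE with n = n_max = 1: the language is the set of valid 'signatures'
    on `message` under vk.  A keyed MAC with a constructed key stands in for the
    signature scheme here (assumption of this toy model)."""
    expected = hmac.new(vk, message, hashlib.sha256).digest()
    return lambda sigma: isinstance(sigma, bytes) and hmac.compare_digest(sigma, expected)


def demo_ot():
    """Receiver asks for line 2 of a 3-line database: gets m_2 and nothing else."""
    f = OLBEFunctionality(ot_verifiers(3), n_max=1)
    assert f.send("S", "sid", "ssid1", "R", ["m1", "m2", "m3"])
    out = f.receive("R", "sid", "ssid1", "S", {2: 2})
    # a second Receive under the same ssid is ignored, so R cannot also fetch line 3
    second = f.receive("R", "sid", "ssid1", "S", {3: 3})
    return out[4], second, f.leaked


def demo_osbe():
    """The envelope opens only for a holder of a valid signature on b'M'."""
    vk = b"constructed-key"
    f = OLBEFunctionality([osbe_verifier(vk, b"M")], n_max=1)
    f.send("S", "sid", "ssid2", "R", ["secret"])
    f.send("S", "sid", "ssid3", "R", ["secret"])
    good = hmac.new(vk, b"M", hashlib.sha256).digest()
    bad = hmac.new(vk, b"M'", hashlib.sha256).digest()   # signature on the wrong message
    with_sig = f.receive("R", "sid", "ssid2", "S", {1: good})[4][1]
    without = f.receive("R", "sid", "ssid3", "S", {1: bad})[4][1]
    return with_sig, without
```

The `leaked` list is the point of the model: the adversary sees party names and session identifiers but never a message or a word, which is exactly the escrow-free and sender-privacy guarantees of Sect. 4.3 stated as data flow. 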

Acknowledgments. This work was supported in part by the French ANR EnBid 
Abstract. In the realm of public-key encryption, the confidentiality 
notion of security against selective opening (SO) attacks considers adver- 
saries that obtain challenge ciphertexts and are allowed to adaptively 
open them, meaning have the corresponding message and randomness 
revealed. SO security is stronger than IND-CCA and often required when 
formally arguing towards the security of multi-user applications. While 
different ways of achieving SO secure schemes are known, as they gen- 
erally employ expensive asymmetric building blocks like lossy trapdoor 
functions or lossy encryption, such constructions are routinely left aside 
by practitioners and standardization bodies. So far, formal arguments 
towards the SO security of schemes used in practice (e.g., for email 
encryption) are not known. 

In this work we shift the focus from the asymmetric to the symmet- 
ric building blocks of PKE and prove the following statement: If a PKE 
scheme is composed of a key encapsulation mechanism (KEM) and a 
blockcipher-based data encapsulation mechanism (DEM), and the DEM 
has specific combinatorial properties, then the PKE scheme offers SO 
security in the ideal cipher model. Fortunately, as we show, the required 
properties hold for popular modes of operation like CTR, CBC and CCM. 
This paper not only establishes the corresponding theoretical framework 
of analysis, but also contributes very concretely to practical cryptog- 
raphy by concluding that selective opening security is given for many 
real-world schemes. 


1 Introduction 

Public key encryption in the multi-user setting. The most important security 
notion for public key encryption is indistinguishability under chosen ciphertext 
attacks (IND-CCA). The modeled setting is as follows: One user generates a key 
pair, a second user encrypts one out of two messages to her, and the adversary 
shall find out which one it was. Here, importantly, the adversary controls the 
distribution of the two messages and may request decryptions of ciphertexts of 
its choice. 

The definition of selective opening (SO) security is more general as it takes 
into account the fact that the public key setting allows for more than two parties. 
Concretely, in the SO setting one user generates a key pair, many users encrypt 
messages to her key (of course using fresh and independent random coins), and 
the adversary’s goal is to derive any information about any of the messages. 
Again the adversary controls the message distribution (individually for each 
participant, but also joint distributions are possible) and may have arbitrary 
ciphertexts decrypted. On top of that the adversary is allowed to ‘open’ any 
subset of ciphertexts, i.e., to corrupt the encrypters, for instance by breaking into 
their computers, and thereby reveal the messages they encrypted and the random 
coins they used. (In some applications, like in secure multi-party computation, 
users even deliberately reveal their messages and randomness to make their 
computations publicly verifiable.) Selective opening security is provided if in 
this situation the confidentiality of the remaining ‘unopened’ ciphertexts is still 
provided. Intuitively, as all the encryptions occur independently of each other, 
IND-CCA should imply SO security. Unfortunately, formal analysis reveals that 
this is not the case. 

Notions of Selective Opening security. Formalising suitable notions of SO secu- 
rity has proven to be highly non-trivial. Since encrypted messages may depend 
on each other, opening some ciphertexts might readily leak information on mes- 
sages encrypted in other (unopened) ciphertexts. Thus, it is not even clear what 
it means for unopened messages to remain confidential. Two flavours of SO secu- 
rity have been studied in prior work: notions based on indistinguishability (IND) 
and notions based on simulatability (SIM). For IND based notions an adversary 
may open arbitrary ciphertexts and is challenged to tell apart the originally 
encrypted messages from fresh messages that occur as likely as the original mes- 
sages. One usually restricts the distribution on the messages to be efficiently 
conditionally resamplable to ensure an efficient security game (weak-IND-SO). 
We obtain the security experiment for full-IND-SO if arbitrary distributions may 
occur in the experiment. 

In contrast, SIM based notions (capturing semantic security in the SO set- 
ting) do not suffer from such a restriction. In a nutshell, a scheme is SIM-SO 
secure if for every SO adversary there exists a simulator that can compute the 
same output without seeing any ciphertexts. Importantly, such simulators may 
corrupt senders to learn the messages they (virtually) encrypted. 

Both flavours may be considered for passive (CPA) and active (CCA) adver- 
saries whereby, in contrast to the CPA setting, a CCA adversary has access to a 
decryption oracle (with the usual restrictions). While any of IND-SO-CPA/CCA 
and SIM-SO- CPA/CCA implies standard IND- CPA/CCA security, the converse 
does not hold in general. Only partial results are known for the reverse direction, 
as discussed below. We give more details on the relations amongst the notions 
of selective opening security at the end of Sect. 2. 

Motivation and contribution. Considering that users in practice may be exposed 
to the threats modeled in the SO context, and given that the classical indis- 
tinguishability notions are formally weaker than notions of SO security, the fol- 
lowing question is immediate: Are users ‘safe’ if they trust in a PKE scheme 
designed towards the goal of ‘only’ indistinguishability? At least in theory, if the 
security proof of the scheme considers exclusively indistinguishability, information 
about encrypted messages is potentially exposed to the adversary in SO-like 
attack scenarios. This observation calls for a thorough SO analysis of all encryp- 
tion schemes covered by international standards. The facts that all PKE schemes 
that so far were formally confirmed to be SO secure require heavy building blocks 
like lossy trapdoor functions (except for one work discussed in Previous work ) 
and that practitioners systematically avoid such building blocks for reasons of 
efficiency suggest that likely most practical schemes would not withstand SO 
attacks. Fortunately, however, in this paper we show that virtually all practical 
PKE constructions provably do meet SO security. 

Our approach is complementary to that of prior works: Instead of analysing 
the asymmetric building blocks of constructions, we observe that SO security is 
tightly linked to the security of the symmetric building blocks (i.e., symmetric 
encryption). We particularly show that in the KEM/DEM paradigm for hybrid 
encryption certain properties of blockcipher-based DEMs suffice to render the 
overall PKE scheme SO secure (in the ideal cipher model for the blockcipher) 
independently of the properties of the KEM. 

In a nutshell, our result is: We introduce a specific property called simu- 
latability for blockcipher-based DEMs that is met by virtually all DEMs used 
in practice and guarantees that if a corresponding DEM is combined with any 
IND-CCA secure KEM then the overall hybrid PKE scheme achieves SIM-SO- 
CCA security (in the ideal cipher model). Intuitively, simulatable DEMs can be 
thought of as some form of non-committing encryption in the realm of symmet- 
ric cryptography, while non-committing encryption is usually considered in the 
public-key setting. 

Previous work. The SO problem dates back to [12] where the selective decommit- 
ment problem was studied for commitment schemes. SO notions for encryption 
first appeared in [3,6]. The first IND-SO-CPA secure encryption scheme in the 
standard model was given in [3] and is based on lossy encryption (cf. [29]). 

Also deniable encryption [7] and techniques from non-committing encryption 
[8,21] already allow for constructing SO secure PKE ([11]). Lots of separation 
and implication results for SO and standard notions were studied in 
[2,5,6,26]. While it was known that IND-CPA implies weak-IND-SO-CPA when 
messages are drawn pair-wise independently (cf. [5,12]), the implication does 
not hold for arbitrary (efficiently conditionally resamplable) distributions as 
recently reported [25]. The result makes use of heavy machinery such as public-coin 
differing-inputs obfuscation and correlation intractable hash functions. However, 
IND-CPA implies weak-IND-SO-CPA for low-dependency distributions such as 
Markov chains [19]. Further, SIM-SO secure constructions in the standard model 
usually (cf. [28]) suffer in efficiency from bit-wise encryption to ensure efficient 
openability. See [24] for current research. SIM-SO-CCA secure PKE schemes are 
constructed in [18] employing extended HPSs and cross-authentication codes. 
This line of research continued in [28] identifying special properties of a KEM, 
allowing one to construct SIM-SO-CCA secure PKE, when combined with strengthened 
cross-authentication codes. 

Note that we only consider SO security under sender corruption. Only 
recently, security under receiver corruption gained some attention [20] while 
already defined in [1]. 

Work analysing the SO security of standardised widely-used encryption 
schemes appeared only recently (in the random oracle model). Concretely, Heuer 
et al. [22] consider Hashed ElGamal encryption (standardised under the name of 
DHIES) and RSA-OAEP. Unfortunately, the considered versions of these PKE 
schemes assume messages that are not longer than the output lengths of the used 
random oracle, i.e., less than 128 bytes. This severely limits the results of [22] 
for practical considerations. 


Paper organization. In Sect. 2 we recall some important cryptographic notions, 
including the definition of SO security that we use in this paper. We then, in 
Sect. 3, identify certain combinatorial properties of DEMs that suffice to achieve 
SO security of hybrid PKE; more precisely, we expose the central claim of this 
paper which states that any DEM that has these properties in combination with 
any KEM results, in the ideal cipher model, in a SIM-SO-CCA secure PKE 
scheme. In Sect. 3 we also sketch the arguments required for proving this claim. 
We continue in Sect. 4 with checking whether widely- used DEMs (in particular 
the NIST standardised: CTR, CBC, CCM) have these properties, and come to 
the conclusion that they do. We work out the full details of our main claim and 
its proof in Sect. 5. We conclude in Sect. 6. 

In the full version of this paper [23] we further show that also the (NIST 
standardised) GCM mode of operation possesses the combinatorial properties 
identified in Sect. 3. 

2 Preliminaries 

For n ∈ ℕ let [n] := {1, ..., n}. We distinguish the following operators for 
assigning values to variables: We use symbol '←' when the assigned value results 
from a constant expression (including the output of a deterministic algorithm), 
we write '←u' when the value is sampled uniformly at random from a finite 
set, and we write '←$' when the assigned value is the output of a randomised 
algorithm. If f is a function or a deterministic algorithm that maps elements from 
a set A to a set B we use notations f : A → B and A → f → B interchangeably. 
If f is a randomised algorithm we correspondingly write A → f →$ B, or 
simply f →$ B in case the algorithm takes no input. If A × B → f → C is 
a function then for any a ∈ A we write f_a = f(a, ·) for the partially applied 
function B → f_a → C; b ↦ f(a, b). If R denotes the randomness space of a 
(randomised) algorithm A → f →$ B, we may write A × R → f → B for its 
deterministic version. If A → f → B is a function or a deterministic algorithm 
we let [f] := f(A) ⊆ B denote the image of A under f; if A → f →$ B has 
randomness space R we correspondingly let [f] := f(A × R) ⊆ B denote the set 
of all its possible outputs. When the union A ∪ B of two sets A, B is a disjoint 
union, i.e., if A ∩ B = ∅, we annotate this with A ⊎ B. For a bitstring x of length 
at least l we write msb_l(x) for its left-most l bits and lsb_l(x) for its right-most 
l bits ('most/least significant bits'). 

Our security definitions are based on games played between a challenger and 
an adversary. These games are expressed using program code and terminate 
when a ‘Stop’ command is executed; the argument of the latter is the output of 
the game. We write Pr[G => 1] for the probability that game G terminates by 
running into a ‘Stop with 1’ instruction. 

We next define partial permutations and blockciphers. In our proofs, the 
former play an important role for the abstraction of the latter. 

Definition 1 (Permutation, partial permutation, blockcipher). For a 
finite domain 𝒟 we denote the set of all permutations on 𝒟 with 𝒫(𝒟) and the 
set of all partial permutations on 𝒟 with 𝒫𝒫(𝒟). Precisely, a relation R ⊆ 𝒟 × 𝒟 
is a partial permutation if αRβ, α'Rβ ⇒ α = α' and αRβ, αRβ' ⇒ β = β'; 
relation R is a permutation if in addition |R| = |𝒟| holds. A blockcipher with 
key space 𝒦 and domain 𝒟 is a family (E_k)_{k∈𝒦} of permutations E_k ∈ 𝒫(𝒟). 

We associate with a partial permutation R ∈ 𝒫𝒫(𝒟) the partial functions 
𝒟 → R⁺ → 𝒟 and 𝒟 → R⁻ → 𝒟 that evaluate R left-to-right and right-to-left, 
respectively. For instance, if (α, β) ∈ R then R⁺(α) = β and R⁻(β) = α. We 
write Dom(R) and Rng(R) for the domain and range of R⁺, i.e., for the sets 
{α ∈ 𝒟 | ∃β : (α, β) ∈ R} and {β ∈ 𝒟 | ∃α : (α, β) ∈ R}, respectively. If 
α ∉ Dom(R) and β ∉ Rng(R) we denote with R ← R ∪ {(α, β)} the operation 
of 'programming' R such that R⁺(α) = β and R⁻(β) = α for the updated R, 
which is again a partial permutation. Note that any partial permutation can 
be completed to a (full) permutation by adding sufficiently many such pairs 
(α, β) to it. More importantly, if a partial permutation is selected according to 
the uniform distribution over some subset of 𝒫𝒫(𝒟), it can be extended to a 
permutation uniformly distributed in 𝒫(𝒟) by adding random such pairs (α, β) 
to it. 
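The programming operation R ← R ∪ {(α, β)} and the random completion of a partial permutation are exactly what an ideal-cipher simulator does when it answers E_k and E_k⁻¹ queries lazily; the following added example (ours, not the paper's code) implements both on a small constructed domain. The class names PartialPermutation and LazyIdealCipher are ours; the check routine verifies that every table stays a partial permutation in the sense of Definition 1 under mixed forward and backward queries. 

```python
"""Partial permutations (Definition 1) with lazy random completion.  Added
illustration, not the paper's code; the domain is a tiny constructed one."""
import random


class PartialPermutation:
    """A relation R ⊆ D × D such that R⁺ and R⁻ are both (partial) functions."""

    def __init__(self, domain):
        self.domain = frozenset(domain)
        self.fwd = {}   # R⁺: α ↦ β
        self.bwd = {}   # R⁻: β ↦ α

    def dom(self):
        return set(self.fwd)            # Dom(R)

    def rng(self):
        return set(self.bwd)            # Rng(R)

    def program(self, alpha, beta):
        """R ← R ∪ {(α, β)}; only allowed if α ∉ Dom(R) and β ∉ Rng(R), which is
        exactly the condition that keeps the updated relation a partial permutation."""
        if alpha not in self.domain or beta not in self.domain:
            raise ValueError("pair outside the domain")
        if alpha in self.fwd or beta in self.bwd:
            raise ValueError("programming would break injectivity or functionality")
        self.fwd[alpha] = beta
        self.bwd[beta] = alpha

    def is_permutation(self):
        return len(self.fwd) == len(self.domain)   # |R| = |D|

    def evaluate(self, alpha, coins):
        """Lazy R⁺(α): if α ∉ Dom(R), extend R by (α, β) with β uniform among the
        range points not yet used.  This is how an ideal cipher is simulated."""
        if alpha not in self.fwd:
            free = sorted(self.domain - self.rng())
            self.program(alpha, coins.choice(free))
        return self.fwd[alpha]

    def invert(self, beta, coins):
        """Lazy R⁻(β), the mirror image of evaluate()."""
        if beta not in self.bwd:
            free = sorted(self.domain - self.dom())
            self.program(coins.choice(free), beta)
        return self.bwd[beta]


class LazyIdealCipher:
    """Family (E_k)_{k ∈ K}: each key gets its own independently sampled permutation."""

    def __init__(self, domain):
        self.domain = domain
        self.tables = {}
        self.coins = random.Random(2016)   # fixed seed so the example is reproducible

    def _table(self, k):
        return self.tables.setdefault(k, PartialPermutation(self.domain))

    def enc(self, k, x):
        return self._table(k).evaluate(x, self.coins)

    def dec(self, k, y):
        return self._table(k).invert(y, self.coins)


def check_consistency(domain_size=16, keys=3, queries=64):
    """Issue random forward and backward queries and confirm that every per-key
    table is still a partial permutation and that dec(enc(x)) = x throughout."""
    cipher = LazyIdealCipher(range(domain_size))
    rnd = random.Random(1)
    for _ in range(queries):
        k, x = rnd.randrange(keys), rnd.randrange(domain_size)
        if rnd.random() < 0.5:
            if cipher.dec(k, cipher.enc(k, x)) != x:
                return False
        elif cipher.enc(k, cipher.dec(k, x)) != x:
            return False
    for table in cipher.tables.values():
        if len(set(table.fwd.values())) != len(table.fwd):
            return False                 # R⁺ would not be injective
        if any(table.bwd[b] != a for a, b in table.fwd.items()):
            return False                 # R⁻ inconsistent with R⁺
    return True
```

Because `evaluate` only ever draws β from the unused range points, the completed table is uniform over the permutations that extend the programmed pairs, which is the property the paragraph above relies on. 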

Our definition of keyed hash functions subsumes both message authentication 
codes and universal hash functions. 

Definition 2 (Keyed hash function). A keyed hash function for a message 
space ℳ consists of a key space 𝒦, a tag space 𝒯, and an efficient function khf 
of the form 𝒦 × ℳ → khf → 𝒯. 

We proceed with specifying the syntax and functionality of DEMs. As a 
corresponding notion of authenticity we define integrity of ciphertexts [4]. In a 
nutshell, a DEM offers this feature if no adversary with access to an encapsu- 
lation oracle can find a fresh ciphertext that corresponds to a valid message, 
i.e., is not rejected by the decapsulation algorithm. Relevant in our work is in 
particular the corresponding one-time notion where the adversary can pose at 
most one encapsulation query. 
Definition 3 (DEM). A data encapsulation mechanism (DEM) for a message 
space ℳ consists of a finite key space 𝒦, a ciphertext space 𝒞, and a pair of 
efficient algorithms DEM = (D.Enc, D.Dec) of the form 

  𝒦 × ℳ → D.Enc → 𝒞,    𝒦 × 𝒞 → D.Dec → ℳ ∪ {⊥}, 

where symbol '⊥' may be used to indicate errors. Correctness requires that for 
all k ∈ 𝒦 and m ∈ ℳ, if D.Enc(k, m) = c then D.Dec(k, c) = m. 

Definition 4 (INT-CTXT secure DEM). A data encapsulation mechanism 
is (τ, q_d, ε)-OT-INT-CTXT secure if all τ-time adversaries 𝒜 that interact in the 
OT-INT-CTXT experiment from Fig. 1 and issue at most q_d queries to the D.Dec 
oracle have an advantage of at most ε, where we define 

  Adv^{OT-INT-CTXT}(𝒜) := Pr[OT-INT-CTXT ⇒ 1]. 

This definition can be generalised to (τ, q_e, q_d, ε)-INT-CTXT security by removing 
line 04 from the experiment and bounding the number of queries to the D.Enc 
oracle by q_e. 


Game OT-INT-CTXT 
00 C ← ∅ 
01 k ←u 𝒦 
02 𝒜^{D.Enc, D.Dec} 
03 Stop with 0 

Oracle D.Enc(m) 
04 If |C| > 0: Abort 
05 c ← D.Enc(k, m) 
06 C ← C ∪ {c} 
07 Return c 

Oracle D.Dec(c) 
08 If c ∈ C: Abort 
09 m ← D.Dec(k, c) 
10 If m ≠ ⊥: 
11   Stop with 1 
12 Return ⊥ 

Fig. 1. Security game for defining OT-INT-CTXT security of DEMs. We write 'Abort' 
as an abbreviation for 'Stop with 0'. Observe that line 04 ensures that the D.Enc 
oracle is queried at most once. 


In most applications a DEM is combined with a KEM to obtain (hybrid) 
PKE [10]. We recall the concepts of KEMs and PKE below, and include an 
indistinguishability definition for KEMs. 

Definition 5 (KEM). A key encapsulation mechanism (KEM) for a finite key 
space 𝒦 consists of a public-key space 𝒫𝒦, a secret-key space 𝒮𝒦, a ciphertext 
space 𝒞, and a triple of efficient algorithms KEM = (K.Gen, K.Enc, K.Dec) of the 
form 

  K.Gen →$ 𝒫𝒦 × 𝒮𝒦,    𝒫𝒦 → K.Enc →$ 𝒦 × 𝒞,    𝒮𝒦 × 𝒞 → K.Dec → 𝒦 ∪ {⊥}, 

where symbol '⊥' may be used to indicate errors. The randomness space of K.Enc 
is typically denoted with ℛ. Correctness requires that for all (pk, sk) ∈ [K.Gen], 
if (k, c) ∈ [K.Enc(pk)] then K.Dec(sk, c) = k. 
Definition 6 (IND-CCA secure KEM). A KEM is (τ, q_d, ε)-IND-CCA 
secure if all τ-time adversaries 𝒜 = (𝒜_1, 𝒜_2) that interact in the IND-CCA^b 
experiments from Fig. 2 and issue at most q_d queries to the K.Dec oracle have 
an advantage of at most ε, where we define 

  Adv^{IND-CCA}(𝒜) := |Pr[IND-CCA^0 ⇒ 1] − Pr[IND-CCA^1 ⇒ 1]|. 

Game IND-CCA^b 
00 C ← ∅ 
01 (pk, sk) ←$ K.Gen 
02 st ←$ 𝒜_1^{K.Dec}(pk) 
03 (k*_0, c*) ←$ K.Enc(pk) 
04 k*_1 ←u 𝒦 
05 C ← C ∪ {c*} 
06 b' ←$ 𝒜_2^{K.Dec}(st, c*, k*_b) 
07 Stop with b' 

Oracle K.Dec(c) 
08 If c ∈ C: Abort 
09 k ← K.Dec(sk, c) 
10 Return k 

Fig. 2. Security games for defining IND-CCA security of KEMs. We write 'Abort' as 
an abbreviation for 'Stop with 0'. 


Definition 7 (PKE). A scheme for public-key encryption (PKE) for a message 
space ℳ consists of a public-key space 𝒫𝒦, a secret-key space 𝒮𝒦, a ciphertext 
space 𝒞, and a triple of efficient algorithms PKE = (P.Gen, P.Enc, P.Dec) of 
the form 

  P.Gen →$ 𝒫𝒦 × 𝒮𝒦,    𝒫𝒦 × ℳ → P.Enc →$ 𝒞,    𝒮𝒦 × 𝒞 → P.Dec → ℳ ∪ {⊥}, 

where symbol '⊥' may be used to indicate errors. The randomness space of P.Enc 
is typically denoted with ℛ. Correctness requires that for all (pk, sk) ∈ [P.Gen] 
and m ∈ ℳ, if c ∈ [P.Enc(pk, m)] then P.Dec(sk, c) = m. 

Construction 1 (Hybrid encryption). Take a DEM for a message space ℳ 
and a KEM for the key space of the DEM. Then the algorithms in Fig. 3 form 
the hybrid PKE scheme. The randomness space of P.Enc coincides with the 
randomness space of K.Enc. 
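The following added example (ours, not the paper's code) instantiates Definitions 3 to 5 and Construction 1 with toy components and then plays the OT-INT-CTXT game of Fig. 1 against the DEM, so that the role of the integrity notion in the hybrid scheme can be observed directly. Assumptions: the KEM is a hashed-ElGamal-style KEM over a small constructed Diffie-Hellman group (the modulus P and generator G are toy values, far too small for real use); the DEM is encrypt-then-MAC with an HMAC-derived CTR-style keystream standing in for a blockcipher mode; the function names (kem_gen, dem_enc, p_enc, ot_int_ctxt_game, ...) are ours. BOTTOM plays the role of ⊥. 

```python
"""Toy KEM/DEM hybrid PKE (Fig. 3) and the OT-INT-CTXT game (Fig. 1).
Added illustration, not the paper's code; parameters are constructed toy values."""
import hashlib
import hmac
import secrets

BOTTOM = None                # stands for the error symbol ⊥
P = 2**127 - 1               # constructed toy modulus (a Mersenne prime), not for real use
G = 3                        # constructed generator


def kem_gen():
    """K.Gen: hashed-ElGamal-style toy KEM key pair (pk, sk)."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _kdf(c1, shared):
    return hashlib.sha256(c1.to_bytes(16, "big") + shared.to_bytes(16, "big")).digest()


def kem_enc(pk):
    """K.Enc: returns (k, c1) with k a 32-byte DEM key."""
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    return _kdf(c1, pow(pk, r, P)), c1


def kem_dec(sk, c1):
    """K.Dec: ⊥ on a malformed group element, otherwise the same k as K.Enc."""
    if not isinstance(c1, int) or not 1 < c1 < P - 1:
        return BOTTOM
    return _kdf(c1, pow(c1, sk, P))


def _keystream(k_enc, length):
    """CTR-style keystream PRF(k_enc, counter), standing in for a blockcipher mode."""
    blocks = [hmac.new(k_enc, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def dem_enc(k, m, authenticate=True):
    """D.Enc: encrypt-then-MAC; with authenticate=False it degrades to plain CTR."""
    body = bytes(a ^ b for a, b in zip(m, _keystream(k[:16], len(m))))
    tag = hmac.new(k[16:], body, hashlib.sha256).digest() if authenticate else b""
    return body + tag


def dem_dec(k, c, authenticate=True):
    """D.Dec: returns ⊥ (BOTTOM) when the tag does not verify."""
    body = c
    if authenticate:
        if len(c) < 32:
            return BOTTOM
        body, tag = c[:-32], c[-32:]
        if not hmac.compare_digest(tag, hmac.new(k[16:], body, hashlib.sha256).digest()):
            return BOTTOM
    return bytes(a ^ b for a, b in zip(body, _keystream(k[:16], len(body))))


# Construction 1 / Fig. 3: hybrid PKE from the KEM and the DEM
def p_gen():
    return kem_gen()


def p_enc(pk, m):
    k, c1 = kem_enc(pk)
    return c1, dem_enc(k, m)


def p_dec(sk, ct):
    c1, c2 = ct
    k = kem_dec(sk, c1)
    return BOTTOM if k is BOTTOM else dem_dec(k, c2)


def ot_int_ctxt_game(adversary, authenticate):
    """Fig. 1: one D.Enc query allowed, D.Dec refuses the challenge ciphertext, and
    the game outputs 1 iff a fresh ciphertext decrypts to something other than ⊥."""
    k = secrets.token_bytes(32)                     # line 01: k ←u K
    challenge = []                                  # line 00: C ← ∅

    def enc_oracle(m):
        if challenge:                               # line 04: Abort on a second query
            raise RuntimeError("Abort")
        challenge.append(dem_enc(k, m, authenticate))
        return challenge[-1]

    def dec_oracle(c):
        if c in challenge:                          # line 08: Abort
            raise RuntimeError("Abort")
        return dem_dec(k, c, authenticate)

    return adversary(enc_oracle, dec_oracle)


def bit_flip_adversary(enc_oracle, dec_oracle):
    """Textbook malleability check: flip one bit of the single encapsulation and
    report 1 ('Stop with 1') if D.Dec still accepts the modified ciphertext."""
    c = enc_oracle(b"attack at dawn")
    forged = bytes([c[0] ^ 0x01]) + c[1:]
    return 0 if dec_oracle(forged) is BOTTOM else 1


def demo():
    """(round trip ok, game result without MAC, game result with MAC) == (True, 1, 0)."""
    pk, sk = p_gen()
    m = b"hybrid encryption round trip"
    return (p_dec(sk, p_enc(pk, m)) == m,
            ot_int_ctxt_game(bit_flip_adversary, authenticate=False),
            ot_int_ctxt_game(bit_flip_adversary, authenticate=True))
```

The unauthenticated variant makes the one-time INT-CTXT game output 1 on the very first forgery attempt, whereas the encrypt-then-MAC DEM returns ⊥; this is the property that the later sections require of the DEM alongside the combinatorial ones. 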

We now present the main security definition of this paper: confidentiality
under selective opening attacks. Our model is based on the works of [6,18]; a
discussion of its details follows below.

Definition 8 (SIM-SO-CCA secure PKE). Consider the experiments from
Fig. 4. For a function $\varepsilon\colon \mathbb{N} \to \mathbb{R}^{\ge 0}$ we say that a PKE scheme is $(\tau, \tau', q_d, \varepsilon)$-
SIM-SO-CCA secure if for all $\tau$-time adversaries $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ that interact in
the r-SO-CCA experiment and issue at most $q_d$ decryption queries there exists a
Proc P.Gen(r)
00 (pk, sk) ← K.Gen(r)
01 Return (pk, sk)

Proc P.Enc(pk, m, r)
02 (k, c_1) ← K.Enc(pk, r)
03 c_2 ← D.Enc(k, m)
04 Return (c_1, c_2)

Proc P.Dec(sk, (c_1, c_2))
05 k ← K.Dec(sk, c_1)
06 If k = ⊥: Return ⊥
07 m ← D.Dec(k, c_2)
08 Return m


Fig. 3. Hybrid construction of PKE from a KEM and a DEM. We write (c_1, c_2) for the
encoding of two ciphertext components into one. For clarity we make the randomness
used by P.Gen and P.Enc explicit.


Game r-SO-CCA^A_n
00 X ← ∅; C ← ∅
01 (pk, sk) ←$ P.Gen
02 (D, st) ←$ A_1^{P.Dec}(pk, n)
03 (m_1, ..., m_n) ←$ D
04 For i ← 1 to n:
05   r_i ←_u R
06   c_i ← P.Enc(pk, m_i, r_i)
07   C ← C ∪ {c_i}
08 out ←$ A_2^{Open, P.Dec}(st, c_1, ..., c_n)
09 Stop w/ Pred(D, m_1, ..., m_n, X, out)

Oracle Open(i)
10 X ← X ∪ {i}
11 Return (m_i, r_i)

Oracle P.Dec(c)
12 If c ∈ C: Abort
13 m ← P.Dec(sk, c)
14 Return m

Game i-SO-CCA^S_n
15 X ← ∅
16 (D, st) ←$ S_1(n)
17 (m_1, ..., m_n) ←$ D
18 out ←$ S_2^{Open}(st, |m_1|, ..., |m_n|)
19 Stop w/ Pred(D, m_1, ..., m_n, X, out)

Oracle Open(i)
20 X ← X ∪ {i}
21 Return m_i


Fig. 4. Security experiments for defining SIM-SO-CCA security of PKE. With D we
denote a randomised circuit that induces a distribution over M^n. The randomness
space of P.Enc is denoted with R. Oracle Open may be called for all i ∈ [n]. We write
‘Abort’ as an abbreviation for ‘Stop with 0’. We show the lines of i-SO-CCA aligned to
the ones of r-SO-CCA for easier comparison.


(roughly) $\tau$-time simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ that interacts in the i-SO-CCA experiment
such that for all $\tau'$-time predicates $\{0,1\}^* \to \mathrm{Pred} \to \{0,1\}$ and all $n \in \mathbb{N}$
the advantage $\mathrm{Adv}^{\mathrm{SIM\text{-}SO\text{-}CCA}}_{\mathcal{A},\mathcal{S},\mathrm{Pred}}(n)$ is at most $\varepsilon(n)$, where we define

$\mathrm{Adv}^{\mathrm{SIM\text{-}SO\text{-}CCA}}_{\mathcal{A},\mathcal{S},\mathrm{Pred}}(n) := \left|\Pr[\text{r-SO-CCA}^{\mathcal{A}}_n \Rightarrow 1] - \Pr[\text{i-SO-CCA}^{\mathcal{S}}_n \Rightarrow 1]\right|.$

We give rationale on this formalisation of SO security. The notion compares
the information an adversary can deduce about a set of challenge messages in
two settings: a real setting (game r-SO-CCA) and an idealised setting (game
i-SO-CCA). The real experiment starts with the generation of a key pair. The
adversary receives the public key and specifies a message distribution, represented
by a randomised circuit $\mathcal{D}$. Messages are sampled according to this distribution
and encrypted using fresh randomnesses $r_1, \ldots, r_n$, and the ciphertexts are given
to the adversary which derives some information out about the hidden messages.
The adversary is supported by two oracles: one that decrypts arbitrary ciphertexts
and one that opens honest ciphertexts by revealing the corresponding message
and the randomness used to encrypt it (this is meant to model sender corruption).

The ideal experiment is similar but with all the artifacts of public key encryp- 
tion removed: there is no key generation, no ciphertext generation, and no 
decryption oracle. Beyond that, the adversary (in this context called ‘simula- 
tor’) performs as above: it specifies a message distribution, adaptively requests 
openings, and derives some information out about unopened messages. 

Clearly, in the ideal setting the confidentiality of unopened messages is 
granted (only their lengths leak in line 18, but this is unavoidable for any practi- 
cal PKE scheme and implicitly also happens in line 08). We thus deem a public 
key encryption scheme secure under selective opening attacks if the adversary in 
the real setting cannot draw more conclusions about unopened messages than 
can be drawn in the ideal setting. Formally, it is required that for every A for 
r-SO-CCA there exists a corresponding S for i-SO-CCA that derives the same 
information. This is tested by distinguishing predicate Pred, which also takes 
further environmental information into account, for instance the recorded open- 
ing history X. We proceed with some remarks on the model. 

In prior works that give simulation-based definitions of SO security there does
not seem to be consensus on the order of quantification of $\mathcal{S}$ and Pred. While
most papers (cf. [22,28]) allow for the simulator to depend on the distinguishing
predicate, the work of [6] implicitly defines a stronger notion that requires
the existence of a simulator that is universal. (Interestingly, many papers that
exclusively consider the weaker notion actually do construct universal simulators.)
We adopt the stronger notion and require the simulator to work for any
distinguisher.

In the upcoming sections we construct several PKE schemes that are secure
under selective opening attacks. The corresponding proofs will idealise a central
building block of the schemes, concretely a blockcipher. By consequence, ideal-
cipher oracles have to be added to Fig. 4. There are various options how and
where to do this: It is clear that adversary $\mathcal{A}$ should have access to the ideal
cipher, but what about $\mathcal{S}$, what about Pred, and what about $\mathcal{D}$? It seems that
each configuration somehow makes sense and gives rise to an individual variant
of SIM-SO-CCA security.¹ Each such notion might have particular strengths
and weaknesses, so declaring any of them right or wrong is arbitrary. Ultimately,
when proving the SO security of our schemes, we decided to go for a model where,
besides the relevant algorithms of the encryption scheme itself, only adversary $\mathcal{A}$
gets access to the ideal cipher.

Notions of SO security under active attacks. As mentioned in the introduction,
three notions for SO security under active attacks exist: {weak-IND, full-IND,

1 A similar situation emerges with NIZK proofs in the random oracle model: In the 
corresponding ZK definition, shall the distinguisher have access to the random oracle 
or not? See [31] for a formal treatment and a comparison of the many possible 
notions. 
SIM}-SO-CCA. None of them has emerged as a de-facto standard notion yet.
Clearly, weak-IND-SO-CCA suffers from the unnatural restriction to efficiently
conditionally resamplable message distributions, and its security implications for
practical applications are unclear. While full-IND-SO-CCA would provide security
for arbitrary underlying message distributions, as of today not even a full-
IND-SO-CPA secure scheme is known.

We note that SIM-SO-CCA does not suffer from any of the above disad- 
vantages (there is no resampling involved) and seems to offer a strong security 
guarantee. 

Only a few results relating the SO-CCA notions are known; [26] shows that
IND-CCA is strictly weaker than weak-IND-CCA in general.

3 Simulatable DEMs and Our Main Result 

In this section we present our main result on hybrid public key encryption. We
define a combinatorial property of a DEM called simulatability and show that
any KEM and any DEM satisfying standard security notions, provided the DEM
is in addition simulatable, yield when composed a SIM-SO-CCA secure PKE, in
the ideal cipher model [9,17,27].

3.1 Simulatable DEMs 

Many practical DEMs are constructed from blockciphers, possibly in combination
with further symmetric building blocks like universal hash functions or
MACs. We formalise next what it means for a DEM to make use of a blockcipher
in a black-box way. Virtually all blockcipher-based DEMs, and in particular
those specified by the major standardisation bodies, are of this type. In our
definition, $\mathcal{K}$ denotes the key space of the blockcipher and $\mathcal{K}'$ denotes the cartesian
product of the key spaces of the remaining cryptographic primitives used by the
scheme. For instance, in an encrypt-then-MAC construction, $\mathcal{K}'$ would be the
key space of the message authentication code; if the construction requires no
further keyed primitive, $\mathcal{K}'$ would be the trivial set containing a single element.

Recall from Definition 1 that $\mathcal{P}(\mathcal{D})$ and $\mathcal{PP}(\mathcal{D})$ denote the sets of all permutations
and partial permutations, respectively, on domain $\mathcal{D}$.

Definition 9 (Oracle DEM). An oracle DEM (oDEM) for a domain $\mathcal{D}$ and a
message space $\mathcal{M}$ consists of a finite key space $\mathcal{K}'$, a ciphertext space $\mathcal{C}$, and
efficient algorithms O.Enc and O.Dec that have oracle access to a permutation
on $\mathcal{D}$ (in both directions) and are of the form

$\mathcal{K}' \times \mathcal{M} \to \mathrm{O.Enc}^\pi \to \mathcal{C}, \quad \mathcal{K}' \times \mathcal{C} \to \mathrm{O.Dec}^\pi \to \mathcal{M} \cup \{\bot\},$

where symbol ‘$\bot$’ may be used to indicate errors. Correctness requires that for all
$\pi \in \mathcal{P}(\mathcal{D})$, $k' \in \mathcal{K}'$, and $m \in \mathcal{M}$, if $\mathrm{O.Enc}^\pi(k', m) = c$ then $\mathrm{O.Dec}^\pi(k', c) = m$.
Definition 10 (Permutation-driven DEM). A DEM for message space $\mathcal{M}$
with key space $\mathcal{K}'' = \mathcal{K} \times \mathcal{K}'$ is $(\mathcal{K}, \mathcal{D})$-permutation-driven if there exists an oracle
DEM for $\mathcal{D}$ and $\mathcal{M}$ with algorithms $\mathcal{K}' \times \mathcal{M} \to \mathrm{O.Enc}^\pi \to \mathcal{C}$ and $\mathcal{K}' \times \mathcal{C} \to
\mathrm{O.Dec}^\pi \to \mathcal{M} \cup \{\bot\}$ and a blockcipher $(E_k)_{k \in \mathcal{K}}$ on domain $\mathcal{D}$ such that for all
$k \in \mathcal{K}$, $k' \in \mathcal{K}'$, $m \in \mathcal{M}$ and $c \in \mathcal{C}$ we have

$\mathrm{D.Enc}((k, k'), m) = \mathrm{O.Enc}^{E_k}(k', m) \quad\text{and}\quad \mathrm{D.Dec}((k, k'), c) = \mathrm{O.Dec}^{E_k}(k', c). \qquad (1)$

According to this definition, for any specific permutation-driven DEM multiple
corresponding oracle DEMs, i.e., O.Enc and O.Dec algorithms, and blockciphers
E might exist. In practice, however, a single canonical specification of these
algorithms will stand out. This holds, as we will see, in particular for the
standardised DEMs studied in Sect. 4. For the sake of a concise notation, in this
paper we thus assume that suitable O.Enc, O.Dec, and E algorithms are always
uniquely given.

We next define a combinatorial property called simulatability that holds for
an oracle DEM if, in principle, the encapsulation algorithm could commit to
a ciphertext before seeing the corresponding message; intuitively, this is only
possible if the permutation in the oracle is ‘flexible enough’, i.e., can be
‘programmed’. We formalise this idea by splitting the encapsulation routine into two
components, Fake and Make. First Fake outputs a ciphertext c without seeing
the message m (but it does see the length of m), then Make, on input m, is
meant to find a possible (partial) permutation instance $\tilde\pi$ under which indeed m
would be encapsulated to c. To be useful in our later selective opening related
proofs where we want to embed $\tilde\pi$ into an ideal cipher, $\tilde\pi$ is further required to
be uniformly distributed (conditioned on the formulated requirements).

Definition 11 (Simulatable oracle DEM). Consider an oracle DEM for a
domain $\mathcal{D}$ and a message space $\mathcal{M}$ that has an encapsulation algorithm of the
form $\mathcal{K}' \times \mathcal{M} \to \mathrm{O.Enc}^\pi \to \mathcal{C}$. Consider algorithms Fake and Make of the form

$\mathcal{K}' \times \mathbb{N} \to \mathrm{Fake} \to \mathcal{C} \times \Sigma \quad\text{and}\quad \Sigma \times \mathcal{M} \to \mathrm{Make} \to \mathcal{PP}(\mathcal{D}),$

where $\Sigma$ is a state space shared between the two algorithms. We say that the
oracle DEM is $\varepsilon$-simulatable (by Fake and Make) if for all $k' \in \mathcal{K}'$ and $m \in \mathcal{M}$,
for the random variable (defined over the coins of Fake and Make)

$\Pi^{k',m} = \{\tilde\pi : (c, st) \leftarrow_\$ \mathrm{Fake}(k', |m|);\ \tilde\pi \leftarrow_\$ \mathrm{Make}(st, m)\}$

we have

(1) partial permutation $\Pi^{k',m}$ can be extended to a uniformly distributed permutation
on $\mathcal{D}$, i.e., by ‘filling up’ $\Pi^{k',m}$ with random pairs one obtains a permutation
uniformly distributed in $\mathcal{P}(\mathcal{D})$;

(2) the ciphertext output by Fake deviates from the one that would be output
by O.Enc if invoked with an extension of the partial permutation output
by Make with probability at most $\varepsilon$. More precisely, for any uniformly distributed
extension $\pi \in \mathcal{P}(\mathcal{D})$ of $\Pi^{k',m}$ we have $\Pr[c \neq \mathrm{O.Enc}^\pi(k', m)] \le \varepsilon$ (where
the probability is also taken over the random extension of $\Pi^{k',m}$ to $\pi$);

(3) the joint running time of $\mathrm{Fake}(k', |m|)$ and $\mathrm{Make}(st, m)$ does not exceed the
running time of $\mathrm{O.Enc}(k', m)$, not counting the latter’s oracle queries.

In informal discussions, when we say that a data encapsulation mechanism is
simulatable, we mean that it is permutation-driven and Fake, Make algorithms
exist for which it is $\varepsilon$-simulatable with a negligibly small value $\varepsilon$.

Concerning the above definition it is important to understand that the ran- 
dom coins of Fake and Make, and the coins used to extend the partial permutation 
in items (1) and (2), belong to the same probability space. We give an equivalent 
yet more verbose definition that makes this aspect more explicit in the Appendix 
of the full version [23] . 

In line with a comment made above, for all practical DEMs that are simu- 
latable, corresponding specifications for the Fake and Make algorithms emerge 
canonically. For the sake of notational clarity, from now on we thus assume 
uniqueness. 

Proving Simulatability. We discuss a general technique for proving the simulatability
of an oracle DEM. The Fake and Make algorithms are typically explicitly
provided in the proof. Fake’s strategy is to mimic the behaviour of O.Enc by executing
it and answering blockcipher queries with random elements from $\mathcal{D}$. Make
constructs a partial permutation $\tilde\pi$ that fits this random assignment by starting
with the empty relation $\tilde\pi = \emptyset$ and iteratively adding pairs $(\alpha, \beta) \in \mathcal{D} \times \mathcal{D}$ to $\tilde\pi$
that help meeting the $\mathrm{O.Enc}^{\tilde\pi}(k', m) = c$ goal, always taking care that also the
$\alpha\tilde\pi\beta, \alpha'\tilde\pi\beta \Rightarrow \alpha = \alpha'$ and $\alpha\tilde\pi\beta, \alpha\tilde\pi\beta' \Rightarrow \beta = \beta'$ requirements from Definition 1
are not violated (Make aborts if simultaneously reaching these conditions turns
out to be impossible). Simulatability requirement (1) is achieved by ensuring
that for each addition of $(\alpha, \beta)$ to $\tilde\pi$ either $\alpha$ or $\beta$ is uniformly distributed,
conditioned on the prior state of $\tilde\pi$. Proving the bound from condition (2) typically
requires a combinatorial argument that assesses the probability of collisions.
Requirement (3) follows by inspection of the specifications of Fake and Make.


3.2 Selective Opening Security from Simulatable DEMs 

Our main result is on the SO security of public-key encryption obtained by 
combining an arbitrary KEM with a permutation-driven DEM. Our analysis is 
conducted in the ideal cipher model for the blockcipher underlying the DEM. 
We give an informal version of our main theorem and an outline of the proof. 
We caution that some technical preconditions are omitted in the statement as 
we give it here. See Sect. 5 for the full theorem statement and proof. 

Theorem 1 (informal). Combine any KEM and any permutation- driven 
DEM to obtain a PKE scheme. If the KEM is IND-CCA secure, the DEM is 
OT-INT-CTXT secure and the corresponding oracle DEM is simulatable, then 
the combined PKE scheme is SIM-SO-CCA secure, in the ideal cipher model. 
Game r-SO-CCA^A_n
00 For all k ∈ K: E_k ← ∅
01 X ← ∅; C ← ∅
02 (pk, sk) ←$ K.Gen
03 (D, st) ←$ A_1^{P.Dec, E}(pk, n)
04 (m_1, ..., m_n) ←$ D
05 For i ← 1 to n:
06   r_i ←_u R
07   (k''_i, c_{i,1}) ← K.Enc(pk, r_i)
08   (k_i, k'_i) ← k''_i
09   c_{i,2} ← O.Enc^{E(k_i, ·)}(k'_i, m_i)
10   c_i ← (c_{i,1}, c_{i,2})
11   C ← C ∪ {c_i}
12 out ←$ A_2^{Open, P.Dec, E}(st, c_1, ..., c_n)
13 Stop w/ Pred(D, m_1, ..., m_n, X, out)

Oracle Open(i)
14 X ← X ∪ {i}
15 Return (m_i, r_i)

Oracle P.Dec((c_1, c_2))
16 If (c_1, c_2) ∈ C: Abort
17 k'' ← K.Dec(sk, c_1)
18 If k'' = ⊥: Return ⊥
19 (k, k') ← k''
20 m ← O.Dec^{E(k, ·)}(k', c_2)
21 Return m

Oracle E^+(k, α)
22 If α ∉ Dom(E_k):
23   β ←_u D \ Rng(E_k)
24   E_k ← E_k ∪ {(α, β)}
25 Return E_k(α)

Oracle E^−(k, β)
26 If β ∉ Rng(E_k):
27   α ←_u D \ Dom(E_k)
28   E_k ← E_k ∪ {(α, β)}
29 Return E_k^{−1}(β)


Fig. 5. Game r-SO-CCA adapted towards the analysis of a PKE scheme constructed following
the KEM/DEM paradigm using a permutation-driven DEM with corresponding
oracle DEM algorithms O.Enc and O.Dec, in the ideal cipher model. We write ‘Abort’
as an abbreviation for ‘Stop with 0’. We further abbreviate the pair E^+, E^− of ideal
cipher oracles with just E.


We proceed with the proof outline. The goal is to show that for every adversary
$\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ for the r-SO-CCA game there exists a simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$
for the i-SO-CCA game that deduces the same information. In Fig. 5 we reproduce
the r-SO-CCA game from Fig. 4 with the hybrid construction of the encryption
scheme, the oracle DEM underlying the DEM, and the ideal cipher model made
explicit. (In the i-SO-CCA game there is nothing to be adapted.) We correspondingly
equip adversary $\mathcal{A}$ and the DEM algorithms with oracles $E^+$ and $E^-$ that
implement an ideal blockcipher on domain $\mathcal{D}$. In particular, for each key $k$, oracles
$E^+(k; \cdot)$ and $E^-(k; \cdot)$ are inverses of each other. For a concise notation, we
typically just write $E$ for the pair consisting of $E^+$ and $E^-$. We implement ideal
cipher $E$ via lazy sampling and keep track of made assignments using a game
internal family $(E_k)_{k \in \mathcal{K}}$ of partial permutations $E_k \in \mathcal{PP}(\mathcal{D})$. Note that we do
not also provide the KEM algorithms with access to $E$, meaning we assume the
KEM does not use the same blockcipher as the DEM. See Sect. 5 for a discussion.

When it comes to constructing $\mathcal{S}$ from $\mathcal{A}$, the strategy is to let the former run
the latter as a subroutine: Simulator $\mathcal{S}$ converts its own input to an input for $\mathcal{A}$,
uses the output of $\mathcal{A}$ as its own output, and answers, and in some cases relays,
oracle queries posed by $\mathcal{A}$. We give the footprint of a universal such simulator
that leverages on the simulatability of the (permutation-driven) DEM in Fig. 6.
For the sake of clarity, we simplified the specifications of algorithms $\mathcal{S}_1$ and $\mathcal{S}_2$
quite a bit, removing many technicalities. While we briefly discuss the missing
S_1(n)
00 For all k ∈ K: E_k ← ∅
01 C ← ∅
02 (pk, sk) ←$ K.Gen
03 D ←$ A_1^{P.Dec, E}(pk, n)
04 Return D

S_2^{Open_S}(|m_1|, ..., |m_n|)
05 For i ← 1 to n:
06   r_i ←_u R
07   (k''_i, c_{i,1}) ← K.Enc(pk; r_i)
08   (k_i, k'_i) ← k''_i
09   (c_{i,2}, st_i) ←$ Fake(k'_i, |m_i|)
10   c_i ← (c_{i,1}, c_{i,2})
11   C ← C ∪ {c_i}
12 out ←$ A_2^{Open_A, P.Dec, E}(c_1, ..., c_n)
13 Return out

Oracle Open_A(i)
14 m_i ← Open_S(i)
15 π̃ ←$ Make(st_i, m_i)
16 E_{k_i} ← E_{k_i} ∪ π̃
17 Return (m_i, r_i)

Oracle P.Dec((c_1, c_2))
as in Figure 5

Oracle E^+(k, α)
as in Figure 5

Oracle E^−(k, β)
as in Figure 5


Fig. 6. Simplified version of simulator S = (S_1, S_2), constructed from adversary A =
(A_1, A_2). We write Open_S and Open_A for the opening oracles provided to S_2 and A_2,
respectively. For simplicity we do not annotate the state information passed from A_1
to A_2 and from S_1 to S_2.


parts below, for the full details of the simulator and a formal analysis we refer 
to Sect. 5. 

We walk the reader through the design principles of our simulator. What
above we referred to as ‘deduces the same information’ formally requires that
the inputs $\mathcal{D}, m_1, \ldots, m_n, X, out$ of the Pred invocations in the r-SO-CCA and
i-SO-CCA games be similar. This is achieved by letting $\mathcal{S}$ simulate for $\mathcal{A}$ the
environment of r-SO-CCA in a way such that: $\mathcal{S}_1$ forwards the message distribution
$\mathcal{D}$ obtained from $\mathcal{A}_1$ without modification (this also ensures that the
distributions of $m_1, \ldots, m_n$ match), $\mathcal{S}_2$ keeps the index sets $X$ corresponding to
$\mathcal{A}_2$’s and its own Open queries consistent (by forwarding the queries), and $\mathcal{S}_2$
forwards $\mathcal{A}_2$’s output $out$ without modification. The lines in Fig. 6 corresponding
to these steps are 03,04 and 14 and 12,13, respectively.

Running $\mathcal{A}$ as a subroutine leads to useful results only if $\mathcal{A}$ is exposed to an
r-SO-CCA-like environment. Effectively this means that $\mathcal{S}$ has to ‘fill all the blank
lines’ of the i-SO-CCA game in Fig. 4. Concretely this involves (a) generating and
providing a public key for $\mathcal{A}_1$, (b) providing ciphertexts to $\mathcal{A}_2$ that correspond
to the messages, (c) providing adequate randomness when processing opening
queries of $\mathcal{A}_2$, and (d) handling decryption queries of $\mathcal{A}_1$ and $\mathcal{A}_2$. Further,
ideal cipher queries of $\mathcal{A}_1$ and $\mathcal{A}_2$ have to be taken care of. The latter
is straightforward when deploying lazy sampling, i.e., using the mechanisms of
the r-SO-CCA version from Fig. 5. Also (a) and (d) are easy to deal with: The
public key $pk$ provided to $\mathcal{A}_1$ is a regular KEM key generated by $\mathcal{S}_1$ (lines 02,03);
in particular, secret key $sk$ is known to $\mathcal{S}$ and can be used to process decryption
queries. Concerning (b), creating ciphertexts $c_1, \ldots, c_n$ for $\mathcal{A}_2$ consists, in
principle, of two parts: letting the KEM establish session keys and encapsulating
messages with the DEM. Component $\mathcal{S}_2$ of our simulator does the former according
to the specification, i.e., by invoking algorithm K.Enc with fresh randomness
(lines 06,07), while for the latter, as it cannot invoke D.Enc (or, more precisely,
O.Enc) for not knowing the messages it needs to encapsulate, it leverages on the
simulatability of the DEM and obtains the corresponding ciphertext from an execution
of the Fake algorithm (line 09). How $\mathcal{S}_2$ deals with (c) is now immediate:
for each created ciphertext it knows the randomness used, so it can release it in
an opening query (line 17). Note, however, that knowledge of this randomness
brings $\mathcal{A}_2$ into the position to verify the DEM ciphertext components generated
by Fake (e.g., by decapsulating or re-encapsulating them); correspondingly, the
Open oracle in addition runs the Make algorithm and embeds the partial permutation
proposed by it into ideal cipher $E$ (lines 15,16). By the definition of
simulatability of a DEM, this fixes the ideal cipher such that overall consistency
is established.

As announced earlier, in Fig. 6 we leave out some details of our simulator.
These are related to situations in which $\mathcal{S}$ cannot uphold a proper environment
for $\mathcal{A}$ and has to abort its execution. This is the case when Fake and Make fail
to properly simulate O.Enc (the definition of simulatability considers a small
probability of failure), or if the partial permutation output by Make cannot
be embedded into the ideal cipher (line 16). The latter condition can result
from various actions of adversary $\mathcal{A}$, for instance (explicitly) from queries to
the $E$ oracles, or (implicitly) from evaluations of $E$ during the processing of a
decryption query. In the full proof given in Sect. 5 we show that if the KEM is
IND-CCA secure and the DEM is OT-INT-CTXT secure, then the probability
is small that any of these conditions is met. (Very briefly speaking, we use the
KEM notion for bounding the probability of explicit queries, and we use the
DEM notion for bounding the probability of implicit ones.)

4 Simulatability of Practical DEMs 

We prove that three blockcipher-based DEMs that were standardised by
NIST are permutation-driven and simulatable. Concretely we analyse the
CTR and CBC modes of operation (SP 800-38A [13]), a CBC variant with
ciphertext stealing (CTS) (Addendum to SP 800-38A [16]) and the CCM mode
(SP 800-38C [14]). The fourth NIST standardised mode of operation, the GCM
mode (SP 800-38D [15]), is covered in the full version of this paper [23]. More
precisely, as for our results on selective opening security only those DEMs are
relevant that offer ciphertext integrity (cf. Definition 4), instead of plain CTR,
CBC, and CBC/CTS encryption we actually analyse their encrypt-then-MAC
variants, where we assume arbitrary strongly unforgeable MACs. Further, as
CCM is an authenticated encryption scheme with associated data (AEAD [30]),
we turn it into a DEM by using it with a fixed nonce $N_0$ and an empty associated
data string $A_0$. As the three named modes follow different design principles,
some of which might be incompatible with simulatability, analysing all of them
is more than just a matter of diligence. While CTR mode encrypts by XORing
blockcipher outputs into the message, CBC mode encrypts by pushing message
blocks through the cipher, and CCM combines both approaches in a MAC-then-
encrypt design.

In the following we specify the mentioned DEMs in their oracle DEM form,
assuming that the underlying blockcipher $(E_k)_{k \in \mathcal{K}}$ is over domain $\mathcal{D} = \{0,1\}^\ell$.
We show their simulatability by proposing and analysing corresponding Fake and
Make algorithms, following the general strategy suggested at the end of Sect. 3.1.


4.1 CTR-then-MAC 

We analyse the DEM obtained by first encrypting the provided message with
the CTR0 mode of operation of a blockcipher (counter mode with fixed initial
counter value) and then appending a deterministic MAC tag to the ciphertext.

We specify the O.Enc and O.Dec algorithms of CTR0-DEM in Fig. 7, where
we assume that $G\colon [1 .. N] \to \mathcal{D}$ denotes a fixed injective function (a ‘counter
generator’) for some sufficiently large value $N$. The MAC is represented by a keyed
hash function $\mathcal{K}' \times \{0,1\}^* \to \mathrm{khf} \to \{0,1\}^T$. The message space of CTR0-DEM
is $\mathcal{M} = \{0,1\}^*$ and the ciphertext space is $\mathcal{C} = \{0,1\}^{\ge T}$.


O.Enc^π(k', m)
00 Write |m| as (l − 1)ℓ + l*
01 Split m into m_1 ... m_{l−1} m*_l
02 m_l ← m*_l ‖ 0^{ℓ−l*}
03 For i ← 1 to l:
04   u_i ← G(i)
05   v_i ← π(u_i)
06   c_i ← m_i ⊕ v_i
07 c*_l ← msb_{l*}(c_l)
08 c ← c_1 ... c_{l−1} c*_l
09 t ← khf(k', c)
10 c ← c t
11 Return c

O.Dec^π(k', c)
12 If |c| < T: Return ⊥
13 Split c into c t
14 If t ≠ khf(k', c):
15   Return ⊥
16 Write |c| as (l − 1)ℓ + l*
17 Split c into c_1 ... c_{l−1} c*_l
18 c_l ← c*_l ‖ 0^{ℓ−l*}
19 For i ← 1 to l:
20   u_i ← G(i)
21   v_i ← π(u_i)
22   m_i ← c_i ⊕ v_i
23 m*_l ← msb_{l*}(m_l)
24 m ← m_1 ... m_{l−1} m*_l
25 Return m


Fig. 7. CTR0-DEM. Lines 00 and 16 uniquely identify quantities l and l* such that
l ∈ N^{≥1} and 0 < l* ≤ ℓ, and |m| = (l − 1)ℓ + l* and |c| = (l − 1)ℓ + l*, respectively.
Correspondingly, line 01 assumes |m_1| = ... = |m_{l−1}| = ℓ and |m*_l| = l*, and line 17
assumes |c_1| = ... = |c_{l−1}| = ℓ and |c*_l| = l*. Further, line 13 assumes |t| = T.


Lemma 1. CTR0-DEM is $\varepsilon$-simulatable with $\varepsilon = (\lceil L/\ell \rceil^2 - \lceil L/\ell \rceil)/2^{\ell+1}$, where
$L$ is the maximum message length (in bits).

Proof. Consider algorithms Fake and Make from Fig. 8. The idea of Fake is to
compute intermediate ciphertext $c$ on basis of uniformly distributed blockcipher
outputs (see how line 01 of Fake replaces $l$-many iterations of line 06 of O.Enc),
but to compute the MAC tag on $c$ faithfully. Note that the correct length of $c$
is known to Fake as it coincides with the length of $m$. Inspection shows that,
given $m$, algorithm Make finds a minimal partial permutation $\tilde\pi$ such that Fake
and Make jointly mimic the behaviour of O.Enc (see here how lines 15-18 of Make
arrange the entries of $\tilde\pi$ such that they are consistent with lines 05-06 of O.Enc).
In some invocations of the algorithms, the described process might fail (lines
16, 17), namely when partial permutation $\tilde\pi$ would become inconsistent (i.e.,
the updated $\tilde\pi$ would stop being an element of $\mathcal{PP}$). In such cases Make aborts,
outputting the empty partial permutation $\tilde\pi = \emptyset$.

We next show that the conditions from Definition 11 are met. Observe that,
as Fake picks values $c_1, \ldots, c_l$ uniformly and independently of each other, the
same holds for the values $v_1, \ldots, v_l$ computed in line 15. That is, in each iteration
of line 18 a value $v_i$ is added to $\mathrm{Rng}(\tilde\pi)$ that is uniform conditioned on the then
current state of $\mathrm{Rng}(\tilde\pi)$. Thus condition (1) holds. To establish the correctness
bound of condition (2) we analyse the probability that Make aborts. By the
injectivity of function $G$ the $u_i$-values from line 14 are pairwise distinct, so the
abort condition of line 16 is never met. Further, as values $v_i$ computed in line
15 are uniformly distributed and independent of each other, the abort condition
of line 17 is met with probability $\varepsilon = (0 + \ldots + (l-1))/|\mathcal{D}| = ((l^2 - l)/2)/|\mathcal{D}|$
(accumulated over all iterations of the loop). Plugging in the maximum value
$l = \lceil L/\ell \rceil$ gives the bound claimed in the statement. Condition (3) is clear. □


Fake(k', |m|)
00 Write |m| as (l − 1)ℓ + l*
01 c_1, ..., c_l ←_u D
02 c*_l ← msb_{l*}(c_l)
03 c ← c_1 ... c_{l−1} c*_l
04 t ← khf(k', c)
05 c ← c t
06 st ← (c_1, ..., c_l)
07 Return c, st

Make(st, m)
08 π̃ ← ∅
09 Write |m| as (l − 1)ℓ + l*
10 Parse st as (c_1, ..., c_l)
11 Split m into m_1 ... m_{l−1} m*_l
12 m_l ← m*_l ‖ 0^{ℓ−l*}
13 For i ← 1 to l:
14   u_i ← G(i)
15   v_i ← m_i ⊕ c_i
16   If u_i ∈ Dom(π̃): Abort
17   If v_i ∈ Rng(π̃): Abort
18   π̃ ← π̃ ∪ {(u_i, v_i)}
19 Return π̃


Fig. 8. Fake and Make for CTR0-DEM. We write ‘Abort’ as an abbreviation for
‘Return ∅’.


4.2 CBC-then-MAC 

We consider the DEM obtained by encrypting the message with CBC0 mode 
(cipher block chaining with initialisation vector zero) and appending a MAC 
tag to the ciphertext. As a variant we also look at CBC0-CTS (CBC0 with 
‘ciphertext stealing’) that supports a complementary message space. 
O.Enc^π(k', m)
00 Write |m| as lℓ
01 Split m into m_1 ... m_l
02 c_0 ← 0^ℓ
03 For i ← 1 to l:
04   u_i ← m_i ⊕ c_{i−1}
05   c_i ← π(u_i)
06 c ← c_1 ... c_l
07 t ← khf(k', c)
08 c ← c t
09 Return c

O.Dec^π(k', c)
10 If |c| < T: Return ⊥
11 Split c into c t
12 If t ≠ khf(k', c):
13   Return ⊥
14 Write |c| as lℓ
15 Split c into c_1 ... c_l
16 c_0 ← 0^ℓ
17 For i ← 1 to l:
18   u_i ← π^{−1}(c_i)
19   m_i ← u_i ⊕ c_{i−1}
20 m ← m_1 ... m_l
21 Return m


Fig. 9. CBC-DEM (for multi-block messages). Lines 00 and 14 identify quantity l ∈
N^{≥0} such that |m| = lℓ and |c| = lℓ, respectively. Correspondingly, line 01 assumes
|m_1| = ... = |m_l| = ℓ and line 15 assumes |c_1| = ... = |c_l| = ℓ. Further, line 11
assumes |t| = T.


O.Enc^π(k', m)
00 Write |m| as lℓ + l*
01 Split m into m_1 ... m_l m*_{l+1}
02 m_{l+1} ← m*_{l+1} ‖ 0^{ℓ−l*}
03 c_0 ← 0^ℓ
04 For i ← 1 to l + 1:
05   u_i ← m_i ⊕ c_{i−1}
06   c_i ← π(u_i)
07 c*_l ← msb_{l*}(c_l)
08 c ← c_1 ... c_{l−1} c*_l c_{l+1}
09 t ← khf(k', c)
10 c ← c t
11 Return c

O.Dec^π(k', c)
12 If |c| < T: Return ⊥
13 Split c into c t
14 If t ≠ khf(k', c):
15   Return ⊥
16 Write |c| as lℓ + l*
17 Split c into c_1 ... c_{l−1} c*_l c_{l+1}
18 u_{l+1} ← π^{−1}(c_{l+1})
19 m*_{l+1} ← msb_{l*}(u_{l+1}) ⊕ c*_l
20 c_l ← c*_l ‖ lsb_{ℓ−l*}(u_{l+1})
21 c_0 ← 0^ℓ
22 For i ← 1 to l:
23   u_i ← π^{−1}(c_i)
24   m_i ← u_i ⊕ c_{i−1}
25 m ← m_1 ... m_l m*_{l+1}
26 Return m


Fig. 10. CBC-CTS-DEM (for messages that require padding). Lines 00 and 16 uniquely
identify quantities l and l* such that l ∈ N^{≥1} and 1 ≤ l* < ℓ, and |m| = lℓ + l* and
|c| = lℓ + l*, respectively. Correspondingly, line 01 assumes |m_1| = ... = |m_l| = ℓ and
|m*_{l+1}| = l*, and line 17 assumes |c_1| = ... = |c_{l−1}| = ℓ and |c*_l| = l* and |c_{l+1}| = ℓ.
Further, line 13 assumes |t| = T.


We specify the O.Enc and O.Dec algorithms of CBC-DEM in Fig. 9 and of
CBC-CTS-DEM in Fig. 10. Similarly as for CTR0-DEM, the MAC is represented
by a keyed hash function of the form $\mathcal{K}' \times \{0,1\}^* \to \mathrm{khf} \to \{0,1\}^T$. The message
space of CBC-DEM consists of all messages that have a length that is a
multiple of the blocklength $\ell$, i.e., $\mathcal{M} = \bigcup_{\lambda \ge \ell,\ \ell \mid \lambda} \{0,1\}^\lambda$; the ciphertext space
is $\mathcal{C} = \bigcup_{\lambda \ge \ell,\ \ell \mid \lambda} \{0,1\}^{\lambda+T}$. In contrast, CBC-CTS-DEM supports all message
lengths that are not a multiple of $\ell$, with a minimum value of $\ell + 1$; formally,
$\mathcal{M} = \bigcup_{\lambda > \ell,\ \ell \nmid \lambda} \{0,1\}^\lambda$ and $\mathcal{C} = \bigcup_{\lambda > \ell,\ \ell \nmid \lambda} \{0,1\}^{\lambda+T}$. Together, CBC-DEM and
CBC-CTS-DEM can handle messages of any length not smaller than $\ell$.²

266 F. Heuer and B. Poettering

Lemma 2. CBC-DEM is $\varepsilon$-simulatable where $\varepsilon = ((L/\ell)^2 - (L/\ell))/2^\ell$, and
CBC-CTS-DEM is $\varepsilon$-simulatable with $\varepsilon = (\lfloor L/\ell \rfloor^2 + \lfloor L/\ell \rfloor)/2^\ell$, where $L$ is the
maximum message length (in bits).


Fake(k', |m|)
00 Write |m| as lℓ
01 c_1, ..., c_l ←$ D
02 c ← c_1 ... c_l
03 t ← khf(k', c)
04 c ← c t
05 st ← (c_1, ..., c_l)
06 Return c, st

Make(st, m)
07 π ← ∅
08 Write |m| as lℓ
09 Parse st as (c_1, ..., c_l)
10 Split m into m_1 ... m_l
11 c_0 ← 0^ℓ
12 For i ← 1 to l:
13   u_i ← m_i ⊕ c_{i−1}
14   If u_i ∈ Dom(π): Abort
15   If c_i ∈ Rng(π): Abort
16   π ← π ∪ {(u_i, c_i)}
17 Return π

Fig. 11. Fake and Make for CBC-DEM. We write ‘Abort’ as an abbreviation for 
‘Return ∅’. 


Proof. The proof is similar to the one of Lemma 1. Consider algorithms Fake 
and Make from Fig. 11. The idea of Fake is to compute intermediate ciphertext c 
on basis of uniformly distributed blockcipher outputs (see how line 01 of Fake 
replaces l-many iterations of line 05 of O.Enc), but to compute the MAC tag 
on c faithfully. Note that the correct length of c is known to Fake as it coincides 
with the length of m. Inspection shows that, given m, algorithm Make finds 
a minimal partial permutation π such that Fake and Make jointly mimic the 
behaviour of O.Enc (see here how lines 13-16 of Make arrange the entries of π 
such that they are consistent with lines 04-05 of O.Enc). In some invocations 
of the algorithms, the described process might fail (lines 14, 15), namely when 
partial permutation π would become inconsistent. In such cases Make aborts, 
outputting the empty partial permutation π = ∅. 

We next show that the conditions from Definition 11 are met. Observe that, 
as Fake picks values c_1, ..., c_l uniformly and independently of each other, in each 
iteration of line 16 a value c_i is added to Rng(π) that is uniform conditioned 
on the then current state of Rng(π). Thus condition (1) holds. To establish 
the correctness bound of condition (2) we analyse the probability that Make 
aborts. With values c_1, ..., c_{l−1} also the values u_2, ..., u_l computed in line 13 
are uniformly distributed and independent of each other, so the abort condition 
of line 14 is met with probability (0 + ... + (l − 1))/|D| = ((l² − l)/2)/|D| 
(accumulated over all iterations of the loop). The same bound holds for line 
15. Plugging in the maximum value l = L/ℓ gives the bound claimed in the 
statement. Condition (3) is clear. 

Algorithms Fake and Make for CBC-CTS-DEM are given in Fig. 12. The 
analysis is similar. Here, however, we have l = ⌊L/ℓ⌋ and for lines 16 and 17 the 
accumulated probabilities of abort amount to (0 + ... + l)/|D| each. □ 

² Instead of specifying different algorithms for different classes of message length, one 
could also join them together to a single, more general algorithm. This is usually 
done in standards [16], but we abstain from doing so in this document to avoid rather 
obstructive case distinctions in the analysis. 


Fake(k', |m|)
00 Write |m| as lℓ + l*
01 c_1, ..., c_{l+1} ←$ D
02 c*_l ← msb_{l*}(c_l)
03 c ← c_1 ... c_{l−1} c*_l c_{l+1}
04 t ← khf(k', c)
05 c ← c t
06 st ← (c_1, ..., c_{l+1})
07 Return c, st

Make(st, m)
08 π ← ∅
09 Write |m| as lℓ + l*
10 Parse st as (c_1, ..., c_{l+1})
11 Split m into m_1 ... m_l m*_{l+1}
12 m_{l+1} ← m*_{l+1} || 0^{ℓ−l*}
13 c_0 ← 0^ℓ
14 For i ← 1 to l+1:
15   u_i ← m_i ⊕ c_{i−1}
16   If u_i ∈ Dom(π): Abort
17   If c_i ∈ Rng(π): Abort
18   π ← π ∪ {(u_i, c_i)}
19 Return π

Fig. 12. Fake and Make for CBC-CTS-DEM. We write ‘Abort’ as an abbreviation for 
‘Return ∅’. 
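As an added example (not the paper's code), the Fake and Make algorithms of Fig. 11 for CBC-DEM, together with the consistency check of Fig. 16 line 15 (re-encrypting m under the partial permutation π that Make outputs must reproduce Fake's ciphertext blocks) and an empirical estimate of Pr[Make aborts] against the bound ((l² − l))/2^ℓ of Lemma 2. Blocks are held as ℓ-bit integers so that ℓ can be made small enough for aborts to be observable; HMAC-SHA256 truncated to 64 bits as khf is an assumption of the example.

```python
import hashlib
import hmac
import random


def khf(k_mac, c):
    """The MAC of CBC-DEM as a keyed hash; HMAC-SHA256 truncated to T = 64 bits is an assumption here."""
    return hmac.new(k_mac, c, hashlib.sha256).digest()[:8]


def pack(blocks, ell):
    """Serialise ℓ-bit blocks (held as ints) so the MAC can be computed over them."""
    return b"".join(b.to_bytes((ell + 7) // 8, "big") for b in blocks)


def fake(k_mac, l, ell, rng):
    """Fake(k', |m|), Fig. 11 lines 00-06: l uniform blocks from D = {0,1}^ℓ, tag computed faithfully."""
    cs = [rng.randrange(1 << ell) for _ in range(l)]      # line 01
    c = pack(cs, ell)                                      # line 02
    return c + khf(k_mac, c), tuple(cs)                    # lines 03-06: st keeps the blocks


def make(st, m):
    """Make(st, m), Fig. 11 lines 07-17. Returns the minimal partial permutation π as a
    dict Dom(π) -> Rng(π), or None for Abort (the empty partial permutation)."""
    pi, rng_pi = {}, set()
    c_prev = 0                                             # line 11: c_0 = 0^ℓ
    for m_i, c_i in zip(m, st):                            # lines 12-16
        u_i = m_i ^ c_prev                                 # line 13: the blockcipher input O.Enc would use
        if u_i in pi or c_i in rng_pi:                     # lines 14-15: π would stop being a permutation
            return None
        pi[u_i] = c_i
        rng_pi.add(c_i)
        c_prev = c_i
    return pi


def cbc_enc(pi, m):
    """O.Enc^π of CBC-DEM (Fig. 9) without the tag, π given as a mapping;
    a KeyError would mean π was queried outside Dom(π)."""
    out, c_prev = [], 0
    for m_i in m:
        c_prev = pi[m_i ^ c_prev]
        out.append(c_prev)
    return tuple(out)


def fake_make_consistent(k_mac, m, ell, rng):
    """The check of Fig. 16 line 15: None if Make aborted, else whether O.Enc^π reproduces Fake's output."""
    c, st = fake(k_mac, len(m), ell, rng)
    pi = make(st, m)
    if pi is None:
        return None
    return cbc_enc(pi, m) == st and c[:-8] == pack(st, ell)


def abort_bound(l, ell):
    """ε of Lemma 2 for CBC-DEM, with l = L/ℓ blocks: both abort lines contribute (l^2 - l)/2 / |D|."""
    return (l * l - l) / (1 << ell)


def abort_rate(l, ell, trials, seed):
    """Empirical Pr[Make aborts] over `trials` Fake/Make runs on random l-block messages."""
    rng = random.Random(seed)
    aborts = 0
    for _ in range(trials):
        m = [rng.randrange(1 << ell) for _ in range(l)]
        _, st = fake(b"k", l, ell, rng)
        if make(st, m) is None:
            aborts += 1
    return aborts / trials
```

With ℓ = 8 and l = 4 the observed abort rate sits just below the bound 12/256; with a realistic ℓ = 64 no abort is ever observed.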


4.3 CCM 

We analyse the CCM mode of operation (‘CTR mode with CBC-MAC’) with 
fixed nonce and associated data field; we call this mode CCM0-DEM. CCM is 
parameterised by an authentication tag length T, a formatting function F: N × 
A × M → D⁺ (where N and A denote the nonce space and the associated data 
space, respectively), and a counter generation function G: N × [0..V] → D, 
where V is a sufficiently large value. While only one set of instantiations of F 
and G is suggested in SP 800-38C (and if it is chosen the resulting version of CCM 
is the one used in wireless encryption standard IEEE 802.11), the specification 
is explicitly modular in the sense that it works with any F and G that meet 
certain conditions. Amongst others, the conditions listed in [14] imply that for 
all N ∈ N the function G(N, ·) is injective and that for all (N, A, m) ∈ N × A × M 
and z_0 ... z_r = F(N, A, m) we have that z_0 ∉ G(N, [0..V]). Now, if we fix any 
nonce N_0 and any associated data string A_0 (e.g., the all-zero string for N_0 
and the empty string for A_0) and define the restrictions F_0: M → D⁺; m ↦ 
F(N_0, A_0, m) and G_0: [0..V] → D; i ↦ G(N_0, i), then the algorithms of the 
resulting oracle DEM associated with CCM are given in Fig. 13. The message 
space of CCM0-DEM is M = {0,1}* and the ciphertext space is C = {0,1}^{≥T}. 
O.Enc^π(k', m)
00 z_0 ... z_r ← F_0(m)
01 y_0 ← π(z_0)
02 For i ← 1 to r:
03   x_i ← z_i ⊕ y_{i−1}
04   y_i ← π(x_i)
05 u_0 ← G_0(0)
06 v_0 ← π(u_0)
07 t ← y_r ⊕ v_0
08 t* ← msb_T(t)
09 Write |m| as (l − 1)ℓ + l*
10 Split m into m_1 ... m_{l−1} m*_l
11 m_l ← m*_l || 0^{ℓ−l*}
12 For j ← 1 to l:
13   u_j ← G_0(j)
14   v_j ← π(u_j)
15   c_j ← m_j ⊕ v_j
16 c*_l ← msb_{l*}(c_l)
17 c ← c_1 ... c_{l−1} c*_l t*
18 Return c

O.Dec^π(k', c)
19 If |c| < T: Return ⊥
20 Write |c| as (l − 1)ℓ + l* + T
21 Split c into c_1 ... c_{l−1} c*_l t*
22 c_l ← c*_l || 0^{ℓ−l*}
23 For j ← 1 to l:
24   u_j ← G_0(j)
25   v_j ← π(u_j)
26   m_j ← c_j ⊕ v_j
27 m*_l ← msb_{l*}(m_l)
28 m ← m_1 ... m_{l−1} m*_l
29 z_0 ... z_r ← F_0(m)
30 y_0 ← π(z_0)
31 For i ← 1 to r:
32   x_i ← z_i ⊕ y_{i−1}
33   y_i ← π(x_i)
34 u_0 ← G_0(0)
35 v_0 ← π(u_0)
36 t ← y_r ⊕ v_0
37 If t* ≠ msb_T(t): Return ⊥
38 Return m

Fig. 13. CCM0-DEM. Lines 09 and 20 uniquely identify quantities l and l* such that 
l ∈ ℕ≥1 and 0 ≤ l* < ℓ, and |m| = (l − 1)ℓ + l* and |c| = (l − 1)ℓ + l* + T, respectively. 
Correspondingly, line 10 assumes |m_1| = ... = |m_{l−1}| = ℓ and |m*_l| = l*, and line 21 
assumes |c_1| = ... = |c_{l−1}| = ℓ and |c*_l| = l* and |t*| = T. 


Lemma 3. CCM0-DEM is ε-simulatable with ε ≤ ⌊L/ℓ⌋²/2^{ℓ−2}, where L is the 
maximum message length (in bits). 

Proof. Consider algorithms Fake and Make from Fig. 14. The idea of Fake is to 
compute the visible ciphertext components on basis of uniformly distributed 
blockcipher outputs while completely ignoring the blockcipher invocations of 
CCM’s internal CBC-MAC computation (see how line 07 and l-many iterations 
of line 15 of O.Enc (in Fig. 13) are replaced by lines 00 and 03 of Fake, while 
lines 01 and 04 of O.Enc have no counterpart). Inspection shows that, given m, 
algorithm Make finds a minimal partial permutation π such that Fake and Make 
jointly mimic the behaviour of O.Enc (see here how lines 24-27, 30-33, 35-38, 
43-46 of Make arrange the entries of π such that they are consistent with 
lines 01, 04, 06/07, 14/15 of O.Enc). In some invocations of the algorithms, the 
described process might fail (in lines 25/26, 31/32, 36/37, 44/45), namely when 
partial permutation π would become inconsistent. In such cases Make aborts, 
outputting the empty partial permutation π = ∅. 

We next show that the requirements from Definition 11 are met. To see 
that condition (1) holds, observe that in Make the values y_0, y_i, v_0, and v_j 
are uniformly distributed and independent of each other at the point they are 
added to Rng(π) in lines 27, 33, 38, 46. To establish the correctness bound 
of condition (2) we assess the probability that Make aborts. Using a similar 
analysis as in the proof of Lemma 1 we obtain the following (accumulated) 
Fake(k', |m|)
00 t ←$ D
01 t* ← msb_T(t)
02 Write |m| as (l − 1)ℓ + l*
03 c_1, ..., c_l ←$ D
04 c*_l ← msb_{l*}(c_l)
05 c ← c_1 ... c_{l−1} c*_l t*
06 st ← (t, c_1, ..., c_l)
07 Return c, st

Make(st, m)
20 π ← ∅
21 Write |m| as (l − 1)ℓ + l*
22 Parse st as (t, c_1, ..., c_l)
23 z_0 ... z_r ← F_0(m)
24 y_0 ←$ D
25 If z_0 ∈ Dom(π): Abort
26 If y_0 ∈ Rng(π): Abort
27 π ← π ∪ {(z_0, y_0)}
28 For i ← 1 to r:
29   x_i ← z_i ⊕ y_{i−1}
30   y_i ←$ D
31   If x_i ∈ Dom(π): Abort
32   If y_i ∈ Rng(π): Abort
33   π ← π ∪ {(x_i, y_i)}
34 u_0 ← G_0(0)
35 v_0 ← y_r ⊕ t
36 If u_0 ∈ Dom(π): Abort
37 If v_0 ∈ Rng(π): Abort
38 π ← π ∪ {(u_0, v_0)}
39 Split m into m_1 ... m_{l−1} m*_l
40 m_l ← m*_l || 0^{ℓ−l*}
41 For j ← 1 to l:
42   u_j ← G_0(j)
43   v_j ← m_j ⊕ c_j
44   If u_j ∈ Dom(π): Abort
45   If v_j ∈ Rng(π): Abort
46   π ← π ∪ {(u_j, v_j)}
47 Return π

Fig. 14. Fake and Make for CCM0-DEM. We write ‘Abort’ as an abbreviation for 
‘Return ∅’. 

probabilities: The abort conditions in lines 25 and 26 are never met; for lines 
31 and 32 the probabilities are (1 + ... + r)/|D| each; by the properties of 
CCM’s functions F_0 and G_0, for lines 36 and 37 the probabilities are r/|D| and 
(r + 1)/|D|; for line 44 the probability is lr/|D|; finally, for line 45 the probability 
is ((r + 2) + ... + (r + 1 + l))/|D|. If we assume reasonable behaviour of function F_0 
and let r = l, we obtain quantity 4l²/|D| as an upper bound for the sum of these 
probabilities. This establishes the claimed bound. Condition (3) is clear. □ 
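An added example, not the paper's code, covering Fig. 13 and Fig. 14 together: O.Enc of CCM0-DEM over any mapping π (a full random permutation stands in for the ideal cipher), plus Fake and Make and the check that re-encrypting m under the partial permutation Make outputs reproduces Fake's ciphertext. The toy formatting function F_0 (a length block with its top bit set, so that z_0 ∉ G_0([0..V]), followed by the padded message blocks, hence r = l), the counter function G_0(j) = j, the blocklength ℓ = 16 bits and T = ℓ are all constructed for the example and are not the SP 800-38C instantiation.

```python
import random

ELL = 16                      # toy blocklength ℓ in bits; D = [0 .. 2^16 - 1] (constructed, not a real cipher width)
T = 16                        # tag length T = ℓ, so t* = msb_T(t) is the whole block
V = 2**15 - 1                 # counter range [0..V]; G_0 maps into the lower half of D


def G0(j):                    # constructed counter function G_0: [0..V] -> D, injective
    assert 0 <= j <= V
    return j


def blocks_of(m):
    """Lines 09-11 of Fig. 13: |m| = (l-1)ℓ + l* with 0 <= l* < ℓ, m_l = m*_l || 0^{ℓ-l*}.
    Returns (l, l*, [m_1 .. m_l]) with blocks as 16-bit ints."""
    l_minus_1, rem = divmod(len(m), 2)
    lstar = 8 * rem
    full = [int.from_bytes(m[2 * i:2 * i + 2], "big") for i in range(l_minus_1)]
    last = m[2 * l_minus_1:] + bytes(2 - rem)
    return l_minus_1 + 1, lstar, full + [int.from_bytes(last, "big")]


def F0(m):
    """Constructed formatting function F_0: z_0 encodes |m| with the top bit set (outside G_0's range),
    z_1 .. z_r are the padded message blocks, so r = l as assumed at the end of the proof."""
    _, _, mb = blocks_of(m)
    return [0x8000 | (len(m) & 0x7FFF)] + mb


def msb(x, bits):             # msb_bits(x) of an ℓ-bit block, as an int
    return x >> (ELL - bits)


def _serialise(cs, lstar, tag):
    body = b"".join(c.to_bytes(2, "big") for c in cs[:-1]) + msb(cs[-1], lstar).to_bytes(lstar // 8, "big")
    return body + msb(tag, T).to_bytes(T // 8, "big")          # line 17: c_1 .. c_{l-1} c*_l t*


def ccm_enc(pi, m):
    """O.Enc^π of CCM0-DEM, Fig. 13 lines 00-18; π may be a full permutation (list) or a partial one (dict)."""
    z = F0(m)
    y = pi[z[0]]                                                # line 01
    for zi in z[1:]:                                            # lines 02-04: CBC-MAC over F_0(m)
        y = pi[zi ^ y]
    t = y ^ pi[G0(0)]                                           # lines 05-07
    l, lstar, mb = blocks_of(m)
    cs = [mb[j - 1] ^ pi[G0(j)] for j in range(1, l + 1)]       # lines 12-15: CTR encryption
    return _serialise(cs, lstar, t)


def fake(mlen, rng):
    """Fake(k', |m|), Fig. 14 lines 00-07: tag and ciphertext blocks are uniform; st keeps the full blocks."""
    t = rng.randrange(1 << ELL)
    l, lstar, _ = blocks_of(bytes(mlen))
    cs = [rng.randrange(1 << ELL) for _ in range(l)]
    return _serialise(cs, lstar, t), (t, cs)


def _add(pi, rng_pi, x, y):
    """One 'If x ∈ Dom(π): Abort / If y ∈ Rng(π): Abort / π ← π ∪ {(x, y)}' triple of Fig. 14."""
    if x in pi or y in rng_pi:
        return False
    pi[x] = y
    rng_pi.add(y)
    return True


def make(st, m, rng):
    """Make(st, m), Fig. 14 lines 20-47; returns π as a dict, or None for Abort (π = ∅)."""
    t, cs = st
    pi, rng_pi = {}, set()
    z = F0(m)
    y = rng.randrange(1 << ELL)                                 # line 24: y_0 is free, Fake never used it
    if not _add(pi, rng_pi, z[0], y):                           # lines 25-27
        return None
    for zi in z[1:]:                                            # lines 28-33: fresh uniform y_i per CBC-MAC step
        x = zi ^ y
        y = rng.randrange(1 << ELL)
        if not _add(pi, rng_pi, x, y):
            return None
    if not _add(pi, rng_pi, G0(0), y ^ t):                      # lines 34-38: v_0 is forced by the fake tag
        return None
    l, _, mb = blocks_of(m)
    for j in range(1, l + 1):                                   # lines 41-46: v_j forced by the fake blocks
        if not _add(pi, rng_pi, G0(j), mb[j - 1] ^ cs[j - 1]):
            return None
    return pi


def fake_make_consistent(m, rng):
    """The check of Fig. 15 line 16: None if Make aborted, else whether O.Enc^π reproduces Fake's output."""
    c, st = fake(len(m), rng)
    pi = make(st, m, rng)
    if pi is None:
        return None
    return ccm_enc(pi, m) == c
```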


5 A Formal Treatment of Our Main Result 

We anticipated the main result of this paper in Sect. 3: Any (hybrid) PKE 
scheme constructed from a KEM and a permutation-driven DEM offers SIM-SO-CCA 
security in the ideal cipher model, if the KEM provides confidentiality 
(IND-CCA), the DEM provides authenticity (OT-INT-CTXT), and the DEM is 
simulatable. Prerequisites like IND-CCA and OT-INT-CTXT on the KEM and 
DEM, respectively, are standard for proofs of the IND-CCA security of hybrid 
encryption, so the important finding is that the added constraint of simulatability 
suffices to lift security to the stronger notion of SO security.³ 

We discussed an informal version of our result in Sect. 3.2. Recall from the 
included proof sketch that an important subgoal was bounding the probability of 
the ideal cipher being evaluated on input a key established by the KEM before a 
corresponding Open query is posed. (If the cipher is evaluated earlier, the partial 
permutation found by Fake and Make cannot be smoothly embedded into it 
any more.) In the following we argue that without putting further restrictions on 
the KEM, bounding this probability to any small value is in general impossible. 
Indeed, assume for a moment a KEM where K.Enc, before outputting a key k 
and a ciphertext c, evaluates the blockcipher used by D.Enc on input key k and 
a value d_0, where the latter is any fixed element d_0 ∈ D in the cipher’s domain, 
and assume K.Enc completely ignores the result. Even though this blockcipher 
evaluation is completely pointless and should not affect security of the overall 
design, for such a KEM our arguments would not work. Below, in the formal 
version of our theorem statement, we correspondingly restrict the set of considered 
KEMs to those that do not evaluate the blockcipher at all. This admittedly 
is a limitation of our result, but we believe it is a mild one. Indeed, all practical 
KEMs we are aware of do not (internally) invoke blockcipher operations at 
all. This holds in particular for Hashed ElGamal, PSEC-KEM, Cramer-Shoup 
KEM, and RSA-KEM. In the following theorem statement, if E is a blockcipher, 
we say a KEM is E-independent if no KEM algorithm evaluates E⁺ or E⁻. 

³ We note that a typical proof of IND-CCA security of hybrid PKE requires the DEM 
to also offer some kind of confidentiality (e.g., OT-IND-CCA). A corresponding 
notion appears only implicitly in our theorem statement, as it follows from the 
DEM’s simulatability (in the ideal cipher model). 

We proceed with the statement and proof of our main theorem. 

Theorem 2. Let DEM be a (K, D)-permutation-driven DEM with corresponding 
oracle DEM oDEM and blockcipher E. Let KEM denote an E-independent KEM 
for the key space of the DEM. Let PKE denote the hybrid PKE scheme obtained 
when instantiating Construction 1 in Fig. 3 with KEM and DEM. 

Let DEM be (τ, q_d, ε_ctxt)-OT-INT-CTXT secure and KEM be (τ, q_d, ε_cca)-
IND-CCA secure. 

If oDEM is ε_sim-simulatable, then PKE is (τ, τ', q_d, q_ic, ε)-SIM-SO-CCA 
secure where ε can be upper-bounded by 

    ε(n) ≤ n · (3 · ε_cca + ε_ctxt + ε_sim + 2 · (n + q_ic + q_d)/|K|) 

and E is modeled as an ideal cipher. 

See Sect. 3.2 for a proof sketch including the high-level ideas. We proceed 
with a detailed proof of Theorem 2. 

Proof. For the list of n challenge ciphertexts ((c_{1,1}, c_{1,2}), ..., (c_{n,1}, c_{n,2})) and 
J ⊆ [n] let C_{J,1} denote the set {c_{j,1} | j ∈ J}. For the keys (k_i, k'_i) ← k''_i output 
by the n iterations of K.Enc, and J ⊆ [n] let K_J denote the set {k_j | j ∈ J} of 
blockcipher keys k_j for j ∈ J. For the family of partial permutations (E_k)_{k∈K} 
maintained by S to implement ideal cipher E, let supp(E) := {k ∈ K | E_k ≠ ∅} 
denote the set of keys k ∈ K where partial permutation E_k is not empty. 

Fix any SIM-SO-CCA adversary A. We define a simulator (S_1, S_2) by giving 
its pseudocode in Fig. 15. Simulator S_1 consists of lines 00-03, S_2 consists of 
lines 04-11. Their code is enhanced by bookkeeping and abort events, while the 
explicit invocation of S_1, S_2 and their input/output behaviour is merged into 
the ideal game. Instructions in grey boxes are performed by the ideal game. 

We show that S, when run in the ideal game, can simulate the real game for 
A. To this end we proceed in a sequence of experiments tracing A’s advantage 
of distinguishing two consecutive games. The sequence interpolates between the 

Simulator S = (S_1, S_2) inlined into the ideal experiment
      [grey] X ← ∅
00 For all k ∈ K: E_k ← ∅
01 X ← ∅; C ← ∅
02 (pk, sk) ←$ K.Gen
03 (D, st) ←$ A_1^{P.Dec,E}(pk)
      [grey] (m_1, ..., m_n) ←$ D
04 For i ← 1 to n:
05   r_i ←$ R
06   (k''_i, c_{i,1}) ← K.Enc(pk; r_i)
07   (k_i, k'_i) ← k''_i
08   If k_i ∈ K_{[i−1]} ∪ supp(E): Abort
09   (c_{i,2}, st_i) ←$ Fake(k'_i, |m_i|)
10   c_i ← (c_{i,1}, c_{i,2})
      [grey] out ←$ A_2(st, c_1, ..., c_n)
      [grey] Stop with Pred(D, m_1, ..., m_n, X, out)

Oracle Open(i)
12 X ← X ∪ {i}
13 If k_i ∈ K_{[i−1]} ∪ supp(E): Abort
14 π ←$ Make(st_i, m_i)
15 E_{k_i} ← π
16 If c_{i,2} ≠ O.Enc^{E(k_i,·)}(k'_i, m_i): Abort
17 Return (m_i, r_i)

Oracle P.Dec((c_1, c_2))
18 If (c_1, c_2) ∈ C_{[n]}: Abort
19 If c_1 ∈ C_{[n]\X,1}: Return ⊥
20 k'' ← K.Dec(sk, c_1)
21 If k'' = ⊥: Return ⊥
22 (k, k') ← k''
23 m ← O.Dec^{E(k,·)}(k', c_2)
24 Return m

Oracle E⁺(k, α)
25 If k ∈ K_{[n]\X}: Abort
26 If α ∉ Dom(E_k):
27   β ←$ D \ Rng(E_k)
28   E_k ← E_k ∪ {(α, β)}
29 Return β

Oracle E⁻(k, β)
30 If k ∈ K_{[n]\X}: Abort
31 If β ∉ Dom(E_k^{−1}):
32   α ←$ D \ Rng(E_k^{−1})
33   E_k ← E_k ∪ {(α, β)}
34 Return α

Fig. 15. Proposed simulator S = (S_1, S_2) inlined into the i-SO-CCA experiment. S_1 in 
lines 00-03, S_2 given in lines 04-11. Instructions in grey boxes (marked [grey] above) are executed by the 
ideal experiment. The whole code corresponds to the last game G_6 in our proof. For 
J ⊆ [n] we denote C_{J,1} := {c_{j,1} | j ∈ J} and K_J := {k_j | j ∈ J}. Further, we denote 
supp(E) := {k ∈ K | E_k ≠ ∅}. 


real game (G_0 = r-SO-CCA, cf. Fig. 5) and a simulated real game (G_6, cf. Fig. 15) 
provided by the simulator S inlined into the ideal game. 

The whole sequence of experiments is given in Fig. 16. Lines ending with a 
range of experiments G_i - G_j (resp. G_i if j = i) are only executed when an 
experiment within the range is run. 

Without loss of generality we assume that A does not make the same opening 
query twice. We proceed with detailed descriptions of the experiments. 

Game G_0. The r-SO-CCA game as given in Fig. 5. 

Game G_1. Lines 28 and 29 are added: Any decryption query of the form (c_1, c_2) is 
answered with ⊥ if c_1 ∈ C_{[n]\X,1}. That is, there exists i ∈ [n] such that c_1 = c_{i,1} 
and A did not query Open(i). 

Claim. There exists an adversary B_cca that (τ, q_d, ε_cca)-breaks the IND-CCA 
security of KEM and an adversary B_ctxt that (τ, q_d, ε_ctxt)-breaks the OT-INT-
CTXT security of DEM with |Pr[G_0 ⇒ 1] − Pr[G_1 ⇒ 1]| ≤ n · (ε_cca + ε_ctxt). 

Proof. Games G_0 and G_1 proceed identically, until A submits a ciphertext (c_1, c_2) 
to decryption where c_1 ∈ C_{[n]\X,1} and P.Dec(sk, (c_1, c_2)) ≠ ⊥. We fix some i ∈ [n] 
Experiments G_0 - G_6
00 For all k ∈ K: E_k ← ∅
01 X ← ∅; C ← ∅
02 bad ← 0                                            // G_4
03 (pk, sk) ←$ K.Gen
04 (D, st) ←$ A_1^{P.Dec,E}(pk)
05 (m_1, ..., m_n) ←$ D
06 For i ← 1 to n:
07   r_i ←$ R
08   (k''_i, c_{i,1}) ← K.Enc(pk; r_i)
09   (k_i, k'_i) ← k''_i
10   If k_i ∈ K_{[i−1]} ∪ supp(E): Abort                // G_2 - G_6
11   c_{i,2} ← O.Enc^{E(k_i,·)}(k'_i, m_i)               // G_0 - G_2
12   (c_{i,2}, st_i) ←$ Fake(k'_i, |m_i|)                // G_3 - G_6
13   π ←$ Make(st_i, m_i)                              // G_3 - G_5
14   E_{k_i} ← π                                       // G_3 - G_5
15   If c_{i,2} ≠ O.Enc^{E(k_i,·)}(k'_i, m_i):            // G_3 - G_5
16     Abort                                          // G_3 - G_5
17   c_i ← (c_{i,1}, c_{i,2})
18 out ←$ A_2(st, c_1, ..., c_n)
19 If bad: Abort                                      // G_4
20 Stop with Pred(D, m_1, ..., m_n, X, out)

Oracle Open(i)
21 X ← X ∪ {i}
22 If k_i ∈ K_{[i−1]} ∪ supp(E): Abort                  // G_6
23 π ←$ Make(st_i, m_i)                                // G_6
24 E_{k_i} ← π                                         // G_6
25 If c_{i,2} ≠ O.Enc^{E(k_i,·)}(k'_i, m_i): Abort        // G_6
26 Return (m_i, r_i)

Oracle P.Dec((c_1, c_2))
27 If (c_1, c_2) ∈ C_{[n]}: Abort
28 If c_1 ∈ C_{[n]\X,1}:                                // G_1 - G_6
29   Return ⊥                                         // G_1 - G_6
30 k'' ← K.Dec(sk, c_1)
31 If k'' = ⊥: Return ⊥
32 (k, k') ← k''
33 m ← O.Dec^{E(k,·)}(k', c_2)
34 Return m

Oracle E⁺(k, α)
35 If k ∈ K_{[n]\X}:                                    // G_4 - G_6
36   bad ← 1                                          // G_4
37   Abort                                            // G_5 - G_6
38 If α ∉ Dom(E_k):
39   β ←$ D \ Rng(E_k)
40   E_k ← E_k ∪ {(α, β)}
41 Return β

Oracle E⁻(k, β)
42 If k ∈ K_{[n]\X}:                                    // G_4 - G_6
43   bad ← 1                                          // G_4
44   Abort                                            // G_5 - G_6
45 If β ∉ Dom(E_k^{−1}):
46   α ←$ D \ Rng(E_k^{−1})
47   E_k ← E_k ∪ {(α, β)}
48 Return α

Fig. 16. Experiments G_0 - G_6 used in the proof of Theorem 2. We write ‘Abort’ as an 
abbreviation for ‘Stop with 0’. 


and analyse the probability that A submits a ciphertext (c_1, c_2) where c_1 ∈ 
C_{{i}\X,1} and P.Dec(sk, (c_1, c_2)) ≠ ⊥; we denote this event by ‘(c_{i,1}, c_2) ≠ ⊥’. 

At first, we replace k''_i as output by the i-th invocation of K.Enc with a uniformly 
random key. We lose an additional summand of ε_cca in the bound on 
Pr[(c_{i,1}, c_2) ≠ ⊥] as shown by the following reduction run by adversary B_cca: It 
uses its decapsulation oracle to answer decryption queries from A_1. Receiving 
(c*, k''_b), B_cca parses (k_b, k'_b) ← k''_b and computes all ciphertexts faithfully except 
for c_i ← (c*, O.Enc^{E(k_b,·)}(k'_b, m_i)). Decryption queries (c_1, c_2) by A_2 are answered 
employing the decapsulation oracle for c_1 ≠ c* and using key k''_b otherwise. 

The reduction perfectly simulates G_1 until A queries Open(i) which the 
reduction cannot answer. Yet, to bound the probability of event ‘(c_{i,1}, c_2) ≠ ⊥’ 
happening, it suffices to make sure that the reduction ‘works’ as long as the event 
can occur. Observe that ‘(c_{i,1}, c_2) ≠ ⊥’ cannot happen after query Open(i). 

We now show how to break the OT-INT-CTXT security of the DEM if 
‘(c_{i,1}, c_2) ≠ ⊥’ happens. We construct B_ctxt. The reduction performed by B_ctxt 
runs K.Gen and starts A_1(pk). Decryption queries are answered using sk. Once 
A_1 outputs D, B_ctxt samples messages but submits m_i to the D.Enc oracle of its 
OT-INT-CTXT game to obtain a data encapsulation c_2 ← D.Enc(k''_$, m_i) under 
a random key k''_$. Additionally, B_ctxt runs K.Enc to obtain (k'', c*) and sends 
(c_1, ..., c_{i−1}, (c*, c_2), ..., c_n) to A_2. Adversary B_ctxt answers all further decryption 
queries on its own, unless the ciphertext is of the form (c*, c_2') where it 
submits c_2' to the decapsulation oracle of the OT-INT-CTXT experiment. If it 
receives ⊥, it returns ⊥ to A_2. 

Clearly, B_ctxt wins the OT-INT-CTXT game when A submits a ciphertext 
that causes ‘(c_{i,1}, c_2) ≠ ⊥’ to happen. 

We obtain Pr[(c_{i,1}, c_2) ≠ ⊥] ≤ ε_cca + ε_ctxt. The claim follows from the union 
bound over all i ∈ [n]. □ 

The next game hop ensures that (if it is not aborted) the i-th invocation of 
the oracle data encapsulation, i.e., O.Enc^{E(k_i,·)}, has access to an empty partial 
permutation E_{k_i}. This is a preparational step to ensure that later, when O.Enc 
is replaced with Fake and Make, the partial permutation output by Make can be 
embedded into E_{k_i}. 

Game G_2. Line 10 is added. That is, G_2 aborts if the i-th iteration of O.Enc would 
have oracle access to a non-empty permutation E(k_i, ·).⁴ 

Claim. There exists an adversary B_cca that (τ, q_d, ε_cca)-breaks the IND-CCA 
security of KEM with |Pr[G_1 ⇒ 1] − Pr[G_2 ⇒ 1]| ≤ n · (ε_cca + (n + q_ic + q_d)/|K|). 

Proof. We bound Pr[k_i ∈ K_{[i−1]} ∪ supp(E)] for fixed i ∈ [n]. Again, we use KEM’s 
IND-CCA security to replace k''_i output by the i-th invocation of K.Enc with a 
uniform key. We construct adversary B_cca. It receives pk and starts A_1(pk). 
Decryption queries are answered using the decapsulation oracle. When A_1 halts, 
B_cca requests its IND-CCA challenge (c*, k''_b), lets (k_b, k'_b) ← k''_b, and runs the 
For loop 07. In the i-th iteration B_cca halts and returns 1 iff k_b ∈ K_{[i−1]} ∪ supp(E). 

Clearly, the reduction is perfect until B_cca halts and we have |Pr[k_i ∈ K_{[i−1]} ∪ 
supp(E)] − Pr[k_$ ∈ K_{[i−1]} ∪ supp(E)]| ≤ ε_cca where k_$ ←$ K. 

Note that each decryption query or query to the ideal cipher oracles adds 
at most one element to supp(E), hence |K_{[i−1]} ∪ supp(E)| ≤ n + q_ic + q_d. 
Thus, we obtain Pr[k_$ ∈ K_{[i−1]} ∪ supp(E)] ≤ (n + q_ic + q_d)/|K| and Pr[k_i ∈ 
K_{[i−1]} ∪ supp(E)] ≤ ε_cca + (n + q_ic + q_d)/|K|. The claim follows from the 
union bound over i ∈ [n]. □ 

Game G_3. The faithful data encapsulation is replaced by algorithms Fake and 
Make. More precisely, for each iteration of the For loop (line 06) we replace 
the invocation O.Enc^{E(k_i,·)}(k'_i, m_i) (line 11) with running Fake(k'_i, |m_i|) and 
Make(st_i, m_i) back to back (lines 12, 13). E_{k_i} gets assigned partial permutation π 
as output by Make (cf. line 14) and a check is performed whether E_{k_i} has been 
programmed ‘consistently’; if not, experiment G_3 aborts (lines 15, 16). 

Claim. |Pr[G_2 ⇒ 1] − Pr[G_3 ⇒ 1]| ≤ n · ε_sim. 

Proof. Fix i ∈ [n]. Due to the modifications in games G_1 and G_2 partial 
permutation E_{k_i} is empty at the time of invoking O.Enc. Hence, once we replace 
O.Enc by Fake and Make, the partial permutation as output by Make can always 
be embedded into E_{k_i}. Particularly, partial permutations E_{k_i} accessed by O.Enc 
and π output by Make are identically distributed when randomly extended to 
a full permutation on D. We conclude that the abort in line 16 happens with 
probability at most ε_sim as oDEM is ε_sim-simulatable. The claim follows from 
the union bound over all i ∈ [n]. □ 

⁴ As of now, in the i-th iteration of the For loop, we have K_{[i−1]} ⊆ supp(E) as the 
invocation of O.Enc^{E(k_i,·)} adds elements to E_{k_i}. Later, in game G_6, we do not invoke 
code that (implicitly) adds elements to E_{k_i} and rely on set K_{[i−1]} to detect collisions 
amongst the (blockcipher) keys. 

Recall from the proof outline that, eventually, Make shall be run as part of 
the Open procedure. The upcoming modifications ensure that partial permutation 
E_{k_i} remains empty until Open(i) is queried. 

Game G_4. Line 02 is added to initialise a flag ‘bad’ as 0. Lines (35, 36) are added 
to the E⁺ oracle, lines (42, 43) are added to the E⁻ oracle and line 19 is added. 
That is, if E⁺ or E⁻ is queried on (k_i, z) for any z and i ∉ X, ‘bad’ is set to 1 
and the game aborts after the execution of A_2 (in line 19). 

Claim. There exists an adversary B_cca that (τ, q_d, ε_cca)-breaks the IND-CCA 
security of KEM with |Pr[G_3 ⇒ 1] − Pr[G_4 ⇒ 1]| ≤ n · (ε_cca + (q_ic + q_d)/|K|). 

Proof. Fix i ∈ [n] and let ‘k ∈ K_{{i}\X}’ denote the event that E⁺ or E⁻ is queried 
on (k, z) where k ∈ K_{{i}\X}. (That is, the condition in lines 35 or 42 holds, even 
for K_{{i}\X}.) Again, we replace key k''_i output in the i-th invocation of K.Enc with 
a uniform key (k_$, k'_$) ← k''_$. The reduction run by B_cca proceeds as in the proof 
to bridge G_0 and G_1. Here, B_cca halts after A_2’s execution and outputs 1 iff 
bad = 1. Clearly |Pr[k ∈ K_{{i}\X}] − Pr[k ∈ {k_$}\X]| ≤ ε_cca for uniform k_$ ←$ K. 

The reduction is perfect unless A_2 queries Open(i) which cannot be 
answered. Note that after query Open(i), ‘bad’ cannot be set to 1 as K_{{i}\X} = ∅. 
Similarly to before, it suffices to guarantee the correctness of the simulation as 
long as the abort in line 19 can potentially happen. 

Note that k_$ is uniform from A’s view: Only ciphertext (c_{i,1}, c_{i,2}) might 
contain information on k_$, but c_{i,1} is independent of k_$ as it is sampled after 
K.Enc output c_{i,1}, and data encapsulation c_{i,2} is independent of k_$ as we run 
Fake(k'_i, |m_i|) to compute c_{i,2}. Thus, Pr[k ∈ {k_$}\X] ≤ (q_ic + q_d)/|K| and collecting 
the probabilities and applying the union bound gives the desired bound. □ 

Game G_5. Lines 37 and 44 are added. Instead of aborting after the execution of 
A_2 if bad = 1, game G_5 aborts as soon as bad (as introduced in game G_4) is set 
to 1. Now obsolete lines 02, 19, 36 and 43 are removed for clarity. 

Claim. Pr[G_4 ⇒ 1] = Pr[G_5 ⇒ 1]. 

Proof. The claim follows from observing that game G_5 aborts in lines 37 or 44 if 
and only if game G_4 aborts in line 19. □ 

Game G_6. An abort event is added in line 22. The invocation of Make, the embedding 
of a partial permutation and the consistency check are moved from the For 
loop in lines 13 - 16 to the Open oracle (lines 23 - 24). 

Claim. Pr[G_5 ⇒ 1] = Pr[G_6 ⇒ 1]. 

Proof. The abort event in line 22 is solely added for clarity but never met: Assume 
that line 22 would cause an abort, then the condition in line 10, or lines 35/42 
would have been satisfied earlier. Hence, for all i ∈ [n]: a) in game G_5 partial 
permutation E_{k_i} ← π as output by Make in line 13 is information-theoretically 
hidden from A until it queries Open and b) in game G_6 partial permutation E_{k_i} 
remains empty until A queries Open. Thus, embedding partial permutation π 
into E_{k_i} always succeeds. Further, moving the invocation of Make, the embedding 
and checking to the Open oracle is completely oblivious to A. □ 

We observe that the code as given in game G_6 in Fig. 16 matches the code of 
the simulator as given in Fig. 15. 

The claim of Theorem 2 follows by collecting the probabilities. □ 

6 Conclusion 

The most promising practical approach to public key encryption is through 
the hybrid KEM/DEM paradigm. Suitable KEMs include Hashed ElGamal, 
PSEC-KEM, Cramer-Shoup KEM, and RSA-KEM, and candidates for the DEM 
part are readily derived from the highly efficient encryption modes CTR, CBC, 
CCM standardised by NIST (to reach CCA security, the former two should be 
enhanced with a MAC, e.g., CMAC or HMAC). The last NIST standardised 
mode of operation, GCM, is covered in the full version of this paper [23], too. To 
compress the contribution of this paper into a single line: We effectively show 
that if any of these KEMs is combined with any of these DEMs in the sense 
of hybrid encryption, then the obtained PKE scheme offers a strong notion of 
selective opening security. Our result holds in the (heuristic) ideal cipher model 
for the underlying blockcipher. We thus recommend using modern blockciphers 
like AES as they come closest to meeting such requirements. 
Abstract. We initiate the study of public-key encryption (PKE) secure 
against selective-opening attacks (SOA) in the presence of randomness 
failures, i.e., when the sender may (inadvertently) use low-quality 
randomness. In the SOA setting, an adversary can adaptively corrupt 
senders; this notion is natural to consider in tandem with randomness 
failures since an adversary may target senders by multiple means. 

Concretely, we first treat SOA security of nonce-based PKE. After for- 
mulating an appropriate definition of SOA-secure nonce-based PKE, we 
provide efficient constructions in the non-programmable random-oracle 
model, based on lossy trapdoor functions. 

We then lift our notion of security to the setting of “hedged” PKE, 
which ensures security as long as the sender’s seed, message, and nonce 
jointly have high entropy. This unifies the notions and strengthens the 
protection that nonce-based PKE provides against randomness failures 
even in the non-SOA setting. We lift our definitions and constructions of 
SOA-secure nonce-based PKE to the hedged setting as well. 


1 Introduction 

Imagine that an adversary wants to gain access to encrypted communication that 
various senders are transmitting to a receiver. There are various ways to go about 
doing this. One is to try to subvert the random-number generator used by the 
senders. Another is to break in to the senders’ machines, possibly in an adaptive 
fashion. Encryption schemes resisting the first sort of attack have been studied in 
the context of security under randomness failures [3, 7, 10, 18, 23] while resistance 
to the second sort of attack corresponds to the notion of security against selective-
opening attacks (SOA) [5, 9, 11, 14-16].¹ However, as far as we are aware, these 
notions have so far only been considered separately. We initiate the study of 

¹ There are two forms of SOA security, called coin-revealing (corresponding to sender 
corruption) and key-revealing (corresponding to receiver corruption). This paper 
concerns the first one. 

© International Association for Cryptologic Research 2016 

J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 278-306, 2016. 
DOI: 10.1007/978-3-662-53890-6-10 


Selective-Opening Security in the Presence of Randomness Failures 279 


SOA-secure encryption in the presence of randomness failures, providing new 
definitions and constructions achieving these definitions in the public-key setting. 

There are currently three main approaches in the literature to dealing with 
randomness failures for PKE: (1) deterministic PKE [2], which does not use 
randomness at all but guarantees security only if plaintexts have high entropy, (2) 
hedged PKE, which is randomized and guarantees security as long as plaintexts 
and the randomness jointly have high entropy, and (3) the recently introduced 
notion of nonce-based PKE by Bellare and Tackmann (BT) [10], where each 
sender uses a uniform seed² in addition to a nonce, and security is guaranteed if 
either the seed is secret and the nonces are unique, or the seed is revealed and the 
nonces have high entropy. Hedged PKE and nonce-based PKE are incomparable 
and are useful in different scenarios, and part of our contribution is to unify 
them into a single primitive. We start by adding consideration of SOA security 
to nonce-based PKE. We then lift the resulting notions to the setting of hedged 
PKE (which subsumes deterministic PKE) as well, thereby adding consideration 
of SOA to a unified primitive with the guarantees of both nonce-based and 
hedged PKE. 

1.1 Our Results 

Selective-opening security for nonce-based PKE. As explained above, 
the first notion we consider for protecting against randomness failures is nonce- 
based PKE, recently introduced by Bellare and Tackmann [10]. For consistency 
with the definitions of SOA security we introduce for later notions (where new 
technical challenges arise), we formulate an indistinguishability-based (rather 
than simulation-based) definition, which we call N-SO-CPA, along the lines of the 
indistinguishability-based definition of SOA security for standard PKE [9]. Under 
our definition, the adversary can (i) learn the seeds of some senders, (ii) choose 
the nonces for all the other senders, as long as nonces of each individual sender 
do not repeat. Then, after seeing the ciphertexts, the adversary can adaptively 
corrupt some senders to learn their messages together with seeds and nonces. The 
definition asks that the adversary cannot distinguish between the plaintexts of 
the uncorrupted senders and a resampling of these plaintexts conditioned on the 
revealed plaintexts. 

The next question is whether N-SO-CPA security is achievable. Throughout 
our work, we focus on constructions in the so-called non-programmable random- 
oracle model (NPROM) [20]. Intuitively, this means that in a security proof, the 
constructed adversary must honestly answer (i.e., cannot program) the random 
oracle queries of the assumed adversary. The NPROM is arguably closer to the 
standard (random oracle devoid) model than the programmable random oracle 
model (PROM), since real-world hash functions are not programmable. In this 


² The idea is that because a seed is chosen infrequently, it can be generated using 
high-quality randomness. 
model, we give an efficient construction of N-SO-CPA-secure³ nonce-based PKE 
based on any lossy trapdoor function [21]. The idea is to modify the nonce-based 
PKE scheme of Bellare and Tackmann, which encrypts a message m using public- 
key pk , seed xk , and nonce N by encrypting m using any standard (randomized) 
PKE scheme with public key pk and “synthetic” coins derived from a hash of 
(xk,N,m). Here, we use a specific randomized encryption scheme based on any 
lossy trapdoor function. The security proof of the resulting scheme, which we call 
NE1, relies on switching to the lossy key-generation algorithm and then using the 
random oracle to argue that the adversary’s choice of which senders to corrupt 
must be independent of the plaintexts. 

SOA+hedged security for nonce-based PKE. Unlike nonce-based PKE, 
hedged PKE [3] guarantees security as long as the message and randomness used 
by the sender jointly have high entropy. Indeed, viewing the sender’s seed and 
nonce together as the sender’s randomness, nonce-based PKE as defined in [10] 
lacks such a guarantee. To get the best of both worlds, we would like to add 
such a guarantee to nonce-based PKE. This strengthens the protection provided 
against randomness failures even in the absence of SOA; however, sticking with 
the main theme of this work, we aim to achieve it in the SOA setting as well. 
This leads to a definition that we call HN-SO-CPA, which incorporates both 
hedged and SOA security into the existing notion of nonce-based PKE. 

Modeling SOA in the hedged setting is technically challenging. Indeed, 
Bellare et al. [4] recently showed that a simulation-based notion of SOA security 
for deterministic PKE (which is a special case of hedged PKE) is impossible to 
achieve. They also noted that a natural indistinguishability-based definition is 
(for different reasons) trivially impossible to achieve, and left open the problem 
of defining a meaningful (yet achievable) definition. To that end, we introduce 
a novel “comparison-based” definition of SOA for nonce-based PKE, inspired 
by the comparison-based definition of SOA for deterministic PKE [2,6] com- 
bined with the indistinguishability-based definition of SOA for standard PKE [9]. 
Roughly, the definition requires that the adversary cannot predict any function 
of all the plaintexts (i.e., including those of the uncorrupted senders) with much 
better probability than by computing the same function on a resampling of 
all the plaintexts conditioned on the revealed plaintexts. For technical reasons, 
HN-SO-CPA does not protect partial information about the messages depending 
on the public key, so we still require N-SO-CPA to hold in addition. 

We provide two approaches for achieving HN-SO-CPA + N-SO-CPA-secure 
nonce-based PKE. The first is a generic transform inspired by the “randomized- 
then-deterministic” transform of [3] in the setting of hedged security. Namely, 
we propose a “Nonce-then-Deterministic” (NtD) transform in which one obtains 
a new nonce-based PKE scheme by composing an underlying nonce-based PKE 
scheme with a deterministic PKE scheme. We require that the underlying deter- 
ministic PKE scheme meet a corresponding special case of the HN-SO-CPA def- 
inition that we call D-SO-CPA, and achieve it via a scheme DE1 in the NPROM. 

³ In the main body of the paper we treat both CPA and CCA security. For simplicity, 
we do not discuss CCA here. 
Interestingly, the scheme DE1 is exactly the recent construction of Bellare and 
Hoang [7], except that they assume the hash function is UCE-secure [8] and 
achieve standard security (not SOA). Again, the analysis is quite involved and 
deals with subtleties neither present in SOA for randomized PKE nor in prior 
work on deterministic PKE. Alternatively, we show that the scheme NE1 directly 
achieves both HN-SO-CPA and N-SO-CPA in the NPROM. 

Separation results. Finally, to justify our developing new schemes in the set- 
ting of selective-opening security in the presence of randomness failures rather 
than using existing ones, we show that the N-SO-CPA and D-SO-CPA are 
not implied by the standard notions (non-SOA) of nonce-based PKE [10] and 
D-PKE [2], respectively. Our counter-examples rely on the recent result of 
Hofheinz, Rao, and Wichs (HRW) [15] that separates IND-CCA security from 
SOA security for randomized PKE. We also show that N-SO-CPA does not imply 
HN-SO-CPA for nonce-based PKE, meaning the hedged security does strengthen 
the notion considered for nonce-based PKE in [10]. 

Open question. We leave obtaining standard-model (versus NPROM) schemes 
achieving our notions as an open question. Note that our NtD transform is in 
the standard model, so if we had standard-model instantiations of the underly- 
ing primitives we would get a standard-model HN-SO-CPA + N-SO-CPA-secure 
nonce-based PKE as well. 

1.2 Organization 

In contrast to the order in which we explained the results above, in the main 
body of the paper we first present our results on SOA security for deterministic 
PKE, then move to our results on SOA security for nonce-based PKE, and then 
finally present our results on hedged security for SOA-secure nonce-based PKE. 
This is because the results for deterministic PKE constitute the technical core 
of our work, and form a basis for the results that follow. 

2 Preliminaries 

Notation and conventions. An adversary is an algorithm or tuple of algorithms. All algorithms may be randomized and are required to be efficient unless otherwise indicated; we let PPT stand for “probabilistic, polynomial time.” For an algorithm A we denote by x ←$ A(···) the experiment that runs A on the elided inputs with uniformly random coins and assigns the output to x, and x ←$ A(···; r) to denote the same experiment, but under the coins r instead of randomly chosen ones. If A is deterministic we denote this instead by x ← A(···). We let [A(···)] denote the set of all possible outputs of A when run on the elided arguments. If S is a finite set then s ←$ S denotes choosing a uniformly random element from S and assigning it to s. We denote by Pr[P(x) : ...] the probability that some predicate P is true of x after executing the elided experiment. 

Let ℕ denote the set of all non-negative integers. For any n ∈ ℕ we denote by [n] the set {1, ..., n}. For a vector x, we denote by |x| its length (number of components) and by x[i] its i-th component. For a vector x of length n and any I ⊆ [n], we denote by x[I] the vector of length |I| such that x[I] = (x[i])_{i∈I}. For a string X, we let |X| denote its length. For any integer 1 ≤ i ≤ j ≤ |X|, we write X[i] to denote the i-th bit of X, and X[i, j] the substring from the i-th to the j-th bit (inclusive) of X. 

Public-key encryption. A public-key encryption scheme PKE with message space Msg is a tuple of algorithms (Kg, Enc, Dec). The key-generation algorithm Kg on input 1^k outputs a public key pk and secret key sk. The encryption algorithm Enc on inputs a public key pk and message m ∈ Msg(k) outputs a ciphertext c. The deterministic decryption algorithm Dec on inputs a secret key sk and ciphertext c outputs a message m or ⊥. We require that for all (pk, sk) ∈ [Kg(1^k)] and all m ∈ Msg(1^k), the probability that Dec(sk, Enc(pk, m)) = m is 1. We say PKE is deterministic if Enc is deterministic. 

Lossy trapdoor function. A lossy trapdoor function [21] with domain LDom and range LRng is a tuple of algorithms LT = (LT.IKg, LT.LKg, LT.Eval, LT.Inv) that work as follows. Algorithm LT.IKg on input a unary encoding of the security parameter 1^k outputs an “injective” evaluation key ek and matching trapdoor td. Algorithm LT.LKg on input 1^k outputs a “lossy” evaluation key lk. Algorithm LT.Eval on inputs an (either injective or lossy) evaluation key ek and x ∈ LDom(k) outputs y ∈ LRng(k). Algorithm LT.Inv on inputs a trapdoor td and a y' ∈ LRng(k) outputs x' ∈ LDom(k). We require the following properties. 

Correctness: For all k ∈ ℕ and any (ek, td) ∈ [LT.IKg(1^k)], it holds that LT.Inv(td, LT.Eval(ek, x)) = x for every x ∈ LDom(k). 

Key indistinguishability: For every distinguisher D, the advantage 

$$\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},D}(k) = \Pr\big[D(ek) \Rightarrow 1 : (ek, td) \xleftarrow{\$} \mathrm{LT.IKg}(1^k)\big] - \Pr\big[D(lk) \Rightarrow 1 : lk \xleftarrow{\$} \mathrm{LT.LKg}(1^k)\big]$$

is negligible. 

Lossiness: The size of the co-domain of LT.Eval(lk, ·) is at most |LRng(k)|/2^{τ(k)} for all k ∈ ℕ and all lk ∈ [LT.LKg(1^k)]. We call τ the lossiness of LT. 

If the function LT.Eval(ek, ·) is a permutation for any k ∈ ℕ and any (ek, td) ∈ [LT.IKg(1^k)] then we call LT a lossy trapdoor permutation. Both RSA and Rabin are lossy trapdoor permutations under appropriate assumptions [19,22]. 

Message samplers. A message sampler ℳ is a PPT algorithm that takes as input 1^k and a string param ∈ {0,1}*, and outputs a vector m of messages and a vector a of the same length. Each a[i] is the auxiliary information that an adversary gains in addition to m[i], if it breaks into the machine of the sender of m[i]. For example, if each m[i] is a signature of some string x[i], then the adversary may be able to obtain even x[i] in its break-in. We require that ℳ be associated with functions v(·) and n(·) such that for any param ∈ {0,1}*, for any k ∈ ℕ, and any m ∈ [ℳ(1^k, param)], we have |m| = v(k) and |m[i]| = n(k), for every i ≤ |m|. 

A message sampler ℳ is (μ, d)-entropic if 

- For any k ∈ ℕ, any I ⊆ {1, ..., v(k)} such that |I| ≤ d, any param ∈ {0,1}*, and (m, a) ←$ ℳ(1^k, param), conditioning on messages m[I] and their auxiliary information a[I] and param, each other message m[j] (with j ∈ {1, ..., v(k)} \ I) must have conditional min-entropy at least μ. Note that here (m, a) is sampled independent of the set I. 

- Messages m[1], ..., m[|m|] must be distinct, for any param ∈ {0,1}* and any m ∈ [ℳ(1^k, param)]. 

In this definition d can be ∞, which corresponds to a message sampler in which the conditional distribution of each message, given param and all other messages and their corresponding auxiliary information, has at least μ bits of min-entropy. 

Resampling. Following [9], let Coins[k] be the set of coins for ℳ(1^k, ·), and Coins[k, m*, a*, I, param] = {ω ∈ Coins[k] | m'[I] = m* and a'[I] = a*, where (m', a') ← ℳ(1^k, param; ω)}. Let Resamp_ℳ(1^k, I, m*, a*, param) be the algorithm that first samples r ←$ Coins[k, m*, a*, I, param], then runs (m', a') ← ℳ(1^k, param; r), and then returns m'. (Note that Resamp_ℳ may run in exponential time.) A resampling algorithm of ℳ is an algorithm Rsmp such that Rsmp(1^k, I, m*, a*, param) and Resamp_ℳ(1^k, I, m*, a*, param) are identically distributed.⁴ A message sampler ℳ is fully resamplable if it admits a PPT resampling algorithm. 

Partial resampling. We also introduce a new notion of “partial resampling.” Let δ be a function and let Resamp_{ℳ,δ}(1^k, I, m*, a*, param) be the algorithm that samples r ←$ Coins[k, m*, a*, I, param], runs (m', a') ← ℳ(1^k, param; r), and then returns δ(m', param). We say that ℳ is δ-partially resamplable if there is a PT algorithm Rsmp such that Rsmp(1^k, I, m*, a*, param) is identically distributed as Resamp_{ℳ,δ}(1^k, I, m*, a*, param). Such an algorithm Rsmp is called a δ-partial resampling algorithm of ℳ. If a message sampler is already fully resamplable then it’s δ-partially resamplable for any PT function δ. 

3 Selective-Opening Security for D-PKE 

3.1 Security Notions 

Bellare, Dowsley, and Keelveedhi [4] were the first to consider selective-opening 
security of deterministic PKE (D-PKE). They propose a “simulation-based” 
semantic security notion, but then show that this definition is unachievable 
in both the standard model and the non-programmable random-oracle model 
(NPROM), even if the messages are uniform and independent. To address this, 
we introduce an alternative, “comparison-based” semantic-security notion that 
generalizes the original PRIV definition for D-PKE of Bellare, Boldyreva, and 
O’Neill [2]. In particular, our notion follows the IND-SO-CPA notion of Bellare, Hofheinz, and Yilek (BHY) [9] in the sense that we compare what partial information the adversary learns from the unopened messages, versus messages resampled from the same conditional distribution. 

⁴ Here for simplicity, we only consider ℳ and Rsmp such that the distributions of Rsmp(1^k, I, m*, a*, param) and Resamp_ℳ(1^k, I, m*, a*, param) are identical. Following [9], one might also consider ℳ and Rsmp such that the two distributions above are statistically close. 

284 V.T. Hoang et al. 


D-SO-CPA1 security. Let DE = (Kg, Enc, Dec) be a D-PKE scheme. To a message sampler ℳ and an adversary A = (A.pg, A.cor, A.g, A.f), we associate the experiment in Fig. 1 for every k ∈ ℕ. We say that DE is D-SO-CPA1 secure for a class 𝓜 of resamplable message samplers and a class 𝒜 of adversaries if for every ℳ ∈ 𝓜 and any A ∈ 𝒜 

$$\mathrm{Adv}^{\text{d-so-cpa1}}_{\mathrm{DE},A,\mathcal{M}}(\cdot) = \Pr\big[\text{D-CPA1-REAL}^{A,\mathcal{M}}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big] - \Pr\big[\text{D-CPA1-IDEAL}^{A,\mathcal{M}}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big]$$

is negligible. In these games, the adversary A.pg first creates some parameter param to feed the message sampler ℳ. Note that A.pg is not given the public key, and thus messages m₁ created by ℳ are independent of the public key, a necessary restriction of D-PKE pointed out by Bellare et al. [2]. Next, adversary A.cor will be given both the public key and the ciphertexts c, and decides which set I of indices that it’d like to open c[I]. It then passes its state to adversary A.g. The latter is also given m₁[I] and a[I] and has to output some partial information ω of the message vector m₁. 

Game D-CPA1-REAL^{A,ℳ}_{DE} returns 1 if the string ω above matches the output of A.f(m₁, param), which is the partial information of interest to the adversary. On the other hand, game D-CPA1-IDEAL^{A,ℳ}_{DE} returns 1 if ω matches the output of A.f(m₀, param), where m₀ is the message vector resampled by Resamp_ℳ(1^k, m₁[I], a[I], I, param). Note that in both games, A.f is not given the public key pk, otherwise it can encrypt the messages it receives and output the resulting ciphertexts, while A.g outputs c. Again, this issue is pointed out in [2]: since encryption is deterministic, the ciphertexts themselves are some partial information about the messages. D-PKE can only hope to protect partial information of m that is independent of pk, and A.f is therefore stripped of access to pk. 


Discussion. For selective-opening attacks against a D-PKE scheme in which an adversary can open d messages, it is clear that the message sampler must be (μ, d)-entropic, where 2^{−μ} is a negligible function, for any meaningful privacy to be achievable. For convenience of discussion, let’s say that a scheme is D-SO-CPA1[d] secure if it’s D-SO-CPA1 secure for all (μ, d)-entropic, fully resamplable message samplers and all PT adversaries that open at most d ciphertexts, for any μ such that 2^{−μ} is a negligible function. (The resamplability restriction is dropped for d = 0.) The D-SO-CPA1[0] security corresponds to the PRIV notion of Bellare et al. [2].⁵ 

We note that it is unclear if D-SO-CPA1[∞] security implies the classic PRIV security: the latter doesn’t allow opening, but it can handle a broader class of message samplers. Our goal is to find D-PKE schemes that offer D-SO-CPA1[d] security for any value of d, including the important special cases d = 0 (PRIV security) and d = ∞ (unbounded opening). 

⁵ A technical difference is that, to be consistent with [4], we require the “partial information” to be an efficiently computable function of the messages. This formulation can be shown equivalent to a definition in the style of [2] up to a difference of one in the size of the message vectors output by ℳ, following [6, Appendix A]. 

Game D-CPA1-REAL^{A,ℳ}_{DE}(k) 
  param ←$ A.pg(1^k) 
  (pk, sk) ←$ Kg(1^k) 
  (m₁, a) ←$ ℳ(1^k, param) 
  For i = 1 to |m₁| do c[i] ← Enc(pk, m₁[i]) 
  (state, I) ←$ A.cor(pk, c, param) 
  ω ←$ A.g(state, m₁[I], a[I]) 
  Return (ω = A.f(m₁, param)) 

Game D-CPA1-IDEAL^{A,ℳ}_{DE}(k) 
  param ←$ A.pg(1^k) ; (pk, sk) ←$ Kg(1^k) 
  (m₁, a) ←$ ℳ(1^k, param) 
  For i = 1 to |m₁| do c[i] ← Enc(pk, m₁[i]) 
  (state, I) ←$ A.cor(pk, c, param) 
  m₀ ←$ Resamp_ℳ(1^k, m₁[I], a[I], I, param) 
  ω ←$ A.g(state, m₁[I], a[I]) 
  Return (ω = A.f(m₀, param)) 

Fig. 1. Games to define D-SO-CPA1 security. 

Separation. In the full version, we show that the standard PRIV notion of D-PKE doesn’t imply D-SO-CPA1. Our construction relies on the recent result of Hofheinz, Rao, and Wichs [15] that separates the standard IND-CPA notion and IND-SO-CPA of randomized PKE. Specifically, we build a contrived D-PKE scheme that is PRIV-secure in the standard model, but subject to the following D-SO-CPA1 attack. The message sampler picks a string s ←$ {0,1}^{ℓ(k)} and then secret-shares it into v(k) shares x[1], ..., x[v(k)] such that any t(k) shares reveal no information about the secret s. Let m[i] ← x[i] ‖ u[i] for every i ∈ {1, ..., v(k)}, where u[i] ←$ {0,1}^{2ℓ(k)}. Since s is uniform, any t + 1 shares x[i] are uniform and independent. Thus, this message sampler is (3ℓ, ℓ)-entropic. We show that it is also efficiently resamplable. Surprisingly, there is an efficient SOA adversary (A.cor, A.g) that opens just t ciphertexts and can recover all strings x[i]. Next, A.g outputs x[1] ⊕ ··· ⊕ x[v(k)], and A.f outputs the checksum of the first ℓ bits of the given messages. The adversary A thus wins with advantage 1 − 2^{−ℓ(k)}. 

D-SO-CPA2 security. The D-SO-CPA1 security notion only guarantees to protect messages that are fully resamplable. The D-SO-CPA2 notion strengthens that protection, requiring privacy of δ(m, param) for any entropic message sampler ℳ and any δ such that ℳ is δ-partially resamplable. In Sect. 5, we’ll see a concrete use of this extra protection, where (i) we have a sampler ℳ that is not fully resamplable, but (ii) each message itself is a ciphertext, and there’s a function δ such that the plaintexts underneath m are δ(m, param) and ℳ is δ-partially resamplable. Formally, let 

$$\mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE},A,\mathcal{M},\delta}(\cdot) = \Pr\big[\text{D-CPA2-REAL}^{A,\mathcal{M},\delta}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big] - \Pr\big[\text{D-CPA2-IDEAL}^{A,\mathcal{M},\delta}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big]$$

where games D-CPA2-REAL^{A,ℳ,δ}_{DE} and D-CPA2-IDEAL^{A,ℳ,δ}_{DE} are defined in Fig. 2. In these games, adversary A.f is given either δ(m) in the real game, or the output of Resamp_{ℳ,δ}(1^k, m[I], a[I], I, param) in the ideal game. We say that DE is D-SO-CPA2 secure if Adv^{d-so-cpa2}_{DE,A,ℳ,δ}(·) is negligible for any (μ, d)-entropic message sampler ℳ such that 2^{−μ} is a negligible function, any PT adversary A that opens at most d ciphertexts, and any PT function δ such that ℳ is δ-partially resamplable. 

Game D-CPA2-REAL^{A,ℳ,δ}_{DE}(k) 
  param ←$ A.pg(1^k) 
  (pk, sk) ←$ Kg(1^k) 
  (m, a) ←$ ℳ(1^k, param) 
  For i = 1 to |m| do c[i] ← Enc(pk, m[i]) 
  (state, I) ←$ A.cor(pk, c, param) 
  ω ←$ A.g(state, m[I], a[I]) 
  Return (ω = A.f(δ(m), param)) 

Game D-CPA2-IDEAL^{A,ℳ,δ}_{DE}(k) 
  param ←$ A.pg(1^k) ; (pk, sk) ←$ Kg(1^k) 
  (m, a) ←$ ℳ(1^k, param) 
  For i = 1 to |m| do c[i] ← Enc(pk, m[i]) 
  (state, I) ←$ A.cor(pk, c, param) 
  z ←$ Resamp_{ℳ,δ}(1^k, m[I], a[I], I, param) 
  ω ←$ A.g(state, m[I], a[I]) 
  Return (ω = A.f(z, param)) 

Fig. 2. Games to define D-SO-CPA2 security. 

Weak equivalence. Clearly, the D-SO-CPA2 notion implies D-SO-CPA1: the latter is the special case of the former for fully resamplable samplers, and for a specific function δ(m, param) that simply returns m. Below, we’ll show that if we just restrict to fully resamplable samplers, the D-SO-CPA1 notion actually implies D-SO-CPA2. This is expected, because on an entropic, fully resamplable ℳ, both notions promise to protect any partial information of m that is independent of the public key. 

Proposition 1. Let ℳ be a fully resamplable sampler, and let δ be a PT function. Then for any adversary A, there is an adversary B such that 

$$\mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE},A,\mathcal{M},\delta}(\cdot) \le \mathrm{Adv}^{\text{d-so-cpa1}}_{\mathrm{DE},B,\mathcal{M}}(\cdot).$$

The adversary B opens as many ciphertexts as A, and its running time is about that of A plus the time to run δ. 

Proof. Let B be the adversary that is identical to A, but B.f behaves as follows. When it’s given a vector m and parameter param, it’ll run z ← δ(m, param) and then output A.f(z, param). Then Adv^{d-so-cpa1}_{DE,B,ℳ}(·) = Adv^{d-so-cpa2}_{DE,A,ℳ,δ}(·). □ 

In the remainder of the paper, we’ll have 6 other notions. Any notion xxx considers an arbitrary message sampler ℳ with a function δ such that ℳ is δ-partially resamplable. One can consider a variant xxx1 of xxx, in which the message sampler is fully resamplable and only the specific function δ(m, param) = m is considered, and then establish a weak equivalence between xxx1 and xxx. However, it will lead to a proliferation of 12 definitions. We therefore choose to present just the stronger notion xxx. 
DE.Kg(1^k) 
  (ek, td) ←$ LT.IKg(1^k) 
  hk ←$ {0,1}^k 
  Return ((hk, ek), (hk, td)) 

DE.Enc(pk, m) 
  (hk, ek) ← pk 
  r ← H(hk ‖ 0 ‖ m, LT.il(k)) 
  trap ← LT.Eval(ek, r) 
  y ← H(hk ‖ 1 ‖ r, |m|) ⊕ m 
  Return (trap, y) 

DE.Dec(sk, c) 
  (hk, td) ← sk 
  (trap, y) ← c 
  r ← LT.Inv(td, trap) 
  Return H(hk ‖ 1 ‖ r, |y|) ⊕ y 

Fig. 3. D-PKE scheme DE1[H, LT]. 


CCA extension. To add a CCA flavor to D-SO-CPA2, a notion which we call D-SO-CCA, one would allow adversaries A.cor and A.g oracle access to Dec(sk, ·) with the restriction that they are forbidden from querying a ciphertext in the given c to this oracle. Let D-CCA-REAL and D-CCA-IDEAL be the corresponding experiments, and define 

$$\mathrm{Adv}^{\text{d-so-cca}}_{\mathrm{DE},A,\mathcal{M},\delta}(\cdot) = \Pr\big[\text{D-CCA-REAL}^{A,\mathcal{M},\delta}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big] - \Pr\big[\text{D-CCA-IDEAL}^{A,\mathcal{M},\delta}_{\mathrm{DE}}(\cdot) \Rightarrow 1\big].$$

We say that DE is D-SO-CCA secure if Adv^{d-so-cca}_{DE,A,ℳ,δ}(·) is negligible for any (μ, d)-entropic message sampler ℳ such that 2^{−μ} is a negligible function, any PT adversary A that opens at most d ciphertexts, and any PT function δ such that ℳ is δ-partially resamplable. 


3.2 Achieving D-SO-CPA2 Security 

While the simulation-based definition of Bellare et al. [4] is impossible to achieve 
even in the non-programmable random-oracle model (NPROM), we show that it 
is possible to build a D-SO-CPA2 secure scheme in the NPROM. A close variant 
of our scheme is shown to be PRIV-secure in the standard model [7]. Our scheme 
can handle messages of any length, and is highly efficient: the asymmetric cost is 
fixed and thus the amortized cost is about as cheap as a symmetric encryption. 
It’s also highly practical on short messages. The only public-key primitive that 
it uses is a lossy trapdoor function [21], which has practical instantiations, e.g., 
both Rabin and RSA are lossy [19,22]. 

Achieving D-SO-CPA2 security. To handle arbitrary-length messages, we use a hash function H of arbitrary input and output length. On input (x, ℓ) ∈ {0,1}* × ℕ, the hash returns y = H(x, ℓ) ∈ {0,1}^ℓ. Our scheme DE1[H, LT] is shown in Fig. 3, where LT is a lossy trapdoor function with domain {0,1}^{LT.il(k)}. Theorem 2 below shows that DE1 is D-SO-CPA2 secure in the NPROM. The proof is in the full version. We stress that for (μ, ∞)-entropic message samplers, our scheme allows the adversary to open as many ciphertexts as it wishes. 
Theorem 2. Let LT be a lossy trapdoor function with lossiness τ. Let ℳ be a (μ, d)-entropic message sampler, and let δ be a function such that ℳ is δ-partially resamplable. Let DE1[H, LT] be as above. In the NPROM, for any adversary A opening at most d ciphertexts, there is an adversary D such that 

$$\mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE1}[H,\mathrm{LT}],A,\mathcal{M},\delta}(k) \le \frac{4q(k)}{2^{k}} + \frac{4q(k)v(k)}{2^{\mu(k)}} + \frac{v(k)\,(v(k)+4q(k))}{2^{\tau(k)}} + 2\,\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},D}(k),$$

where q(k) is the total number of random-oracle queries of A and ℳ, and v(k) is the number of messages that ℳ produces. The running time of D is about that of A plus the time to run δ and an efficient δ-partial resampling algorithm of ℳ plus the time to run DE1[H, LT] to encrypt ℳ’s messages. Adversary D makes at most q random-oracle queries. 


Proof ideas. Let RO₁, RO₂, RO₃, and RO₄ denote the oracle interface of (A.pg, ℳ), A.cor, A.g, and A.f respectively. Initially, each interface simply calls RO. In game-based proofs of ROM-based D-PKE constructions, one often considers the event that A.pg or ℳ queries (hk ‖ x, ℓ) to RO₁, and then lets the interface lie, instead of calling RO(hk ‖ x, ℓ). This allows the coins r[i] ← RO(hk ‖ 0 ‖ m[i], LT.il(k)) to be independent of the messages m. The discrepancy due to the lying is tiny, since the chance that A.pg or ℳ can make such a query is at most q(k)/2^k. However, in the SOA setting, this strategy creates the following subtlety. For the resampling algorithm to behave correctly, one has to give it access to RO₁. Yet the adversary A.cor can embed some information of hk in I, and therefore it’s well possible that the resampling algorithm queries RO₁(hk ‖ ·, ·). This issue is unique to SOA security of D-PKE: prior papers of SOA security for randomized PKE never have to deal with this. While getting around the subtlety above is not too difficult, it shows that a rigorous proof for Theorem 2 is not as simple as one might expect. 

Suppose that A.pg and ℳ never query RO₁(hk ‖ ·, ·). The first step in the proof is to move from an injective key ek of LT to a lossy key lk. Next, recall that the adversary A.cor is given LT.Eval(lk, r[i]). Since each synthetic coin r[i] is uniformly random and LT has lossiness τ, in the view of A.cor, each r[i] has min-entropy at least τ(k). Suppose that A.cor doesn’t make any query in {hk ‖ 0 ‖ m[i], hk ‖ 1 ‖ r[i] | 1 ≤ i ≤ |m|}; this happens with probability at least 1 − q(k)v(k)/2^{μ(k)} − q(k)v(k)/2^{τ(k)}. Then A.cor knows nothing about m, and thus I is conditionally independent of m, given param. Hence in the view of A.g, each m[i] (for i ∉ I) still has min-entropy μ, and thus the chance that A.g can make a query in {hk ‖ 0 ‖ m[i] | i ∉ I} is at most v(k)q(k)/2^{μ(k)}. 

The core of the proof is to bound the probability that the adversary A.g can make a query in {hk ‖ 1 ‖ r[i] | i ∉ I}. Let X_i be the random variable for the number of pre-images of LT.Eval(lk, r[i]). Although in the view of A.cor, the average conditional min-entropy of each r[i] is τ(k), the same claim may not hold in the view of A.g. For example, the adversary A.cor may choose to open all but the ciphertext of m[j], where j is chosen so that X_j = min{X_1, ..., X_{v(k)}}: while E(1/X_i) ≤ 2^{−τ(k)} for each fixed i ∈ {1, ..., v(k)}, the same bound doesn’t work for E(1/min{X_1, ..., X_{v(k)}}). To get around this, note that the chance that A.g can make a query in {hk ‖ 1 ‖ r[i] | i ∉ I} is at most 

$$q(k)\cdot \mathbf{E}\Big(\sum_{i\notin I}\frac{1}{X_i}\Big) \;\le\; q(k)\cdot \mathbf{E}\Big(\sum_{i=1}^{v(k)}\frac{1}{X_i}\Big) \;=\; q(k)\cdot \sum_{i=1}^{v(k)} \mathbf{E}\Big(\frac{1}{X_i}\Big) \;\le\; \frac{q(k)\,v(k)}{2^{\tau(k)}}.$$

Finally, if I is conditionally independent of m given param, then the re-sampled string z is identically distributed as δ(m, param), even conditioning on hk, I, and param.⁶ Hence A.f can query RO₄(hk ‖ ·, ·) with probability at most q(k)/2^k. If all bad events above don’t happen then (i) in the joint view of A.g and A.f, the strings δ(m, param) and z are identically distributed, and (ii) the output of A.f will be conditionally independent of the ciphertexts and the public key, given param. This means the d-so-cpa2 advantage of A is 0. 
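The resampling definition of Section 2 and the counterexample in footnote 6 can be checked exactly on a tiny sampler. The Python below is an added example, not code from the paper: it computes Resamp_ℳ by enumerating the sampler's coin space and reproduces the footnote's 3/8 versus 1/4 gap when the opened set I is correlated with m, against a zero gap when I is chosen independently. The enumeration, the total-variation helper, 0-based indexing, and the empty param and auxiliary information are our assumptions.

```python
"""
Added example, not the paper's code: the resampling algorithm Resamp_M of Section 2
computed exactly by enumerating Coins[k], applied to the two-message sampler of
footnote 6.  Indices are 0-based here, so the footnote's I = {1} / I = {2} become
(0,) / (1,).  param is empty and every a[i] is the empty string (constructed).
"""
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Sequence, Tuple

Msgs = Tuple[str, ...]
Dist = Dict[Msgs, Fraction]

# Coin space Coins[k]: two uniform bits, one per message.
COINS = list(product((0, 1), repeat=2))


def sampler(coins: Tuple[int, int]) -> Tuple[Msgs, Msgs]:
    """Footnote-6 sampler M(1^k, param; coins): m1 uniform in {00,01}, m2 uniform in {10,11}."""
    b1, b2 = coins
    m = (("00", "01")[b1], ("10", "11")[b2])
    a = ("", "")  # no auxiliary information
    return m, a


def resamp(I: Sequence[int], m_star: Msgs, a_star: Msgs) -> Dist:
    """Exact output distribution of Resamp_M(1^k, I, m*, a*, param): the coins r are uniform
    over Coins[k, m*, a*, I, param], i.e. those whose output agrees with (m*, a*) on I."""
    good = [w for w in COINS
            if all(sampler(w)[0][i] == m_star[j] and sampler(w)[1][i] == a_star[j]
                   for j, i in enumerate(I))]
    dist: Dist = {}
    for w in good:
        m, _ = sampler(w)
        dist[m] = dist.get(m, Fraction(0)) + Fraction(1, len(good))
    return dist


def real_dist() -> Dist:
    """Distribution of the real message vector m."""
    dist: Dist = {}
    for w in COINS:
        m, _ = sampler(w)
        dist[m] = dist.get(m, Fraction(0)) + Fraction(1, len(COINS))
    return dist


def resampled_dist(choose_I: Callable[[Msgs], Tuple[int, ...]]) -> Dist:
    """Distribution of the resampled vector m' when the opened set is I = choose_I(m)."""
    dist: Dist = {}
    for w in COINS:
        m, a = sampler(w)
        I = choose_I(m)
        for mp, p in resamp(I, tuple(m[i] for i in I), tuple(a[i] for i in I)).items():
            dist[mp] = dist.get(mp, Fraction(0)) + p / len(COINS)
    return dist


def total_variation(d1: Dist, d2: Dist) -> Fraction:
    """Statistical distance between two distributions over message vectors."""
    keys = set(d1) | set(d2)
    return sum((abs(d1.get(x, Fraction(0)) - d2.get(x, Fraction(0))) for x in keys),
               Fraction(0)) / 2


def footnote6_gap() -> Tuple[Fraction, Fraction, Fraction]:
    """(Pr[m = (00,11)], Pr[m' = (00,11)] with I correlated to m, the same with I fixed)."""
    correlated = lambda m: (0,) if m[0] == "00" else (1,)  # I = {1} if m1 = 00, else I = {2}
    fixed = lambda m: (0,)                                  # I chosen independently of m
    target = ("00", "11")
    return (real_dist()[target],
            resampled_dist(correlated)[target],
            resampled_dist(fixed)[target])


if __name__ == "__main__":
    print("Pr[m=(00,11)], correlated-I resample, fixed-I resample:", footnote6_gap())
```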


3.3 Achieving D-SO-CCA Security 

To achieve D-SO-CCA security, we modify the DE1 construction as follows: In the decryption, once we recover the message m, we’ll re-encrypt it and return ⊥ if the resulting ciphertext doesn’t match the given one, or the hash image of the message doesn’t match the string obtained via inverting the trapdoor function. The resulting construction DE2 is shown in Fig. 4. The scheme DE = DE2[H, LT] is unique-ciphertext, as formalized by Bellare and Hoang [7]: for every k ∈ ℕ, every (pk, sk) ∈ [DE.Kg(1^k)], and every m ∈ {0,1}*, there is at most one string c such that DE.Dec(sk, c) = m. Theorem 3 below shows that DE2 is D-SO-CCA secure in the NPROM. The re-encrypting trick for lifting CPA to CCA security in the random-oracle model dates back to a paper of Fujisaki and Okamoto [13], but that work only considers randomized PKE and there’s no opening. Still, the proof ideas are quite similar. 
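As an added illustration (not code from the paper), the following Python models DE1 (Fig. 3) and DE2 (Fig. 4) side by side, with H instantiated by SHAKE256 and LT modeled by textbook RSA on constructed toy primes; it shows that DE2's re-encryption check rejects a malleated ciphertext that DE1 would happily decrypt to a different message. The toy parameters, the byte-sized domain tags, and `None` standing for ⊥ are our assumptions.

```python
"""
Added example, not the paper's code: DE1 (Fig. 3) and DE2 (Fig. 4) with
  H(x, l) := SHAKE256(x) truncated to l bits (l is a multiple of 8 here), and
  LT      := textbook RSA on two fixed, constructed toy primes (NOT secure; it
             only models an injective trapdoor permutation, LT.LKg is not needed).
The single-bit domain tags 0 and 1 of the paper are modeled as the bytes
0x00 and 0x01, and the symbol ⊥ is modeled as None.
"""
import hashlib
import os
from typing import Optional, Tuple

# Constructed toy RSA modulus: the Mersenne primes 2^61-1 and 2^89-1 (150-bit N).
P = (1 << 61) - 1
Q = (1 << 89) - 1
LT_IL = 144  # LT.il(k) in bits; 2^144 < N, so every r in {0,1}^144 lies in Z_N


def H(x: bytes, out_bits: int) -> bytes:
    """H(x, l): arbitrary-input hash with an l-bit output."""
    assert out_bits % 8 == 0
    return hashlib.shake_256(x).digest(out_bits // 8)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


# --- LT interface: LT.IKg, LT.Eval, LT.Inv ---------------------------------------
def lt_ikg() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n, e = P * Q, 65537
    d = pow(e, -1, (P - 1) * (Q - 1))
    return (n, e), (n, d)  # (ek, td)


def lt_eval(ek: Tuple[int, int], r: bytes) -> int:
    n, e = ek
    return pow(int.from_bytes(r, "big"), e, n)


def lt_inv(td: Tuple[int, int], trap: int) -> Optional[bytes]:
    """Returns the LT.il(k)-bit preimage, or None when the preimage lies outside LT's
    domain (possible only for a trap value not produced by lt_eval on a domain point)."""
    n, d = td
    x = pow(trap, d, n)
    return x.to_bytes(LT_IL // 8, "big") if x < (1 << LT_IL) else None


# --- DE.Kg and DE.Enc are shared by DE1 and DE2; DE2 also keeps ek in sk (Fig. 4). ---
def de_kg(k: int = 128):
    ek, td = lt_ikg()
    hk = os.urandom(k // 8)
    return (hk, ek), (hk, ek, td)  # (pk, sk)


def de_enc(pk, m: bytes) -> Tuple[int, bytes]:
    hk, ek = pk
    r = H(hk + b"\x00" + m, LT_IL)               # synthetic coins from the message (tag 0)
    trap = lt_eval(ek, r)
    y = xor(H(hk + b"\x01" + r, 8 * len(m)), m)  # mask derived from the coins (tag 1)
    return trap, y


def de1_dec(sk, c: Tuple[int, bytes]) -> Optional[bytes]:
    """Fig. 3: invert the trapdoor and unmask; no consistency check at all."""
    hk, _ek, td = sk
    trap, y = c
    r = lt_inv(td, trap)
    if r is None:
        return None
    return xor(H(hk + b"\x01" + r, 8 * len(y)), y)


def de2_dec(sk, c: Tuple[int, bytes]) -> Optional[bytes]:
    """Fig. 4: additionally re-derive r and trap from the recovered m; reject on mismatch."""
    hk, ek, td = sk
    trap, y = c
    r = lt_inv(td, trap)
    if r is None:
        return None
    trap2 = lt_eval(ek, r)
    m = xor(H(hk + b"\x01" + r, 8 * len(y)), y)
    r2 = H(hk + b"\x00" + m, LT_IL)
    if r2 != r or trap2 != trap:
        return None  # ⊥: this ciphertext was not produced by de_enc
    return m


def malleate(c: Tuple[int, bytes]) -> Tuple[int, bytes]:
    """Flip one bit of the masked part y, keeping trap unchanged (constructed test input)."""
    trap, y = c
    return trap, bytes([y[0] ^ 0x01]) + y[1:]


if __name__ == "__main__":
    pk, sk = de_kg()
    m = b"deterministic encryption sample"
    c = de_enc(pk, m)
    assert c == de_enc(pk, m) and de1_dec(sk, c) == m == de2_dec(sk, c)
    print("DE1 on malleated ciphertext:", de1_dec(sk, malleate(c)))  # a different plaintext
    print("DE2 on malleated ciphertext:", de2_dec(sk, malleate(c)))  # None, i.e. ⊥
```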


Theorem 3. Let LT be a lossy trapdoor function with lossiness r. Let At be a 
(p, d)-entropic message sampler and let S be a function such that At is ^-partially 
resamplable. Let DE2[iL, LT] be as above. In the NPROM, for any adversary A 
opening at most d ciphertexts, there is an adversary D such that 


Adv 


d-so-cca 

DE2[H,LT],A,M,5 


(*)< 


2 \p(k) 10 q(k) 4 q(k)v(k) 

2 LT.ii(fc) 4 2 * 1 2m(*0 

v(k)(v(k) + 8 q(k)) 


+ 


2 T (0 


2Adv 


ltdf 

LT.D 


(fc). 


where p(k) is the number of decryption-oracle queries of A , q(k) is the total 
number of random-oracle queries of A and M, and v(k) is the number of messages 

6 Even for the simple case that At is fully resamplable and outputs empty auxiliary 
information, and £(m, param) = m, note that if I is correlated to m then m and the 
re-sampled m / may have completely different distributions. For example, consider 
At that outputs (mi, m 2 ), with m± {00,01} and m 2 $ {10, 11}. Since mi and 
m 2 are independent, At is fully resamplable. Let I = {1} if mi = 00, and I = {2} 
otherwise. Then P^m' = (00, 11)] = 3/8, whereas Pr[m as (00, 11)] — 1/4. 
DE.Kg(1^k)
(ek, td) ←$ LT.IKg(1^k) ; hk ←$ {0,1}^k
pk ← (hk, ek) ; sk ← (hk, ek, td)
Return (pk, sk)

DE.Enc(pk, m)
(hk, ek) ← pk
r ← H(hk ‖ 0 ‖ m, LT.il(k))
trap ← LT.Eval(ek, r)
y ← H(hk ‖ 1 ‖ r, |m|) ⊕ m
Return (trap, y)

DE.Dec(sk, c)
(hk, ek, td) ← sk ; (trap, y) ← c
r ← LT.Inv(td, trap)
trap' ← LT.Eval(ek, r)
m ← H(hk ‖ 1 ‖ r, |y|) ⊕ y
r' ← H(hk ‖ 0 ‖ m, LT.il(k))
If r' ≠ r or trap' ≠ trap then Return ⊥
Return m

Fig. 4. D-PKE scheme DE = DE2[H, LT]. If LT is a lossy trapdoor permutation then
in the decryption algorithm, the computation of trap' and the check trap' ≠ trap can
be omitted.


that M produces. The running time of D is about that of A plus the time to
run S and an efficient S-partial resampling algorithm of M, plus the time to
run DE2[H, LT] to encrypt M's messages and decrypt A's decryption queries.
Adversary D makes at most 2q random-oracle queries.

Proof. Let Rsmp be an efficient S-partial resampling algorithm for M. Consider
games G1 and G2 in Fig. 5. Then

\[
\mathrm{Adv}^{\text{d-so-cca}}_{\mathrm{DE2}[H,\mathrm{LT}],A,\mathcal{M},S}(\cdot) = 2\Pr[G_1(\cdot) \Rightarrow 1] - 1 .
\]

Game G2 is identical to game G1, except for the following. In procedure Dec(c),
instead of using the decryption of DE2 to decrypt c, we maintain the set Dom
of the suffixes of random-oracle queries (x, ℓ) that A.cor and A.g make such
that x[1, k+1] = hk ‖ 0 and ℓ = LT.il(k). If there's m ∈ Dom such that the
corresponding ciphertext of m is c then we return m; otherwise return ⊥. Wlog,
assume that A.cor stores all random-oracle queries/answers in its state; that
is, both A.cor and A.g also can track Dom and implement the Dec procedure
of game G2 on their own, without calling the decryption oracle.^7 Let Range =
{DE2.Enc(pk, m) | m ∈ Dom}. On a query c ∈ Range, the procedures Dec of
both games have the same behavior, due to the correctness of the decryption
of DE2. Wlog, assume that both A.cor and A.g never query c ∈ Range to the
decryption oracle. (Adversaries A.cor and A.g are thus assumed to maintain the
corresponding ciphertexts of messages in Dom. But this needs additional queries
to the random oracle, so the total number of random-oracle queries of these two adversaries
is now at most 2q.)

7 This assumption crucially relies on our use of domain separation in hashing the
coins r and the messages m: we employ H(hk ‖ 0 ‖ ·, ·) for m, but H(hk ‖ 1 ‖ ·, ·)
for r. In contrast, BH's variant [7] doesn't use domain separation, and one can't
make this assumption anymore: building the corresponding ciphertexts may create
additional queries to H(hk ‖ 0 ‖ ·, LT.il(k)), leading to a possible exponential blowup
in the number of random-oracle queries.
Games G1(k), G2(k)

param ←$ A.pg^RO(1^k) ; (m, a) ←$ M^RO(1^k, param) ; z1 ← S(m, param)
hk ←$ {0,1}^k ; (ek, td) ←$ LT.IKg(1^k)
For i = 1 to |m| do
  r[i] ← RO(hk ‖ 0 ‖ m[i], LT.il(k)) ; trap ← LT.Eval(ek, r[i])
  y ← RO(hk ‖ 1 ‖ r[i], |m[i]|) ⊕ m[i] ; c[i] ← (trap, y)
Dom ← ∅ ; (state, I) ←$ A.cor^{Dec,ROSim}((hk, ek), c, param)
ω ←$ A.g^{Dec,ROSim}(state, m[I], a[I])
z0 ←$ Rsmp^RO(1^k, m[I], a[I], I, param) ; b ←$ {0,1} ; t ←$ A.f^RO(z_b, param)
If (ω = t) then return b else return 1 − b

Procedure ROSim(x, ℓ)
If |x| > k + 1 and x[1, k+1] = hk ‖ 0 then Dom ← Dom ∪ {x[k+2, |x|]}
Return RO(x, ℓ)

Procedure Dec(c)                // of game G1
sk ← (hk, ek, td)
m ← DE2[H, LT].Dec(sk, c)
Return m

Procedure Dec(c)                // of game G2
For m ∈ Dom do
  If c = DE2[H, LT].Enc(pk, m) then Return m
Return ⊥

Fig. 5. Games G1 and G2 of the proof of Theorem 3. Their procedures Dec are
the last two panels, for G1 and G2 respectively.


Assume that A.pg and M never make a random-oracle query (x, ℓ) such that
the k-bit prefix of x is hk. This happens with probability at least 1 − q(k)/2^k. The
adversaries can distinguish the games if and only if they can trigger Dec of game
G1 to produce non-⊥ output. Let c = (trap, y) be a decryption-oracle query. Let
r ← LT.Inv(td, trap) and m ← RO(hk ‖ 1 ‖ r, |y|) ⊕ y. Due to the unique-ciphertext
property of DE2, if this can trigger the Dec procedure of game G1 to return a
non-⊥ answer, we must have m ∉ {m[1], ..., m[|m|]} ∪ Dom. Then there is no
prior random-oracle query (x, LT.il(k)) such that x = hk ‖ 0 ‖ m. Hence procedure
Dec of game G1 will return a non-⊥ answer only if r = RO(hk ‖ 0 ‖ m, LT.il(k)),
which happens with probability 2^{−LT.il(k)}. Multiplying for p(k) decryption-oracle
queries,

\[
\Pr[G_1(k) \Rightarrow 1] - \Pr[G_2(k) \Rightarrow 1] \le \frac{q(k)}{2^{k}} + \frac{p(k)}{2^{\mathrm{LT.il}(k)}} .
\]

Now in game G2, the decryption oracle always returns ⊥, and thus wlog, assume
that the adversaries never make a decryption query, meaning that they only
launch a D-SO-CPA2 attack. Hence

\[
2\Pr[G_2(\cdot) \Rightarrow 1] - 1 = \mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE2}[H,\mathrm{LT}],A,\mathcal{M},S}(\cdot) .
\]

But DE2 and DE1 only differ in the decryption algorithms, which doesn't affect
the D-SO-CPA security. Hence from Theorem 2, we can construct a distinguisher
D of the claimed running time such that

\[
\mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE2}[H,\mathrm{LT}],A,\mathcal{M},S}(k) \le
\frac{8\,q(k)}{2^{k}} + \frac{4\,q(k)v(k)}{2^{\mu(k)}} + \frac{v(k)\,(v(k)+8q(k))}{2^{\tau(k)}}
+ 2\,\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},D}(k) .
\]

(Note that the bound above is for adversaries who make at most 2q random-oracle
queries.) Summing up, and recalling that the game-hopping loss is doubled because
the advantage is 2Pr[G1(k) ⇒ 1] − 1 ≤ 2Pr[G2(k) ⇒ 1] − 1 + 2q(k)/2^k + 2p(k)/2^{LT.il(k)},

\[
\mathrm{Adv}^{\text{d-so-cca}}_{\mathrm{DE2}[H,\mathrm{LT}],A,\mathcal{M},S}(k) \le
\frac{2p(k)}{2^{\mathrm{LT.il}(k)}} + \frac{10\,q(k)}{2^{k}} + \frac{4\,q(k)v(k)}{2^{\mu(k)}}
+ \frac{v(k)\,(v(k) + 8q(k))}{2^{\tau(k)}} + 2\,\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},D}(k) .
\]

□


4 Selective-Opening Security for Nonce-Based PKE 

Recall that D-PKE protects only unpredictable messages, but in practice, messages
often have very limited entropy [12]. Hedged PKE tries to improve this
situation by adding the unpredictability of the coins. However, the coins generated
by Dual EC are completely determined by Big Brother, and those by the buggy
Debian RNG have only about 15 bits of min-entropy. In a recent work, Bellare
and Tackmann (BT) [10] propose the notion of nonce-based PKE to address this
limitation, supporting arbitrary messages. In this section, we extend the notion
of nonce-based PKE to the SOA setting, and then show how to achieve it.


4.1 Security Notions 

Nonce generators. A nonce generator NG with nonce space 𝒩 is an algorithm
that takes as input the unary encoding 1^k of the security parameter, a current
state St, and a nonce selector σ. It then probabilistically produces a nonce
N ∈ 𝒩 together with an updated state St. That is, (N, St) ←$ NG(1^k, St, σ). A
good nonce generator needs to satisfy the following properties: (i) nonces should
never repeat, and (ii) each nonce is unpredictable, even if all nonce selectors are
adversarially chosen. Formally, let Adv^{rp}_{NG,A}(k) = Pr[RP^A_NG(k)], where game RP
is defined in Fig. 6. We say that NG is RP-secure if for any PT adversary A,
Adv^{rp}_{NG,A}(·) is a negligible function.

Nonce-based PKE. A nonce-based PKE with nonce space 𝒩 is a tuple
NE = (NE.Kg, NE.Sg, NE.Enc, NE.Dec). The key generator NE.Kg(1^k) generates
a public key pk and an associated secret key sk. The seed generator NE.Sg(1^k)
produces a sender seed xk. The encryption algorithm NE.Enc takes as input a
public key pk, a sender seed xk, a nonce N ∈ 𝒩, and a message m, and then
deterministically returns a ciphertext c. The decryption algorithm NE.Dec(sk, ·)
plays the same role as in traditional randomized PKE; it's not given the nonce
or the sender seed.

Nonce-based PKE can be viewed as a way to harden the randomness at the 
sender side; the receiver is oblivious to this change. Security of nonce-based PKE 
Game RP^A_NG(k)
St ← ε ; coll ← false ; Dom ← ∅
N ←$ A^Gen(1^k)
Return (N ∈ Dom) ∨ coll

Procedure Gen(σ)
(N, St) ←$ NG(1^k, St, σ)
If N ∈ Dom then coll ← true
Dom ← Dom ∪ {N}

Fig. 6. Game to define security of a nonce generator NG. The adversary chooses the
selectors but is not shown the generated nonces; it wins by outputting a nonce that
was generated, or if two generated nonces collide.


should hold when either (i) the seed xk is secret and the nonces are unique, or
(ii) the seed is leaked to the adversary, but the nonces are unpredictable to the
adversary.^8

Discussion. To formalize security of nonce-based PKE, BT define two notions, 
NBP1 and NBP2. Both notions are in the single-sender setting and use nonces 
generated from a nonce generator NG. The former notion considers the situation 
when the seed xk is secret, and there’s no security requirement from NG, except 
the uniqueness of nonces. The latter notion considers the case when the seed xk is 
given to the adversary; now nonces generated from NG have to satisfy RP security. 

When we bring the SOA extension to nonce-based PKE below, there will be many
changes. First, since there are multiple senders and only some of them can keep
their seeds secret, one has to merge the SOA variants of NBP1 and NBP2 into a
single definition. Next, because the adversary learns the seeds of some senders,
the nonce generator NG must be RP-secure. If we let senders whose seeds are
secret use unpredictable nonces from NG then our notion will fail to model the
possibility that the adversary can corrupt the nonce generator. Therefore, in
our notion, for senders whose seeds are secret, we'll let the adversary specify
their nonces. We require the adversary to be nonce-respecting, meaning that the
nonces of every single sender must be distinct.
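The distinction just drawn (uniqueness is enough while seeds stay secret, RP security is needed once seeds leak) in runnable form, as an added example that is not part of the paper: three toy nonce generators with the interface (N, St) ←$ NG(1^k, St, σ) are run through a Python version of game RP of Fig. 6, in which the adversary chooses selectors but is not shown the nonces. The counter generator, the 15-bit generator (the Debian-RNG failure recalled at the start of this section), HMAC-SHA256 as the PRF and both adversaries are assumptions of this example.

```python
import hashlib
import hmac
import os

K = 128  # nonce length in bits (toy security parameter)

# Three nonce generators with the interface (N, St) <- NG(1^k, St, sigma).
# The state St is kept by the caller (the game); sigma is the adversary's
# selector. All three generators are assumptions made for this example.

def ng_counter(st, sigma: bytes):
    """Counter nonces: never repeat (enough for NBP1, where the seed is secret)
    but trivially predictable, so not RP-secure."""
    ctr = 0 if st is None else st
    return ctr.to_bytes(K // 8, "big"), ctr + 1

def ng_low_entropy(st, sigma: bytes):
    """Stateless nonce with only 15 bits of min-entropy (the Debian-RNG failure
    recalled in Sect. 4): hard to guess in one shot, but it repeats."""
    N = int.from_bytes(os.urandom(2), "big") & 0x7FFF
    return N.to_bytes(K // 8, "big"), st

def ng_prf(st, sigma: bytes):
    """Keyed counter: N = PRF(key, ctr || sigma), key drawn at first use and
    kept in St (HMAC-SHA256 stands in for the PRF). Unique and unpredictable."""
    key, ctr = (os.urandom(K // 8), 0) if st is None else st
    N = hmac.new(key, ctr.to_bytes(8, "big") + sigma, hashlib.sha256).digest()
    return N[: K // 8], (key, ctr + 1)

def rp_game(ng, adversary) -> bool:
    """Game RP^A_NG of Fig. 6. A calls Gen(sigma) with selectors of its choice
    but is not shown the nonces; at the end it outputs a guess N. A wins if N
    was generated, or if two generated nonces collided."""
    st, dom, coll = None, set(), False

    def gen(sigma: bytes) -> None:
        nonlocal st, coll
        N, st = ng(st, sigma)
        if N in dom:
            coll = True
        dom.add(N)

    guess = adversary(gen)
    return guess in dom or coll

def adv_predict(gen) -> bytes:
    """Requests three nonces, then bets that one of them was the counter
    value 1: certain against ng_counter, hopeless against ng_prf."""
    for _ in range(3):
        gen(b"sel")
    return (1).to_bytes(K // 8, "big")

def adv_birthday(gen, n: int = 2000) -> bytes:
    """Never really guesses; just requests n nonces and waits for a collision
    (n^2 / 2 / 2^15 ~ 61 expected repeats against ng_low_entropy)."""
    for i in range(n):
        gen(i.to_bytes(4, "big"))
    return b"\xff" * (K // 8)

def scoreboard() -> dict:
    """Which generator loses game RP to which adversary."""
    gens = (("counter", ng_counter), ("15-bit", ng_low_entropy), ("prf", ng_prf))
    return {
        (name, adv.__name__): rp_game(ng, adv)
        for name, ng in gens
        for adv in (adv_predict, adv_birthday)
    }
```

The counter survives the birthday adversary (it never repeats) but loses to the predictor, and the 15-bit generator is the reverse; only the keyed generator survives both, which is what the RP game asks for.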

N-SO-CPA. Let NE be a nonce-based PKE scheme and NG be a nonce generator
of the same nonce space 𝒩. Let M be a message sampler, but the generated
messages don't have to be distinct or unpredictable. Let S be a function such
that M is S-partially resamplable. The game N-SO-CPA defining the N-SO-CPA
security is specified in Fig. 7.

Initially, the game picks seed xk[j] ←$ NE.Sg(1^k) and sets state st[j] ← ε
for sender j, with j = 1, 2, .... The adversary is then given the public key pk
and has to specify the list J of senders that it wishes to get the seeds of. It's then
granted xk[J] and then has to provide some parameter param for generating
(m, a) ←$ M(1^k, param), together with a vector N of nonces, a map U that


8 The definition of BT [10] requires that if the seed xk is secret then security should
hold as long as the message/nonce pairs are unique. If one directly extends this
to the SOA setting, there will be a pesky issue, as the adversary can detect
equality within the message vectors by repeating the nonces. Here for simplicity,
we only demand that nonces should be unique, which is analogous to nonce-based
symmetric encryption. Nevertheless, our constructions are specific instantiations of
the BT construction, and thus meet their requirement.
Game N-SO-CPA^{A,M,S}_{NE,NG}(k)

For j = 1, 2, ... do xk[j] ←$ NE.Sg(1^k) ; st[j] ← ε
(pk, sk) ←$ NE.Kg(1^k) ; (J, state) ←$ A(1^k, pk)
(param, N, U, σ, state) ←$ A(state, xk[J])
(m, a) ←$ M(1^k, param) ; z1 ← S(m, param)
For i = 1 to |m| do
  j ← U[i]
  If j ∈ J then (N, st[j]) ←$ NG(1^k, st[j], σ[i]) ; N[i] ← N
  c[i] ← NE.Enc(pk, xk[j], N[i], m[i])
(I, state) ←$ A(state, c) ; b ←$ {0,1}
For i ∈ I, j = 1 to |m| do
  If U[i] = U[j] then I ← I ∪ {j}
z0 ←$ Resamp_{M,S}(1^k, m[I], a[I], I, param)
b' ←$ A(state, m[I], a[I], N[I], xk[U[I]], z_b) ; Return (b = b')

Fig. 7. Game defining N-SO-CPA security.


specifies that message m[i] belongs to sender U[i], and a vector σ of nonce selectors for
NG. Note that the messages m here can depend on the public key. We require that
the adversary be nonce-respecting, meaning that (N[1], U[1]), (N[2], U[2]), ...
are distinct.

The game then iterates over i = 1, ..., |m| to encrypt each message m[i]. Let
j ← U[i]. If j ∈ J (that is, the adversary holds the seed of sender j) then N[i] is
overwritten by a nonce N generated by NG as follows. The nonce generator NG
will read the current state st[j] of sender j and the nonce selector σ[i] for the
message m[i], to generate a nonce N and update st[j]. The adversary then is
given the ciphertexts and has to output a set I to indicate which ciphertexts it
wants to open. Note that opening c[i] returns not only (m[i], a[i]) but also the
associated nonce and sender seed. Moreover, if the adversary opens a message
belonging to sender j, then any other messages of this sender are considered
open. Finally, the game resamples z0, and lets z1 ← S(m, param). It picks
b ←$ {0,1}, and gives the adversary z_b and (m[I], a[I], xk[U[I]], N[I]). The
adversary has to guess the challenge bit b. Define

\[
\mathrm{Adv}^{\text{n-so-cpa}}_{\mathrm{NE},\mathrm{NG},A,\mathcal{M},S}(k) = 2\Pr[\text{N-SO-CPA}^{A,\mathcal{M},S}_{\mathrm{NE},\mathrm{NG}}(k)] - 1 .
\]

We say that NE is N-SO-CPA secure, with respect to NG, if for any message
sampler M, any PT adversary A, and any PT function S such that M is
S-partially resamplable, Adv^{n-so-cpa}_{NE,NG,A,M,S}(·) is a negligible function.

N-SO-CCA. To add a CCA flavor to N-SO-CPA, one would give the adversary
oracle access to Dec(sk, ·). Once it's given the ciphertexts c, it's not allowed to
query any c[i] to the decryption oracle. Let N-SO-CCA be the corresponding
game, and define

\[
\mathrm{Adv}^{\text{n-so-cca}}_{\mathrm{NE},\mathrm{NG},A,\mathcal{M},S}(k) = 2\Pr[\text{N-SO-CCA}^{A,\mathcal{M},S}_{\mathrm{NE},\mathrm{NG}}(k)] - 1 .
\]
Simulation-based security. One could also define an appropriate simulation-based
notion of SOA security for nonce-based PKE, which unlike N-SO-CPA
would not require the unrevealed messages to be efficiently resamplable, analogously
to the SIM-SOA definition for randomized PKE in [9]. However, we conjecture
that such a definition is impossible to achieve. We leave this as an open
question. In any case, a simulation-based definition of SOA security for nonce-based
PKE will indeed be impossible to achieve later when we lift the primitive
to the hedged setting, where an existing impossibility result for a simulation-based
notion of SOA security for deterministic PKE [4] applies (because hedged
PKE generalizes deterministic PKE).


4.2 Separation 

We now show that the standard notions for nonce-based PKE of BT [10] do 
not imply N-SO-CPA. Our separation is based on the recent result of Hofheinz, 
Rao, and Wichs (HRW) [15] to show that IND-CCA doesn’t imply the notion 
IND-SO-CPA for randomized PKE. 

HRW construction. Our counterexample is based on the recent (contrived)
construction REbad = (REbad.Kg, REbad.Enc, REbad.Dec) of HRW. The scheme
REbad is IND-CCA secure, but is vulnerable to the following SOA attack. The
message sampler M(1^k, param) ignores param, picks a secret s ←$ {0,1}^ℓ and
then secret-shares it into v(k) messages m[1], ..., m[v(k)] so that any t(k) shares
reveal no information about the secret s. In other words, it picks a_0, a_1, ..., a_t uniformly
from GF(2^ℓ), the finite field of size 2^ℓ (with a_0 = s), and computes m[i] ← f(i) for
every i ∈ {1, ..., v(k)}, where f(x) = a_0 + a_1 x + ··· + a_t x^t is the corresponding
polynomial in GF(2^ℓ)[X]. Recall that any t + 1 shares will uniquely determine
the polynomial f (via polynomial interpolation), and thus any t + 1 shares are
uniformly and independently random, while any t shares are independent of s. The
auxiliary information is empty. Surprisingly, there's an efficient adversary that opens
only t ciphertexts and can recover all messages. We note that HRW's counter-example
is based on public-coin differing-inputs obfuscation [17], which is a very strong assumption.
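The HRW message sampler above, as an added Python example that is not part of the paper or of HRW's construction. It works over GF(2^8) (the paper's GF(2^ℓ) with ℓ = 8, an assumption to keep the field small) and shows both halves of the claim: t + 1 shares interpolate back to s, while from t shares every one of the 256 candidate secrets predicts a different value for the next share, so t shares carry no information about s.

```python
import os

# GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (assumption:
# the paper works over GF(2^l) for message length l; l = 8 keeps the example small).
_POLY = 0x11B

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication reduced modulo _POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """a^-1 = a^(2^8 - 2) for a != 0 (square-and-multiply)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def poly_eval(coeffs, x: int) -> int:
    """Horner evaluation of f(x) = a0 + a1 x + ... + at x^t."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

def sample(v: int, t: int, secret=None):
    """The HRW sampler M: a0 = s (uniform unless given), a1..at uniform,
    m[i] = f(i) for i = 1..v. Returns (s, [(i, m[i]), ...])."""
    s = os.urandom(1)[0] if secret is None else secret
    coeffs = [s] + [os.urandom(1)[0] for _ in range(t)]
    return s, [(i, poly_eval(coeffs, i)) for i in range(1, v + 1)]

def interpolate(points, x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the given points (distinct x's). In characteristic 2
    subtraction is XOR."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc

def recover(shares) -> int:
    """Any t + 1 shares determine f, hence s = f(0)."""
    return interpolate(shares, 0)

def predictions(t_shares, x: int):
    """For each candidate secret s' in GF(2^8): the value at x of the degree-t
    polynomial through (0, s') and the t shares. A bijection in s', so the t
    shares alone are consistent with every secret."""
    return [interpolate([(0, s)] + list(t_shares), x) for s in range(256)]

def candidates(t_shares, extra_share):
    """Secrets still consistent once one more share (x, y) is known."""
    x, y = extra_share
    return [s for s, p in enumerate(predictions(t_shares, x)) if p == y]
```

With t shares, `predictions` maps the 256 candidate secrets onto 256 distinct values for any further share, which is exactly why the t shares reveal nothing about s and why the (t + 1)-th share is uniform when s is; that one extra share collapses `candidates` to the real s.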

Results. Let H be a hash function. One can model it as a random oracle, or,
for a standard-model result, as a primitive that BT call a hedged extractor. BT show
that one can build a nonce-based PKE achieving their notions from an arbitrary
IND-CCA secure PKE RE as follows. Given seed xk, nonce N, and message m,
one uses H((xk, N, m)) to extract synthetic coins r, and then encrypts m via
RE under coins r. Now, use the scheme REbad above to instantiate RE, and let
NEbad[H, REbad] be the resulting nonce-based PKE. This NEbad[H, REbad] achieves
BT's notions.

We now break the N-SO-CPA security of NEbad. The message sampler M
is as described in the HRW attack, and let A be the adversary attacking REbad as
above. Note that M is fully resamplable, and let S(m, param) = m. Consider the
following adversary B attacking NEbad. It specifies J = ∅, meaning that it doesn't
want to get any sender seed before the opening. It then lets N[i] = U[i] = i, for
every i. That is, each sender has only a single message. Then, when B gets the
NE1.Kg(1^k)
(ek, td) ←$ LT.IKg(1^k) ; hk ←$ {0,1}^k
pk ← (hk, ek) ; sk ← (hk, td) ; Return (pk, sk)

NE1.Sg(1^k)
xk ←$ {0,1}^k ; Return xk

NE1.Enc(pk, xk, N, m)
(hk, ek) ← pk
r ← H(hk ‖ 0 ‖ (xk, N, m), LT.il(k))
trap ← LT.Eval(ek, r) ; y ← H(hk ‖ 1 ‖ r, |m|) ⊕ m
Return (trap, y)

NE1.Dec(sk, c)
(hk, td) ← sk ; (trap, y) ← c
r ← LT.Inv(td, trap)
m ← H(hk ‖ 1 ‖ r, |y|) ⊕ y
Return m

Fig. 8. Nonce-based PKE scheme NE1[H, LT].


ciphertexts c, it runs A on those c. Note that c are ciphertexts of REbad, although
the coins are only pseudorandom. Still, adversary A can recover all messages by
opening just t ciphertexts. When B is given the messages (real or resampled),
it compares them with what A recovers. Then Adv^{n-so-cpa}_{NEbad,NG,B,M,S}(k) ≥ 1 − 2^{−ℓ(k)},
where ℓ is the length of each message.

4.3 Achieving N-SO-CPA Security 

BT's construction of nonce-based PKE is simple. To encrypt a message m under
a seed xk, a nonce N, and public key pk, we hash (xk, N, m) to derive a string r,
and then use a traditional randomized PKE to encrypt m under the synthetic
coins r and public key pk. Here we'll use BT's construction, but the underlying
randomized PKE is a randomized counterpart of the D-PKE scheme DE1 in
Sect. 3.2.

Formally, let H be a hash of arbitrary input and output length, meaning
that H(x, ℓ) returns an ℓ-bit string. Let LT be a lossy trapdoor function. Our
nonce-based PKE NE1[H, LT] is described in Fig. 8; it has nonce space {0,1}*
and message space {0,1}*. Theorem 4 below shows that NE1[H, LT] is N-SO-CPA
secure in the NPROM; the proof is in the full version.

Theorem 4. Let LT be a lossy trapdoor function with lossiness τ. Let M be a
message sampler and let S be a function such that M is S-partially resamplable.
Let NE1[H, LT] be as above, and let NG be a nonce generator. In the NPROM,
for any adversary A, there are adversaries B and D such that

\[
\mathrm{Adv}^{\text{n-so-cpa}}_{\mathrm{NE1}[H,\mathrm{LT}],\mathrm{NG},A,\mathcal{M},S}(k) \le
2\,\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},B}(k) + 8\,q(k)v(k)\cdot\mathrm{Adv}^{\text{rp}}_{\mathrm{NG},D}(k)
+ \frac{7\,v(k)\,(q(k)+v(k))}{2^{k}} + \frac{12\,v(k)\,(q(k)+v(k))}{2^{\tau(k)}},
\]

where v is the number of messages that M generates, and q bounds the total
number of random-oracle queries that A and M make. The running time of
B or D is about the time to run game N-SO-CPA^{A,M,S}_{NE1[H,LT],NG}, but using an efficient
S-partial resampling algorithm of M instead of Resamp_{M,S}. Each of B and D
makes at most q random-oracle queries.
NE2.Kg(1^k)
(ek, td) ←$ LT.IKg(1^k) ; hk ←$ {0,1}^k
pk ← (hk, ek) ; sk ← (hk, ek, td)
Return (pk, sk)

NE2.Sg(1^k)
xk ←$ {0,1}^k ; Return xk

NE2.Enc(pk, xk, N, m)
(hk, ek) ← pk
r ← H(hk ‖ 00 ‖ (xk, N, m), LT.il(k))
y ← H(hk ‖ 01 ‖ r, |m|) ⊕ m
z ← H(hk ‖ 10 ‖ r ‖ m, k)
trap ← LT.Eval(ek, r)
Return (trap, y, z)

NE2.Dec(sk, c)
(hk, ek, td) ← sk ; (trap, y, z) ← c
r ← LT.Inv(td, trap)
trap' ← LT.Eval(ek, r)
m ← H(hk ‖ 01 ‖ r, |y|) ⊕ y
z' ← H(hk ‖ 10 ‖ r ‖ m, k)
If (z' ≠ z) ∨ (trap' ≠ trap) then return ⊥
Return m

Fig. 9. Nonce-based PKE scheme NE2[H, LT].


4.4 Achieving N-SO-CCA Security 

To strengthen NE1 with CCA capability, in the encryption, we append to the
ciphertext a hash image of r ‖ m. When we decrypt a ciphertext, we'll recover
both r and m, and check whether the hash image of r ‖ m matches what's given in
the ciphertext. The resulting scheme NE2[H, LT] is shown in Fig. 9. The underlying
randomized PKE of NE2 is a textbook IND-CCA construction in the ROM
(but LT just needs to be an ordinary trapdoor function). Theorem 5 below shows
that NE2[H, LT] is N-SO-CCA secure in the NPROM; the proof is in the full
version.

Theorem 5. Let LT be a lossy trapdoor function with lossiness τ. Let M be a
message sampler and let S be a function such that M is S-partially resamplable.
Let NE2[H, LT] be as above, and let NG be a nonce generator. In the NPROM,
for any adversary A, there are adversaries B and D such that

\[
\mathrm{Adv}^{\text{n-so-cca}}_{\mathrm{NE2}[H,\mathrm{LT}],\mathrm{NG},A,\mathcal{M},S}(k) \le
2\,\mathrm{Adv}^{\text{ltdf}}_{\mathrm{LT},B}(k) + 8\,v(k)Q(k)\cdot\mathrm{Adv}^{\text{rp}}_{\mathrm{NG},D}(k)
+ \frac{2p(k)}{2^{k}} + \frac{7\,v(k)Q(k)}{2^{k}} + \frac{12\,v(k)Q(k)}{2^{\tau(k)}},
\]

where v is the number of messages that M generates, p is the number of A's
queries to the decryption oracle, q bounds the total number of random-oracle
queries that A and M make, and Q = q + 2p + v. The running time of B or D
is about the time to run game N-SO-CCA^{A,M,S}_{NE2[H,LT],NG}, but using an efficient S-partial
resampling algorithm of M instead of Resamp_{M,S}. Each of B and D makes at
most q + 2p random-oracle queries.

5 Hedged Security for Nonce-Based PKE 

Recall that the security of nonce-based PKE relies on the assumption that
the adversary cannot obtain the secret seeds and corrupt the nonce generator
simultaneously. Still, this assumption may fail in practice, and it's desirable to
retain some security guarantee when seeds and nonces are bad. We capture this
via the notion HN-SO-CPA that is a variant of the notion D-SO-CPA2, adapted
for the nonce-based setting. A good nonce-based PKE thus has to satisfy both
N-SO-CPA and HN-SO-CPA simultaneously. We then extend this treatment to
the CCA setting.


5.1 Security Notions 

Unpredictable samplers. Let M be a message sampler. We say that M is
(μ, d)-unpredictable if for any param ∈ {0,1}*,

(i) For any (m, a) ∈ [M(1^k, param)], each a[i] is a tuple (α_i, xk_i, N_i), where xk_i
is a seed and N_i is a nonce. Moreover, (xk_1, N_1, m[1]), (xk_2, N_2, m[2]), ...
must be distinct.

(ii) For any I ⊆ {1, ..., v(k)} such that |I| ≤ d, and any i ∈ {1, ..., v(k)} \ I,
for (m, a) ←$ M(1^k, param) the conditional min-entropy of (m[i], xk_i, N_i)
given (m[I], a[I], param) is at least μ, where v(k) is the number of messages
that M produces and xk_i and N_i are the seed and nonce specified by a[i].

Defining unpredictable samplers allows us to model the situation when the seeds,
nonces, and messages are related, and quantify security based on the combined
min-entropy of each message with its nonce and seed.

HN-SO-CPA security. Let NE be a nonce-based PKE scheme, and let M be an
unpredictable message sampler. Let S be a function such that M is S-partially
resamplable. Let A = (A.pg, A.cor, A.g, A.f) be an adversary. Define

\[
\mathrm{Adv}^{\text{hn-so-cpa}}_{\mathrm{NE},A,\mathcal{M},S}(\cdot) =
\Pr[\text{HN-CPA-REAL}^{A,S}_{\mathrm{NE},\mathcal{M}}(\cdot)] - \Pr[\text{HN-CPA-IDEAL}^{A,S}_{\mathrm{NE},\mathcal{M}}(\cdot)],
\]

where the games are defined in Fig. 10.

HN-SO-CCA security. To add a CCA flavor to HN-SO-CPA, one would give
A.cor and A.g oracle access to Dec(sk, ·). They are not allowed to query any
c[i] to the decryption oracle. Let HN-CCA-REAL and HN-CCA-IDEAL be the
corresponding games, and define

\[
\mathrm{Adv}^{\text{hn-so-cca}}_{\mathrm{NE},A,\mathcal{M},S}(\cdot) =
\Pr[\text{HN-CCA-REAL}^{A,S}_{\mathrm{NE},\mathcal{M}}(\cdot)] - \Pr[\text{HN-CCA-IDEAL}^{A,S}_{\mathrm{NE},\mathcal{M}}(\cdot)] .
\]

Separation. We now show that N-SO-CCA doesn't imply HN-SO-CPA, even if
M picks m[i] ←$ {0,1}^k and a[i] = (i, i, i), and there's no opening. Note that M
is fully resamplable, and consider the function S such that S(m, param) = m.
Let H be a hash and LT be a lossy trapdoor function. Let NEbad[H, LT] be the
following variant of NE2[H, LT]. To encrypt message m under public key pk,
seed xk and nonce N, instead of hashing (xk, N, m) to derive synthetic coins
r, we just hash (xk, N). The proof of Theorem 5 can be recast to justify the
N-SO-CCA security of NEbad. However, without even opening, one can trivially
break the HN-SO-CPA security of NEbad as follows. First, adversary A.pg outputs an
arbitrary param. Next, adversary A.cor stores the ciphertexts and the public key
in its state, and outputs I = ∅. Adversary A.g computes r ← H(hk ‖ 00 ‖ (1, 1), LT.il(k)),
parses (trap, y, z) ← c[1], and outputs m[1] = y ⊕ H(hk ‖ 01 ‖ r, |y|). Finally,
adversary A.f(m*, param) simply outputs m*[1]. The adversaries win with
advantage 1 − 2^{−k}, since in the ideal game the resampled m*[1] equals m[1] only
with probability 2^{−k}.

Selective-Opening Security in the Presence of Randomness Failures

Game HN-CPA-REAL^{A,S}_{NE,M}(k)
param ←$ A.pg(1^k) ; (pk, sk) ←$ Kg(1^k) ; (m, a) ←$ M(1^k, param)
For i = 1 to |m| do (α, xk, N) ← a[i] ; c[i] ← Enc(pk, xk, N, m[i])
(state, I) ←$ A.cor(pk, c, param) ; ω ←$ A.g(state, m[I], a[I])
z1 ← S(m, param)
Return (ω = A.f(z1, param))

Game HN-CPA-IDEAL^{A,S}_{NE,M}(k)
param ←$ A.pg(1^k) ; (pk, sk) ←$ Kg(1^k) ; (m, a) ←$ M(1^k, param)
For i = 1 to |m| do (α, xk, N) ← a[i] ; c[i] ← Enc(pk, xk, N, m[i])
(state, I) ←$ A.cor(pk, c, param) ; ω ←$ A.g(state, m[I], a[I])
z0 ←$ Resamp_{M,S}(1^k, m[I], a[I], I, param)
Return (ω = A.f(z0, param))

Fig. 10. Games to define HN-SO-CPA security.
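The scheme NE2[H, LT] of Fig. 9 and the NEbad attack just described, as an added Python example that is not part of the paper. SHAKE256 stands in for the variable-output-length hash H, a single byte encodes each two-bit domain-separation label, and textbook RSA with fixed toy primes stands in for LT (assumptions of this example; RSA is a trapdoor permutation, not a lossy function, and the modulus is far too small for real use). The `hedged=False` switch turns NE2 into NEbad by hashing only (xk, N); `break_nebad` is the A.g step above with a[1] = (1, 1, 1).

```python
import hashlib
import os

K = 128                                            # security parameter (bits)
TAG_R, TAG_Y, TAG_Z = b"\x00", b"\x01", b"\x02"     # one byte per label 00, 01, 10

def H(x: bytes, nbits: int) -> bytes:
    """Random-oracle stand-in H(x, l) returning l bits (SHAKE256; the leading
    byte is masked so the big-endian integer value is below 2^l)."""
    out = bytearray(hashlib.shake_256(x).digest((nbits + 7) // 8))
    if nbits % 8:
        out[0] &= (1 << (nbits % 8)) - 1
    return bytes(out)

def enc(*parts: bytes) -> bytes:
    """Injective tuple encoding: 4-byte length prefix per component."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Trapdoor function LT: textbook RSA with fixed toy primes (assumption; the
# paper's LT is a lossy trapdoor function and this modulus is far too small).
_P, _Q, _E = 1_000_000_007, 998_244_353, 65537

def LT_IKg():
    n = _P * _Q
    return (n, _E), (n, pow(_E, -1, (_P - 1) * (_Q - 1)))   # (ek, td)

def LT_il(ek) -> int:
    """Input length in bits: coins r range over [0, 2^il) with 2^il < n."""
    return ek[0].bit_length() - 1

def LT_Eval(ek, r: int) -> int:
    return pow(r, ek[1], ek[0])

def LT_Inv(td, trap: int) -> int:
    return pow(trap, td[1], td[0])

# NE2[H, LT] of Fig. 9; hedged=False gives the NEbad variant of Sect. 5.1.
def NE2_Kg():
    ek, td = LT_IKg()
    hk = os.urandom(K // 8)
    return (hk, ek), (hk, ek, td)

def NE2_Sg() -> bytes:
    return os.urandom(K // 8)

def _coins(hk, ek, xk, N, m, hedged):
    """r <- H(hk || 00 || (xk, N, m), LT.il(k)); NEbad leaves m out."""
    rb = H(hk + TAG_R + (enc(xk, N, m) if hedged else enc(xk, N)), LT_il(ek))
    return int.from_bytes(rb, "big"), rb

def NE2_Enc(pk, xk: bytes, N: bytes, m: bytes, hedged: bool = True):
    hk, ek = pk
    r, rb = _coins(hk, ek, xk, N, m, hedged)
    y = xor(H(hk + TAG_Y + rb, 8 * len(m)), m)
    z = H(hk + TAG_Z + rb + m, K)
    return LT_Eval(ek, r), y, z

def NE2_Dec(sk, c):
    hk, ek, td = sk
    trap, y, z = c
    il = LT_il(ek)
    r = LT_Inv(td, trap)
    if r >> il or LT_Eval(ek, r) != trap:        # r out of domain / trap' != trap
        return None
    rb = r.to_bytes((il + 7) // 8, "big")
    m = xor(H(hk + TAG_Y + rb, 8 * len(y)), y)
    if H(hk + TAG_Z + rb + m, K) != z:           # z' != z: the CCA check rejects
        return None
    return m

def break_nebad(pk, c, xk: bytes, N: bytes) -> bytes:
    """A.g of the separation: with (xk, N) predictable, recompute NEbad's coins
    from public data and unmask y. Against NE2 proper, r also depends on m, so
    the same computation returns garbage."""
    hk, ek = pk
    _, rb = _coins(hk, ek, xk, N, b"", hedged=False)
    return xor(H(hk + TAG_Y + rb, 8 * len(c[1])), c[1])

def demo() -> dict:
    pk, sk = NE2_Kg()
    xk = N = (1).to_bytes(K // 8, "big")       # a[1] = (1, 1, 1): known seed/nonce
    m = b"constructed plaintext"
    c = NE2_Enc(pk, xk, N, m)
    trap, y, z = c
    cbad = NE2_Enc(pk, xk, N, m, hedged=False)
    return {
        "roundtrip": NE2_Dec(sk, c) == m,
        "tamper_rejected": NE2_Dec(sk, (trap, xor(y, b"\x01" + bytes(len(y) - 1)), z)) is None,
        "deterministic": NE2_Enc(pk, xk, N, m) == c,
        "nonce_matters": NE2_Enc(pk, xk, bytes(K // 8), m) != c,
        "nebad_broken": break_nebad(pk, cbad, xk, N) == m,
        "ne2_resists": break_nebad(pk, c, xk, N) != m,
    }
```

Because RSA is a permutation, the `trap' != trap` test never fires on its own (the out-of-domain test on r does the work there); it is the tag z that makes a modified ciphertext decrypt to ⊥, which is the re-encryption check the CCA proof relies on.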


5.2 Achieving HN-SO-CPA Security 

NtD transform. We first give a transform Nonce-then-Deterministic (NtD). Let
DE be a D-SO-CPA2 secure D-PKE and NE be an N-SO-CPA secure nonce-based
PKE. Then NtD[NE, DE] achieves both HN-SO-CPA and N-SO-CPA security
simultaneously. The resulting nonce-based PKE $\overline{\mathrm{NE}}$ is a double encryption: it
first encrypts via NE, and then uses DE to encrypt the resulting ciphertext.^9
The transform NtD is shown in Fig. 11, and Theorem 6 below confirms that it
works as claimed.

Discussion. To explain why NtD works, note that using an outer D-PKE on
the ciphertext of NE doesn't affect its N-SO-CPA security, and thus $\overline{\mathrm{NE}}$ =
NtD[NE, DE] inherits the N-SO-CPA security of NE. For HN-SO-CPA security,
there are some subtle points as follows.

9 For simplicity, we assume that the ciphertext length of NE is the plaintext length of
DE. One may also consider a more generalized setting in which the ciphertext length
of NE is smaller than the plaintext length of DE. In this case one needs to pad 10*
to the ciphertexts of NE before feeding them to DE.
$\overline{\mathrm{NE}}$.Kg(1^k)
(pk_n, sk_n) ←$ NE.Kg(1^k)
(pk_d, sk_d) ←$ DE.Kg(1^k)
pk ← (pk_n, pk_d) ; sk ← (sk_n, sk_d)
Return (pk, sk)

$\overline{\mathrm{NE}}$.Enc(pk, xk, N, m)
(pk_n, pk_d) ← pk
m' ← (m ‖ xk ‖ N)
y ← NE.Enc(pk_n, xk, N, m')
c ← DE.Enc(pk_d, y)
Return c

$\overline{\mathrm{NE}}$.Dec(sk, c)
(sk_n, sk_d) ← sk
y ← DE.Dec(sk_d, c)
m' ← NE.Dec(sk_n, y)
(m ‖ xk ‖ N) ← m'
Return m

Fig. 11. Nonce-based PKE scheme $\overline{\mathrm{NE}}$ = NtD[NE, DE]. It uses the same seed-generating
algorithm as NE.


First, the "messages" for DE are the ciphertexts produced by NE. Now, the
D-SO-CPA2 security demands that those "messages" must have good min-entropy,
but we only know that the combined min-entropy of each message with
its nonce and seed is μ. We need a bound, call it NE.Guess(μ), to quantify the
min-entropy of the ciphertexts of NE. Therefore, let NE.Guess(μ(k)) be the biggest
number such that, for any seed xk, any nonce N, any message m, and any random
variable X such that the conditional min-entropy of (m, xk, N) given X is at
least μ(k), and (pk, sk) ←$ NE.Kg(1^k) independent of (m, xk, N, X), the conditional
min-entropy of NE.Enc(pk, xk, N, m) given X is at least NE.Guess(μ(k)).
We say that NE is entropy-preserving if for any μ such that 2^{−μ} is negligible,
so is 2^{−NE.Guess(μ)}. For example, one can show that NE1[H, LT].Guess(μ(k)) ≥
min{k, μ(k)/2} − 1, by modeling h_hk(·) = H(hk ‖ 0 ‖ ·, LT.il(k)) as a universal
hash function, and using the Generalized Leftover Hash Lemma [1, Lemma 3.4].
Hence NE1 is entropy-preserving.

Next, we need to build an adversary B attacking DE from an adversary A that
attacks $\overline{\mathrm{NE}}$. Then B.pg will run param ←$ A.pg(1^k), pick (pk, sk) ←$ NE.Kg(1^k),
and output pars = (pk, sk, param), asking its sampler $\overline{\mathcal{M}}$ to run M and encrypt
the resulting messages, nonces, and seeds under pk. At some point, A.cor will
ask to open some ciphertexts c[I] to get the corresponding m[I], xk[I], N[I],
but the opened "messages" that B.g receives are NE.Enc(pk, xk[i], N[i], m[i]).
Although B.g knows the secret key sk of NE, if we use NE1 to instantiate NE
then one can't recover (N[i], xk[i]) from just c_i = NE.Enc(pk, xk[i], N[i], m[i])
and sk. Thanks to our explicit modeling of the auxiliary information, adversary B
does get (xk[i], N[i]) when it opens c[i].

Finally, one has to reason about the resamplability of the constructed sampler
$\overline{\mathcal{M}}$. Had we restricted our notions to fully resamplable samplers and the function
S(m, param) = m, we would have run into a problem here. Why so? The resampling
algorithm $\overline{\mathrm{Rsmp}}$ of $\overline{\mathcal{M}}$ has to generate NE.Enc(pk, xk'[i], N'[i], m'[i]), but it
only knows pk and another algorithm Rsmp to generate m'. That is, it's unclear
how to resample the seeds xk' and nonces N'. Using partial resamplability solves
this issue. To justify this, suppose that we need to justify the HN-SO-CPA security
of $\overline{\mathrm{NE}}$ with respect to function S. Then, we'll find another function $\overline{S}$ such that

\[
\mathrm{Adv}^{\text{hn-so-cpa}}_{\overline{\mathrm{NE}},A,\mathcal{M},S}(\cdot) \le \mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE},B,\overline{\mathcal{M}},\overline{S}}(\cdot),
\]

and at the same time, $\overline{\mathcal{M}}$ is $\overline{S}$-partially
Algorithm B(1^k, pk_n)
(pk_d, sk_d) ←$ DE.Kg(1^k) ; (J, state) ←$ A(1^k, (pk_n, pk_d))
Return (J, (state, pk_d))

Algorithm B((state, pk_d), xk*)
(param, N, U, σ, state) ←$ A(state, xk*)
Return (param, N, U, σ, (state, pk_d))

Algorithm B((state, pk_d), c)
For i = 1 to |c| do c[i] ← DE.Enc(pk_d, c[i])
(I, state) ←$ A(state, c) ; Return (I, (state, pk_d))

Algorithm B(state, m*, a*, N*, xk*, z)
Return A(state, m*, a*, N*, xk*, z)

Fig. 12. N-SO-CPA adversary B in the proof of Theorem 6. B generates the DE key
pair itself, hands A the combined public key (pk_n, pk_d), and carries pk_d in its state.


resamplable. The function $\overline{S}$(x, pars) works as follows. It first parses pars as
(pk, sk, param), runs m[i] ← NE.Dec(sk, x[i]), and then outputs S(m, param).
We stress that the NtD transform works in both the standard model and the
NPROM. (Of course, this assumes that there are standard-model D-SO-CPA2
secure D-PKE and N-SO-CPA secure entropy-preserving nonce-based PKE.)

Theorem 6. Let NE be a nonce-based PKE, and let DE be a D-PKE scheme
such that the ciphertext length of the former is a plaintext length of the latter.
Let $\overline{\mathrm{NE}}$ = NtD[NE, DE].

N-SO-CPA security: For any adversary A, any message sampler M, any function
S such that M is S-partially resamplable, and any nonce generator NG, there is
an adversary B such that

\[
\mathrm{Adv}^{\text{n-so-cpa}}_{\overline{\mathrm{NE}},\mathrm{NG},A,\mathcal{M},S}(\cdot) \le \mathrm{Adv}^{\text{n-so-cpa}}_{\mathrm{NE},\mathrm{NG},B,\mathcal{M},S}(\cdot) .
\]

The running time of B is about that of A plus the running time of DE.Kg plus
the time to run DE.Enc on the messages that M produces.

HN-SO-CPA security: For any (μ, d)-unpredictable message sampler M, any
function S such that M is S-partially resamplable, and any adversary A, there
are an adversary B that opens the same number of ciphertexts, another function
$\overline{S}$, and another (NE.Guess(μ), d)-entropic, $\overline{S}$-partially resamplable message
sampler $\overline{\mathcal{M}}$ such that

\[
\mathrm{Adv}^{\text{hn-so-cpa}}_{\overline{\mathrm{NE}},A,\mathcal{M},S}(\cdot) \le \mathrm{Adv}^{\text{d-so-cpa2}}_{\mathrm{DE},B,\overline{\mathcal{M}},\overline{S}}(\cdot) .
\]

The running time of B is about that of A plus the running time of NE.Kg plus
the time to run NE.Dec on v ciphertexts, where v is the number of messages
that M produces. The running time of $\overline{\mathcal{M}}$ is about that of M plus the time to
run NE.Enc on v messages.

Proof. For the first part, consider an arbitrary adversary A. Consider the adversary
B in Fig. 12 attacking NE. Then game N-SO-CPA^{B,M,S}_{NE,NG} coincides with game
N-SO-CPA^{A,M,S}_{$\overline{\mathrm{NE}}$,NG}, and thus

\[
\mathrm{Adv}^{\text{n-so-cpa}}_{\overline{\mathrm{NE}},\mathrm{NG},A,\mathcal{M},S}(\cdot) = \mathrm{Adv}^{\text{n-so-cpa}}_{\mathrm{NE},\mathrm{NG},B,\mathcal{M},S}(\cdot) .
\]

For the second part, consider an arbitrary adversary A and a message sampler
M. Consider the following message sampler $\overline{\mathcal{M}}$(1^k, pars). It parses pars as a
Algorithm B.pg(1^k)
param ←$ A.pg(1^k)
(pk_n, sk_n) ←$ NE.Kg(1^k)
pars ← (pk_n, sk_n, param)
Return pars

Algorithm B.cor(pk_d, c, pars)
(pk_n, sk_n, param) ← pars
pk ← (pk_n, pk_d)
(state, I) ←$ A.cor(pk, c, param)
t ← (state, pars) ; Return (t, I)

Algorithm B.g(t, y*, a*)
(state, pars) ← t
(pk_n, sk_n, param) ← pars
For i = 1 to |y*| do m*[i] ← NE.Dec(sk_n, y*[i])
ω ←$ A.g(state, m*, a*)
Return ω

Algorithm B.f(z, pars)
(pk_n, sk_n, param) ← pars
t ← A.f(z, param) ; Return t

Algorithm $\overline{\mathcal{M}}$(1^k, pars)
(pk_n, sk_n, param) ← pars
(m, a) ←$ M(1^k, param)
For i = 1 to |m| do
  (α, xk, N) ← a[i]
  y[i] ← NE.Enc(pk_n, xk, N, m[i])
Return (y, a)

Algorithm $\overline{\mathrm{Rsmp}}$(1^k, y*, a*, I, pars)
(pk_n, sk_n, param) ← pars
For i = 1 to |y*| do m*[i] ← NE.Dec(sk_n, y*[i])
z ←$ Rsmp(1^k, m*, a*, I, param)
Return z

Fig. 13. D-SO-CPA2 adversary B, constructed sampler $\overline{\mathcal{M}}$, and its partial resampling
algorithm $\overline{\mathrm{Rsmp}}$ in the proof of Theorem 6.


triple (pk n , sk n , param), where pk n and sk n are public and secret keys for NE. 
It then runs A4 (l k , param) to generate (m, a). Since A4 is unpredictable, each 
a [i] can be parsed as (a*, xki, Ni). Now the “messages” of M is the vector y, 
where each y[i\ = NE.Enc(p& n , xki, Ni, m[i]), and the corresponding auxiliary 
information is still a[i]. The code of M is given in Fig. 13. Since M is (p, d)- 
unpredictable, M is (NE.Guess(p), d)-entropic. Let S be a function such that 
M. is J-partially resamplable. Let S(y,pars) be the following function. It parses 
pars as (pk n , sk n , param), decrypts m[i] <— NE.Dec(s£; n , y[i]), and then returns 
5(m, param). Then M. is J-partially resamplable: given any (^-partial resampling 
algorithm Rsmp for Ad, we can construct a (Lpartial resampling algorithm Rsmp 
for M. as in Fig. 13. 

Now, consider the adversary B attacking DE as given in Fig. 13. It targets message sampler M̄, with respect to function δ̄. Initially, B.pg(1^k) runs param ←$ A.pg(1^k), and then generates public and secret keys pk_n and sk_n for NE. It then outputs pars ← (pk_n, sk_n, param). When B.g receives its "messages" y*, it extracts the secret key sk_n from its state and decrypts m*[i] ← NE.Dec(sk_n, y*[i]), and then gives m* to A.g together with the auxiliary information a*. Then game HN-CPA-REAL^{A,M,δ}_{\overline{NE}} coincides with game D-CPA2-REAL^{B,M̄,δ̄}_{DE}. Moreover, game HN-CPA-IDEAL^{A,M,δ}_{\overline{NE}} coincides with D-CPA2-IDEAL^{B,M̄,δ̄}_{DE}. Hence

$$\mathrm{Adv}^{\mathrm{hn\text{-}so\text{-}cpa}}_{\overline{NE},A,M,\delta}(\cdot) \le \mathrm{Adv}^{\mathrm{d\text{-}so\text{-}cpa2}}_{DE,B,\overline{M},\bar\delta}(\cdot). \qquad \square$$
NE1 ALONE IS ENOUGH. Constructions via the NtD transform will be at least twice as slow as NE1, because we need to run public primitives twice. But in the NPROM, NE1[H, LT] alone achieves both N-SO-CPA and HN-SO-CPA security simultaneously. In Theorem 7 below, we'll show that NE1 is HN-SO-CPA secure. See the full version for the proof. We stress that for (μ, ∞)-unpredictable message samplers, NE1 allows the adversary to open as many ciphertexts as it wishes.


Theorem 7. Let LT be a lossy trapdoor function with lossiness τ. Let M be a (μ, d)-unpredictable resamplable message sampler, and let δ be a function such that M is δ-partially resamplable. Let NE1[H, LT] be as above. In the NPROM, for any adversary A opening at most d ciphertexts, there is an adversary D such that

$$\mathrm{Adv}^{\mathrm{hn\text{-}so\text{-}cpa}}_{NE1[H,LT],A,M,\delta}(k) \le \frac{4q(k)}{2^{k}} + \frac{4q(k)v(k)}{2^{\mu(k)}} + \frac{v(k)\,(v(k)+4q(k))}{2^{\tau(k)}} + 2\,\mathrm{Adv}^{\mathrm{ltdf}}_{LT,D}(k),$$

where q(k) is the total number of random-oracle queries of A and M, and v(k) is the number of messages that M produces. The running time of D is about that of A plus the time to run δ and an efficient δ-partial resampling algorithm of M plus the time to run NE1[H, LT] to encrypt M's messages. Adversary D makes at most q random-oracle queries.


5.3 Achieving HN-SO-CCA Security

In proving that NtD[NE, DE] achieves HN-SO-CPA security, we don't need any property of the D-PKE scheme DE. This no longer holds for HN-SO-CCA. Indeed, consider a scheme DEbad such that DEbad.Enc appends 0 to the ciphertexts, and DEbad.Dec ignores the last bit of the ciphertexts. An adversary thus can obtain the plaintexts by modifying the last bits of the ciphertexts, and querying those to the decryption oracle. Hence to obtain HN-SO-CCA, one has to exploit some property of DE. We'll need DE to be unique-ciphertext, a property formalized by Bellare and Hoang [7].

Formally, a D-PKE scheme DE is unique-ciphertext if for every k ∈ N, every (pk, sk) ∈ [DE.Kg(1^k)], and every m ∈ {0,1}*, there is at most one string c such that DE.Dec(sk, c) = m. The D-PKE scheme DEbad above is not unique-ciphertext. The unique-ciphertext property of DE ensures that if one modifies a ciphertext of NtD[NE, DE], the underlying ciphertext of NE will be changed.

Bellare and Hoang also show how to efficiently transform a D-PKE scheme DE into a unique-ciphertext one UE: in the decryption, we first recover the message, and then re-encrypt it and return ⊥ if the newly constructed ciphertext doesn't match the given one. The transform UniqueCtx is given in Fig. 14. Note that this transform doesn't affect the D-SO-CCA security of DE. Indeed, for any message sampler M and any PT adversary A attacking UE = UniqueCtx[DE], it's trivial to construct another PT adversary B attacking DE such that

$$\mathrm{Adv}^{\mathrm{d\text{-}so\text{-}cca}}_{UE,A,M,\delta}(\cdot) \le \mathrm{Adv}^{\mathrm{d\text{-}so\text{-}cca}}_{DE,B,M,\delta}(\cdot).$$
UE.Kg(1^k)
  (pk, sk) ←$ DE.Kg(1^k)
  Return (pk, (pk, sk))

UE.Enc(pk, m)
  c ← DE.Enc(pk, m)
  Return c

UE.Dec((pk, sk), c)
  m ← DE.Dec(sk, c)
  If m ≠ ⊥ then
    c' ← DE.Enc(pk, m)
    If c' ≠ c then return ⊥
  Return m

Fig. 14. Unique-ciphertext D-PKE scheme UE = UniqueCtx[DE] constructed from D-PKE scheme DE.
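The following is an added example, not code from the paper: it implements the UniqueCtx transform of Fig. 14 generically over any scheme with the DE.Kg/DE.Enc/DE.Dec syntax and applies it to the malleable scheme DEbad of Sect. 5.3. The deterministic scheme DE is an assumption of the example, a stand-in instantiated with textbook RSA on constructed tiny primes (p = 61, q = 53), chosen only because it is deterministic and decryptable; it has no security value. The point shown is the one the text makes: flipping the trailing bit of a DEbad ciphertext yields a different ciphertext that a decryption oracle still decrypts to the original plaintext, whereas UniqueCtx[DEbad] re-encrypts and rejects it with ⊥.

```python
"""UniqueCtx[DE] (Fig. 14) versus the malleable toy scheme DEbad (Sect. 5.3).
Added example; DE below is a constructed toy (textbook RSA, tiny primes)."""

BOT = None  # the rejection symbol ⊥

# Constructed toy parameters: p = 61, q = 53, n = 3233, e = 17, d = e^-1 mod phi(n).
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


class DE:
    """Deterministic PKE with the DE.Kg / DE.Enc / DE.Dec syntax (assumed toy)."""

    @staticmethod
    def Kg():
        return (RSA_N, RSA_E), (RSA_N, RSA_D)  # (pk, sk)

    @staticmethod
    def Enc(pk, m):
        n, e = pk
        return pow(m, e, n)  # no randomness: encryption is deterministic

    @staticmethod
    def Dec(sk, c):
        n, d = sk
        return pow(c, d, n)


class DEbad:
    """DEbad from Sect. 5.3: Enc appends a 0 bit, Dec ignores the last bit.
    A ciphertext is the pair (inner_ct, trailing_bit)."""

    Kg = DE.Kg

    @staticmethod
    def Enc(pk, m):
        return (DE.Enc(pk, m), 0)

    @staticmethod
    def Dec(sk, c):
        inner_ct, _ignored_bit = c
        return DE.Dec(sk, inner_ct)


def UniqueCtx(S):
    """The UniqueCtx transform of Fig. 14: returns the scheme UE = UniqueCtx[S]."""

    class UE:
        @staticmethod
        def Kg():
            pk, sk = S.Kg()
            return pk, (pk, sk)  # UE's secret key also carries pk for re-encryption

        @staticmethod
        def Enc(pk, m):
            return S.Enc(pk, m)

        @staticmethod
        def Dec(sk, c):
            pk, inner_sk = sk
            m = S.Dec(inner_sk, c)
            if m is not BOT and S.Enc(pk, m) != c:
                return BOT  # re-encryption does not reproduce c: reject
            return m

    return UE


def decrypt_after_bit_flip(scheme, m):
    """Encrypt m, flip the trailing bit of the ciphertext (the modification the
    text describes), and return what the scheme's decryption says about it."""
    pk, sk = scheme.Kg()
    inner_ct, bit = scheme.Enc(pk, m)
    return scheme.Dec(sk, (inner_ct, bit ^ 1))


if __name__ == "__main__":
    print("DEbad decrypts the modified ciphertext to:", decrypt_after_bit_flip(DEbad, 42))
    print("UniqueCtx[DEbad] decrypts it to:", decrypt_after_bit_flip(UniqueCtx(DEbad), 42))
```

Because UE.Dec compares the re-encryption against the exact ciphertext received, every ciphertext that decrypts to m must equal DE.Enc(pk, m); this is precisely the "at most one string c" condition of the unique-ciphertext definition, and it is why the transform needs pk inside the secret key.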


Let DE be a unique-ciphertext and D-SO-CCA secure D-PKE scheme and NE be an N-SO-CCA secure, entropy-preserving nonce-based PKE. Then, Theorem 8 confirms that NtD[NE, DE] achieves both HN-SO-CCA and N-SO-CCA security simultaneously; the proof is in the full version. To instantiate DE, one can either apply the UniqueCtx transform to a D-SO-CCA secure D-PKE scheme, or directly use our construction DE2 in Sect. 3.3.


Theorem 8. Let NE be a nonce-based PKE as above, and let DE be a unique-ciphertext D-PKE scheme such that the ciphertext length of the former is a plaintext length of the latter. Let \overline{NE} = NtD[NE, DE].

N-SO-CCA security: For any adversary A, any message sampler M, any function δ such that M is δ-partially resamplable, and any nonce generator NG, there is an adversary B such that

$$\mathrm{Adv}^{\mathrm{n\text{-}so\text{-}cca}}_{\overline{NE},NG,A,M,\delta}(\cdot) \le \mathrm{Adv}^{\mathrm{n\text{-}so\text{-}cca}}_{NE,NG,B,M,\delta}(\cdot).$$

The running time of B is about that of A plus the running time of DE.Kg plus the time to run DE.Enc on the messages that A produces, and the time to run DE.Dec on the decryption queries of A. Adversary B makes as many decryption-oracle queries as A.

HN-SO-CCA security: For any adversary A, any (μ, d)-unpredictable message sampler M, and any function δ such that M is δ-partially resamplable, there are an adversary B that opens the same number of ciphertexts, a function δ̄, and an (NE.Guess(μ), d)-entropic, δ̄-partially resamplable message sampler M̄ such that

$$\mathrm{Adv}^{\mathrm{hn\text{-}so\text{-}cca}}_{\overline{NE},A,M,\delta}(\cdot) \le \mathrm{Adv}^{\mathrm{d\text{-}so\text{-}cca}}_{DE,B,\overline{M},\bar\delta}(\cdot).$$

The running time of B is about that of A plus the running time of NE.Kg plus the time to run NE.Dec on v + p ciphertexts, where v is the number of messages that M produces and p is the number of A's decryption-oracle queries. Adversary B makes as many decryption-oracle queries as A. The running time of M̄ is about that of M plus the time to run NE.Enc on v messages.


Alternatively, we can use NE2 directly. In Theorem 9 below, we'll show that NE2 is HN-SO-CCA secure. See the full version for the proof.

Theorem 9. Let LT be a lossy trapdoor function with lossiness τ. Let M be a (μ, d)-unpredictable message sampler, and let δ be a function such that M is δ-partially resamplable. Let NE2[H, LT] be as above. In the NPROM, for any adversary A opening at most d ciphertexts, there is an adversary D such that

$$\mathrm{Adv}^{\mathrm{hn\text{-}so\text{-}cca}}_{NE2[H,LT],A,M,\delta}(k) \le \frac{6Q(k)}{2^{k}} + \frac{4Q(k)v(k)}{2^{\mu(k)}} + \frac{v(k)\,(v(k)+4Q(k))}{2^{\tau(k)}} + 2\,\mathrm{Adv}^{\mathrm{ltdf}}_{LT,D}(k),$$

where q(k) is the total number of random-oracle queries of A and M, v(k) is the number of messages that M produces, p(k) is the number of decryption queries of A, and Q(k) = q(k) + 2p(k). The running time of D is about that of A plus the time to run δ and a δ-partial resampling algorithm of M plus the time to run NE2[H, LT] to encrypt M's messages. Adversary D makes at most Q random-oracle queries.
Abstract. KDM[F]-CCA secure public-key encryption (PKE) protects the security of message f(sk), with f ∈ F, that is computed directly from the secret key, even if the adversary has access to a decryption oracle. An efficient KDM[F_aff]-CCA secure PKE scheme for affine functions was proposed by Lu, Li and Jia (LLJ, EuroCrypt 2015). We point out that their security proof cannot go through based on the DDH assumption.

In this paper, we introduce a new concept Authenticated Encryption with Auxiliary-Input AIAE and define for it new security notions dealing with related-key attacks, namely IND-RKA security and weak INT-RKA security. We also construct such an AIAE w.r.t. a set of restricted affine functions from the DDH assumption. With our AIAE,

- we construct the first efficient KDM[F_aff]-CCA secure PKE w.r.t. affine functions with compact ciphertexts, which consist only of a constant number of group elements;

- we construct the first efficient KDM[F^d_poly]-CCA secure PKE w.r.t. polynomial functions of bounded degree d with almost compact ciphertexts, and the number of group elements in a ciphertext is polynomial in d, independent of the security parameter.

Our PKEs are both based on the DDH & DCR assumptions, free of NIZK and free of pairing.

Keywords: Public-key encryption · Key-dependent messages · Chosen-ciphertext security · Authenticated encryption · Related-key attack


1 Introduction 

Traditional Chosen-Ciphertext Attack (CCA) security of a public-key encryption 
(PKE) scheme considers the security of messages chosen by an adversary, even if 
the adversary obtains the public key pk , challenge ciphertexts of the messages, 
and has access to a decryption oracle (which provides decryption services to 
the adversary but refuses to decrypt the challenge ciphertexts). Note that the 
adversary cannot compute messages directly from secret keys, since it does not 
possess the secret keys. Therefore, CCA security does not cover the corner, where 
J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 307-338, 2016.
DOI: 10.1007/978-3-662-53890-6_11

308    S. Han et al.


messages closely depend on the secret keys, say the secret keys themselves or functions of the secret keys. This issue was first identified in [GM84]. Later the security of key-dependent messages was formalized as KDM-security [BRS02]. KDM-security is an important notion, and has found wide applications, like hard disk encryption [BHHO08], cryptographic protocols [CL01], etc.

KDM-security w.r.t. a set of functions F is denoted by KDM[F]-security. The larger F is, the stronger the security is. Roughly speaking, n-KDM[F]-security of PKE considers such a scenario: an adversary is given public keys (pk_1, pk_2, ..., pk_n) of n users and an encryption oracle. Whenever the adversary queries a function f ∈ F, the encryption oracle will always reply with an encryption of a constant, say 0, or always reply with an encryption of f(sk_1, sk_2, ..., sk_n). If the adversary cannot tell which case it is, the PKE is n-KDM[F]-CPA secure. If the adversary also has access to a decryption oracle in the scenario, then KDM[F]-CPA security is improved to KDM[F]-CCA security. Obviously, the KDM-CCA security notion is stronger than KDM-CPA.

KDM[F]-CPA Security. The BHHO scheme [BHHO08] was the first PKE achieving KDM[F_aff]-CPA security based on the Decisional Diffie-Hellman (DDH) assumption, where F_aff denotes the set of affine functions. It was later generalized by Brakerski and Goldwasser [BG10] to KDM[F_aff]-CPA secure PKE schemes based on the Subgroup Indistinguishability Assumption (including the QR and the DCR assumptions). These schemes have incompact ciphertexts containing O(ℓ) group elements, where ℓ denotes the security parameter.

A variant of Regev's scheme [Reg05] was shown to be KDM[F_aff]-CPA secure and to have more compact ciphertexts by Applebaum et al. [ACPS09].

Barak et al. [BHHI10] proposed KDM-CPA secure PKE w.r.t. a very large function set, i.e., the function set of boolean circuits of bounded size p = p(ℓ). However, their scheme is inflexible and highly impractical, since its encryption algorithm depends on the bound p and the number of users, and the ciphertext contains a garbled circuit of size at least p = p(ℓ).

Brakerski et al. [BGK11] amplified the BHHO scheme to KDM[F^d_poly]-CPA security w.r.t. the set of polynomial functions of bounded degree d. However, their ciphertext contains O(ℓ^{d+1}) group elements.

It is Malkin et al. [MTY11] who designed the first efficient PKE scheme achieving KDM[F^d_poly]-CPA security. Their ciphertext contains only O(d) group elements, thus d can be polynomial in ℓ in their case. The function set F^d_poly is characterized by a polynomial-size Modular Arithmetic Circuit in [MTY11].

KDM[F]-CCA Security. KDM[F]-CCA security of PKE is far more difficult to design than KDM[F]-CPA security. Camenisch et al. [CCS09] gave the first solution, following the Naor-Yung paradigm, which needs a KDM-CPA secure PKE, a CCA-secure PKE and a non-interactive zero-knowledge (NIZK) proof that the two PKEs encrypt the same message.

NIZK is not practical in general, except for Groth-Sahai proofs [GS08]. When following the approach of [CCS09], the only possible way to get an efficient KDM-CCA secure PKE is to use Groth-Sahai proofs together with an efficient KDM-CPA secure PKE. However, many existing efficient KDM-CPA secure schemes, such as [ACPS09, MTY11], are not based on pairing-friendly groups, and thus are not compatible with the efficient NIZK of Groth-Sahai.

Another work by Galindo et al. [GHV12] is based on the Matrix DDH assumption over pairing-friendly groups. Their scheme has compact ciphertexts, but only obtains a bounded form of KDM-CCA security, i.e., the number of encryption queries is limited to be linear in the size of the secret key.

To get an efficient KDM-CCA secure PKE, Hofheinz [Hof13] proposed another approach, which uses a new tool called "lossy algebraic filter". His work results in the first PKE enjoying both KDM-CCA security and compact ciphertexts (consisting only of a constant number of group elements). However, the function set F_circ only consists of selection functions f(sk_1, ..., sk_n) = sk_i and constant functions.

It is quite challenging to enlarge F for KDM[F]-CCA security while still keeping PKE efficient. One effort was recently made by Lu, Li and Jia [LLJ15], who proposed the first efficient KDM[F_aff]-CCA secure PKE with compact ciphertexts. We call their construction the LLJ scheme. There is an essential building block called "Authenticated Encryption" (AE) in their scheme. The KDM[F_aff]-CCA security heavily relies on a so-called INT-F_aff-RKA security of AE. INT-F_aff-RKA security of AE means that a PPT adversary cannot produce a fresh forgery (f*, ae.ct*) such that AE.Dec_{f*(k)}(ae.ct*) ≠ ⊥, even if the adversary observes multiple outputs of AE.Enc_{f_j(k)}(m_j) with its choice of (f_j, m_j). Unfortunately, we found that the INT-F_aff-RKA security proof of the specific AE does not go through to the DDH assumption, which in turn affects the KDM[F_aff]-CCA security proof of the LLJ scheme. Our essential observation is that the DDH adversary is not able to employ the fresh forgery from the adversary of AE to solve the DDH problem, since the DDH adversary does not have any trapdoor to convert the computing power (forgery) into a decision bit.

As for KDM[F^d_poly]-CCA security, the paradigm of [CCS09] is the unique path to it up to now. Unfortunately, the only efficient KDM[F^d_poly]-CPA secure scheme [MTY11] does not compose well with Groth-Sahai proofs, so it has to resort to general NIZK. Other KDM[F^d_poly]-CPA secure schemes are either highly impractical [BHHI10] or have ciphertexts containing O(ℓ^{d+1}) group elements [BGK11], which grows exponentially with the degree d.

Our Contribution. We work on the design of efficient PKE with KDM[F_aff]-CCA security and KDM[F^d_poly]-CCA security.

- We identify the proof flaw in [LLJ15], where an efficient KDM[F_aff]-CCA secure PKE was claimed. We show that for the "Authenticated Encryption" (AE) used in the LLJ scheme, the INT-F_aff-RKA security reduction to the DDH assumption does not work. This proof flaw directly affects the KDM[F_aff]-CCA security proof of the LLJ scheme.

- We provide the first efficient KDM[F_aff]-CCA secure PKE w.r.t. affine functions with compact ciphertexts. Our scheme has ciphertexts consisting only of a constant number of group elements and is free of NIZK.

- We provide the first efficient KDM[F^d_poly]-CCA secure PKE w.r.t. polynomial functions of bounded degree d with almost compact ciphertexts. Our scheme is free of NIZK. The number of group elements in a ciphertext is polynomial in d, independent of the security parameter ℓ.

We summarize known PKEs either achieving KDM-CCA security or against function set F^d_poly in Table 1.


Table 1. Comparison between PKEs either achieving KDM-CCA security or against function set F^d_poly. Here ℓ is the security parameter. F_circ, F_aff and F^d_poly denote the set of selection functions, the set of affine functions and the set of polynomial functions of bounded degree d, respectively. "CCA" means the scheme is KDM-CCA secure. "Free of Pairing" asks whether the scheme is free of pairing. |CT| shows the size of ciphertext. G, Z_{N^3}, Z_{N^2} and Z_N are the underlying groups; s can be any integer greater than 1. The symbol "?" means that the security proof is not rigorous.

Scheme                 | Set       | CCA? | Free of Pairing? | |CT|                                     | Assumption
-----------------------|-----------|------|------------------|------------------------------------------|-----------
[BHHO08] + [CCS09]     | F_aff     | ✓    | –                | (6ℓ + 13)|G|                             | DDH
[BGK11]                | F^d_poly  | –    | ✓                | O(ℓ^{d+1})|G|                            | DDH or LWE
[MTY11]                | F^d_poly  | –    | ✓                | (d + 2)|Z_{N^s}|                         | DCR
[Hof13]                | F_circ    | ✓    | –                | 6|Z_{N^3}| + 49|G|                       | DDH & DCR
[LLJ15]                | F_aff     | ?    | ✓                | 3|Z_{N^2}| + 3|Z_{N^s}| + |Z_N|          | DDH & DCR
Our scheme in Sect. 5  | F_aff     | ✓    | ✓                | 9|Z_{N^2}| + 9|Z_{N^s}| + 2|Z_N|         | DDH & DCR
Our scheme in Sect. 6  | F^d_poly  | ✓    | ✓                | 9|Z_{N^2}| + (8d? + 1)|Z_{N^s}| + 2|Z_N| | DDH & DCR


Our Approach. The challenge for KDM[F]-CCA security of PKE lies in the fact that the adversary A has multiple access to the encryptions of f(sk) and the decryption oracle Dec(sk, ·), with f ∈ F and sk the secret key. Let us consider only one secret key for simplicity. The information of sk might be leaked completely via encryptions of f(sk).

To solve this problem, we follow a KEM+DEM style and construct our PKE with three building blocks: KEM, E and AIAE, as shown in Fig. 1.

• We propose a new concept "Authenticated Encryption with Auxiliary-Input" (AIAE). We define for it new security notions dealing with related-key attacks, namely weak INT-F'-RKA security and IND-F'-RKA security.

• We design the other building blocks KEM and E. KEM.Enc encapsulates a key k for AIAE, and the encapsulation kem.ct serves as an auxiliary input aux for AIAE.Enc. E.Enc encrypts m to get a ciphertext E.ct, which serves as an input for AIAE.Enc.
We show how to achieve KDM[F]-CCA security with our three building blocks.

- E.Enc can behave like an entropy filter (the concept was named in [LLJ15]) for F. That is, through some computationally indistinguishable change, some entropy of sk is always reserved even if multiple encryptions of f_j(sk) are given to A. Here f_j ∈ F is chosen by A.

- The fresh keys k_j used by AIAE.Enc can be expressed as functions of a base key k*, i.e., k_j = f'_j(k*), where f'_j ∈ F' for some function set F'. We stress that F' might be different from F.

- KEM.Enc is able to use the remaining entropy of sk to protect the base key k*, via some computationally indistinguishable change.

- The weak INT-F'-RKA security of AIAE guarantees: given multiple AIAE ciphertext-auxiliary input pairs (aiae.ct_j, aux_j) encrypted by f'_j(k*), it is infeasible for a PPT algorithm to forge a new (f', aiae.ct, aux) satisfying (1) AIAE.Dec_{f'(k*)}(aiae.ct, aux) ≠ ⊥; (2) if aux = aux_j for some j then f' = f'_j.

- The decryption oracle can reject all invalid ciphertexts that are not properly generated by the encryption algorithm, via some computationally indistinguishable change. If the invalid ciphertext makes KEM.Dec decapsulate a key f'(k*), AIAE.Dec will output ⊥, due to its weak INT-F'-RKA security. Otherwise, the invalid ciphertext will be rejected by E.Dec or KEM.Dec, due to the remaining entropy of sk. As a result, no extra information about sk is leaked.

- The IND-F'-RKA security of AIAE ensures: given multiple AIAE ciphertext-auxiliary input pairs (aiae.ct_j, aux_j) with key f'_j(k*) encrypting either m_0 or m_1, it is infeasible for a PPT algorithm to distinguish which case it is, even if f'_j ∈ F' is submitted by the algorithm.

- By the IND-F'-RKA security of AIAE, the encryption of E.ct can be replaced with an encryption of all zeros. Then the KDM[F]-CCA security follows.

With this approach, we can construct PKEs possessing KDM[F_aff]-CCA and KDM[F^d_poly]-CCA security respectively, by designing specific building blocks.

Fig. 1. Our approach of PKE construction. Here KEM and E share the same public/secret key pair. AIAE.Enc uses k output by KEM to encrypt E.ct with auxiliary input aux := kem.ct, and outputs ciphertext aiae.ct.

Comparison with LLJ. We inherit the idea of utilizing RKA security of AE to achieve KDM security from LLJ. However, our approach deviates from LLJ in three aspects.
1. The structure of our scheme is different from LLJ. It is also possible to explain the LLJ scheme with three components KEM, E and AE. However, their components were composed in a different way. In the LLJ scheme, the output kem.ct of KEM serves as an additional input for E.Enc. With their structure, E is expected to authenticate kem.ct. In our approach, kem.ct is the auxiliary input of AIAE, thus can be authenticated by AIAE.

2. The syntax and security requirements of our AIAE are different from LLJ's AE. Their AE does not support auxiliary input, and the security proof of their AE instantiation has some problem, as shown in Sect. 3.

3. Our KEM and E are newly designed building blocks which compose well with our AIAE. We give two designs of E to support KDM[F_aff]-CCA and KDM[F^d_poly]-CCA security respectively.

2 Preliminaries 

Let ℓ ∈ N denote the security parameter. For i, j ∈ N with i < j, define [i, j] := {i, i+1, ..., j} and [j] := {1, 2, ..., j}. Denote by s ←$ S the operation of picking an element s from set S uniformly at random. For an algorithm A, denote by y ←$ A(x; r), or simply y ←$ A(x), the operation of running A with input x and randomness r and assigning the output to y. Let ε denote the empty string. For a primitive XX and a security notion YY, we typically denote the advantage of a PPT adversary A by Adv^{YY}_{XX,A}(ℓ) and define Adv^{YY}_{XX}(ℓ) := max_{PPT A} Adv^{YY}_{XX,A}(ℓ). Let denote the value upper bounded by for some constant c > 0.

Games. Our security proofs will be game-based security reductions. A game G starts with an Initialize procedure and ends with a Finalize procedure. There are also some optional procedures Proc_1, ..., Proc_n performing as oracles. All procedures are described using pseudo-code, where initially all variables are empty strings ε and all sets are empty. An adversary A is executed in game G if it first calls Initialize, obtaining its output. Then the adversary may make arbitrary oracle queries to procedures Proc_i according to their specification, and obtain their outputs. Finally it makes one single call to Finalize. By G^A ⇒ b we mean that G outputs b after interacting with A, and b is in fact the output of Finalize. By a \overset{G}{=} b we mean that a equals b or is computed as b in game G.

2.1 Public-Key Encryption and KDM-CCA Security 

A public-key encryption (PKE) scheme is made up of four PPT algorithms PKE = (Setup, Gen, Enc, Dec): Setup(1^ℓ) generates a public parameter prm, which implicitly defines a secret key space SK and a message space M; Gen(prm) takes as input the public parameter prm and generates a public/secret key pair (pk, sk); Enc(pk, m) takes as input the public key pk and a message m, and outputs a ciphertext pke.ct; Dec(sk, pke.ct) takes as input the secret key sk and a ciphertext pke.ct and outputs either a message m or a failure symbol ⊥. The correctness of PKE requires that, for all prm ←$ Setup(1^ℓ), all (pk, sk) ←$ Gen(prm), all m ∈ M and all pke.ct ←$ Enc(pk, m), it holds that Dec(sk, pke.ct) = m.
Procedure Initialize:
  prm ←$ Setup(1^ℓ).
  For i ∈ [n]
    (pk_i, sk_i) ←$ Gen(prm).
  β ←$ {0, 1}.  // challenge bit
  Return (prm, pk_1, ..., pk_n).

Procedure Enc(f ∈ F, i ∈ [n]):
  m_1 := f(sk_1, ..., sk_n), m_0 := 0^{|m_1|}.
  pke.ct ←$ Enc(pk_i, m_β).
  Q_ENC := Q_ENC ∪ {(pke.ct, i)}.
  Return pke.ct.

Procedure Dec(pke.ct, i ∈ [n]):
  If (pke.ct, i) ∈ Q_ENC, Return ⊥.
  Return Dec(sk_i, pke.ct).

Procedure Finalize(β'):
  Return (β' = β).

Fig. 2. n-KDM[F]-CCA security game for PKE.


Let n ∈ N and F be a family of functions from SK^n to M. We define the n-KDM[F]-CCA security via the security game in Fig. 2.

Definition 1 (KDM[F]-CCA Security for PKE). Scheme PKE is n-KDM[F]-CCA secure if for any PPT adversary A, Adv^{kdm-cca}_{PKE,A}(ℓ) := |Pr[n-KDM[F]-CCA^A ⇒ 1] − 1/2| is negligible in ℓ, where game n-KDM[F]-CCA is specified in Fig. 2.


2.2 Key Encapsulation Mechanism 

A key encapsulation mechanism (KEM) consists of three PPT algorithms KEM = (KEM.Gen, KEM.Enc, KEM.Dec): KEM.Gen(1^ℓ) outputs a public/secret key pair (pk, sk); KEM.Enc(pk) uses the public key pk to compute a key k and a ciphertext (or encapsulation) kem.ct; KEM.Dec(sk, kem.ct) takes as input the secret key sk and a ciphertext kem.ct, and outputs either a key k or a failure symbol ⊥. The correctness of KEM requires that, for all (pk, sk) ←$ KEM.Gen(1^ℓ) and all (k, kem.ct) ←$ KEM.Enc(pk), it holds that KEM.Dec(sk, kem.ct) = k.

2.3 Authenticated Encryption: One-Time Security and Related-Key Attack Security

Definition 2 (Authenticated Encryption). An authenticated encryption (AE) scheme AE = (AE.Setup, AE.Enc, AE.Dec) consists of three PPT algorithms:

• AE.Setup(1^ℓ) outputs a system parameter prm_AE, which is an implicit input to AE.Enc and AE.Dec. The parameter prm_AE implicitly defines a message space M and a key space K_AE.

• AE.Enc(k, m) takes as input a key k ∈ K_AE and a message m ∈ M, and outputs a ciphertext ae.ct.

• AE.Dec(k, ae.ct) takes as input a key k ∈ K_AE and a ciphertext ae.ct, and outputs a message m ∈ M or a rejection symbol ⊥.
Game IND-OT:
Procedure Initialize:
  prm_AE ←$ AE.Setup(1^ℓ), k ←$ K_AE.
  β ←$ {0, 1}.  // challenge bit
  Return prm_AE.
Procedure Enc(m_0, m_1):  // one query
  If |m_0| ≠ |m_1|, Return ⊥.
  ae.ct ←$ AE.Enc(k, m_β).
  Return ae.ct.
Procedure Finalize(β'):
  Return (β' = β).

Game INT-OT:
Procedure Initialize:
  prm_AE ←$ AE.Setup(1^ℓ), k ←$ K_AE.
  Return prm_AE.
Procedure Enc(m):  // one query
  ae.ct ←$ AE.Enc(k, m).
  Return ae.ct.
Procedure Finalize(ae.ct*):
  If ae.ct* = ae.ct, Return 0.
  Return (AE.Dec(k, ae.ct*) ≠ ⊥).

Fig. 3. Games IND-OT (top) and INT-OT (bottom) for defining securities of AE.


Correctness of AE requires that, for all prm_AE ←$ AE.Setup(1^ℓ), all k ∈ K_AE, all m ∈ M and all ae.ct ←$ AE.Enc(k, m), it holds that AE.Dec(k, ae.ct) = m.

The security notions for AE include one-time ciphertext indistinguishability (IND-OT) and one-time ciphertext integrity (INT-OT). The IND-OT and INT-OT securities of AE are formalized via the security games in Fig. 3.

Definition 3 (One-Time Security for AE). Scheme AE is one-time secure (OT-secure) if it is IND-OT secure and INT-OT secure, i.e., for any PPT adversary A, both Adv^{ind-ot}_{AE,A}(ℓ) := |Pr[IND-OT^A ⇒ 1] − 1/2| and Adv^{int-ot}_{AE,A}(ℓ) := Pr[INT-OT^A ⇒ 1] are negligible in ℓ, where games IND-OT and INT-OT are specified in Fig. 3.

Let F be a family of functions from K_AE to K_AE. The F-Related-Key Attack for AE schemes was formalized in [LLJ15], and RKA security notions characterize the ciphertext indistinguishability (IND-F-RKA) and integrity (INT-F-RKA) even if the adversary has multiple access to the encryption oracle and designates a function f ∈ F each time such that the encryption oracle uses f(k) as the key.

Definition 4 (IND-RKA and INT-RKA Securities for AE). Scheme AE is IND-F-RKA secure and INT-F-RKA secure, if for any PPT adversary A, both Adv^{ind-rka}_{AE,A}(ℓ) := |Pr[IND-F-RKA^A ⇒ 1] − 1/2| and Adv^{int-rka}_{AE,A}(ℓ) := Pr[INT-F-RKA^A ⇒ 1] are negligible in ℓ, where games IND-F-RKA and INT-F-RKA are specified in Fig. 4.


Game IND-F-RKA:
Procedure Initialize:
  prm_AE ←$ AE.Setup(1^ℓ), k ←$ K_AE.
  β ←$ {0, 1}.  // challenge bit
  Return prm_AE.
Procedure Enc(m_0, m_1, f ∈ F):
  If |m_0| ≠ |m_1|, Return ⊥.
  ae.ct ←$ AE.Enc(f(k), m_β).
  Return ae.ct.
Procedure Finalize(β'):
  Return (β' = β).

Game INT-F-RKA:
Procedure Initialize:
  prm_AE ←$ AE.Setup(1^ℓ), k ←$ K_AE.
  Return prm_AE.
Procedure Enc(m, f ∈ F):
  ae.ct ←$ AE.Enc(f(k), m).
  Q_ENC := Q_ENC ∪ {(f, ae.ct)}.
  Return ae.ct.
Procedure Finalize(f* ∈ F, ae.ct*):
  If (f*, ae.ct*) ∈ Q_ENC, Return 0.
  Return (AE.Dec(f*(k), ae.ct*) ≠ ⊥).

Fig. 4. Games IND-F-RKA (top) and INT-F-RKA (bottom) for defining securities of AE.

2.4 DCR, DDH, DL and IV_d Assumptions

Let GenN(1^ℓ) be a PPT algorithm outputting (N, p, q), where p, q are safe primes of ℓ bits and N = pq, such that N̄ = 2N + 1 is also a prime. Let s ∈ N and T = 1 + N. Define QR_{N^s} := {a^2 mod N^s | a ∈ Z*_{N^s}}, SCR_{N^s} := {a^{2N^{s-1}} mod N^s | a ∈ Z*_{N^s}}, and MU_{N^s} := {T^r mod N^s | r ∈ [N^{s-1}]}. Then SCR_{N^s} is a cyclic group of order φ(N)/4, and QR_{N^s} = SCR_{N^s} ⊗ MU_{N^s}, where ⊗ denotes internal direct product. Let QR_{N̄} := {a^2 mod N̄ | a ∈ Z*_{N̄}}; then QR_{N̄} is a cyclic group of order N = pq.

For X ∈ MU_{N^s}, the discrete logarithm dlog_T(X) ∈ [N^{s-1}] can be efficiently computed given only N and X [DJ01]. Note that Z*_{N^s} = Z_2 ⊗ Z_2' ⊗ SCR_{N^s} ⊗ MU_{N^s}, hence for any u = u(Z_2) · u(Z_2') · u(SCR_{N^s}) · T^x ∈ Z*_{N^s}, u^{φ(N)} ∈ MU_{N^s} and

$$\mathrm{dlog}_T\!\left(u^{\phi(N)}\right) / \phi(N) \bmod N^{s-1} = x. \qquad (1)$$

The formal definitions of the Decisional Composite Residuosity (DCR) and the Discrete Logarithm (DL) assumptions are in the full version [HLL16]. The DCR assumption implies the Interactive Vector (IV_d) assumption according to [BG10]. We adopt the version in [LLJ15].
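The two facts this section relies on, that dlog_T is efficiently computable in MU_{N^s} and identity (1), can be checked concretely. The following is an added example, not code from the paper or from [DJ01]: dlog_T is a transcription of the recursive Damgård–Jurik procedure for general s (the s = 2 case reduces to (X − 1)/N), and recover_T_exponent applies (1) to an element of Z*_{N^s} whose T-component is known by construction. The modulus is a constructed toy (p = 7, q = 47, both safe primes, N = 329, and 2N + 1 = 659 is prime), far below any real parameter size; the functions themselves work for any s with N coprime to (s − 1)!.

```python
"""Discrete logarithms in MU_{N^s} = <T>, T = 1 + N, and identity (1) of Sect. 2.4.
Added example: toy modulus, Damgard-Jurik style dlog, no real security level."""

from math import factorial

# Constructed toy parameters (both safe primes; 2N + 1 = 659 is prime).
P, Q = 7, 47
N = P * Q                  # 329
PHI = (P - 1) * (Q - 1)    # phi(N) = 276
T = 1 + N


def dlog_T(X, N, s):
    """Return x in [0, N^(s-1)) with X = T^x mod N^s, given only N and X.

    Uses the binomial expansion (1+N)^x = 1 + xN + C(x,2)N^2 + ... mod N^(j+1):
    knowing x mod N^(j-1), the terms C(x,k)N^(k-1) for k >= 2 can be removed
    from (X-1)/N mod N^j, which then equals x mod N^j.  Runs j = 1 .. s-1.
    Requires gcd(N, (s-1)!) = 1 so that the k! are invertible."""
    x = 0
    for j in range(1, s):
        mod_j = N ** j
        # (X mod N^(j+1) - 1) / N  ==  x + C(x,2)N + ... + C(x,j)N^(j-1)  (mod N^j)
        t1 = (((X % (N ** (j + 1))) - 1) // N) % mod_j
        t2 = x                         # x is correct modulo N^(j-1) at this point
        for k in range(2, j + 1):
            x -= 1
            t2 = (t2 * x) % mod_j      # falling factorial x(x-1)...(x-k+1)
            inv_kfact = pow(factorial(k), -1, mod_j)
            t1 = (t1 - t2 * N ** (k - 1) * inv_kfact) % mod_j   # strip C(x,k)N^(k-1)
        x = t1
    return x


def element_with_T_part(a, x, N, s):
    """Constructed u in Z*_{N^s} whose MU_{N^s} component is exactly T^x.
    a^(N^(s-1)) has trivial MU part (MU has order N^(s-1)), so u = a^(N^(s-1)) * T^x.
    a must be coprime to N."""
    mod = N ** s
    w = pow(a, N ** (s - 1), mod)
    return (w * pow(1 + N, x, mod)) % mod


def recover_T_exponent(u, N, s, phi):
    """Identity (1): u^phi(N) kills the Z_2, Z_2' and SCR_{N^s} components,
    leaving T^(x * phi(N)) in MU_{N^s}; dividing its dlog by phi(N) modulo
    N^(s-1) returns x."""
    mod_exp = N ** (s - 1)
    v = pow(u, phi, N ** s)                      # v lies in MU_{N^s}
    return (dlog_T(v, N, s) * pow(phi, -1, mod_exp)) % mod_exp


if __name__ == "__main__":
    s = 3
    x = 12345                                    # any x < N^(s-1) = 108241
    print("dlog_T recovers x:", dlog_T(pow(T, x, N ** s), N, s) == x)
    u = element_with_T_part(12345, 777, N, s)    # 12345 is coprime to 329
    print("identity (1) recovers 777:", recover_T_exponent(u, N, s, PHI))
```

The division by φ(N) in (1) is a modular inverse, which exists because φ(N) = 4p'q' shares no factor with N^{s-1}; the same coprimality is what lets dlog_T invert the factorials for realistic N.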

Definition 5 (IV_d Assumption). The IV_d Assumption holds w.r.t. GenN and group QR_{N^s} if for any PPT adversary A, the following advantage is negligible in ℓ:

$$\mathrm{Adv}^{\mathrm{iv}_d}_{\mathrm{GenN},A}(\ell) := \left|\Pr\left[A^{\mathrm{CHAL}_{\mathrm{IV}_d}(\cdot)}(N, g_1, \ldots, g_d) = b\right] - 1/2\right|,$$

where (N, p, q) ←$ GenN(1^ℓ), g_1, ..., g_d ←$ QR_{N^s}, b ←$ {0, 1}, and the oracle CHAL_{IV_d}(·) can be queried by A adaptively. A submits (δ_1, ..., δ_d) to the oracle. CHAL_{IV_d}(δ_1, ..., δ_d) selects random r ←$ [⌊N/4⌋]. If b = 0, the oracle returns (g_1^r, ..., g_d^r); otherwise it returns (g_1^r T^{δ_1}, ..., g_d^r T^{δ_d}), where T = 1 + N.

Definition 6 (DDH Assumption). The Decisional Diffie-Hellman (DDH) Assumption holds w.r.t. GenN and group QR_{N̄} if for any PPT adversary A, the following advantage is negligible in ℓ:

$$\mathrm{Adv}^{\mathrm{ddh}}_{\mathrm{GenN},A}(\ell) := \left|\Pr\left[A(N, p, q, g_1, g_2, g_1^{x}, g_2^{x}) = 1\right] - \Pr\left[A(N, p, q, g_1, g_2, g_1^{x}, g_2^{y}) = 1\right]\right|,$$

where (N, p, q) ←$ GenN(1^ℓ), g_1, g_2 ←$ QR_{N̄}, and x, y ←$ Z_N \ {0}.
2.5 Collision Resistant Hashing and Universal Hashing

Definition 7 (Collision Resistant Hashing). A family of functions H = {H : X → Y} is collision-resistant if for any PPT adversary A, the following advantage is negligible in ℓ:

$$\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H},A}(\ell) := \Pr\left[H \leftarrow_\$ \mathcal{H},\ (x, x') \leftarrow_\$ A(H) : H(x) = H(x') \wedge x \ne x'\right].$$

Definition 8 (Universal Hashing). A family of functions H = {H : X → Y} is universal if for all distinct x, x' ∈ X, it follows that

$$\Pr\left[H \leftarrow_\$ \mathcal{H} : H(x) = H(x')\right] \le 1/|Y|.$$

3 AE of the LLJ Scheme and Its INT-RKA Security

The LLJ scheme [LLJ15] makes use of an important primitive, "Authenticated Encryption" $\overline{\mathsf{AE}}$. Its KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security heavily relies on the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security and INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of their $\overline{\mathsf{AE}}$. LLJ claimed INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of their $\overline{\mathsf{AE}}$; however, we point out that their security proof does not go through to the DDH assumption, which in turn affects the KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security proof of the LLJ scheme.

Let us briefly review LLJ's $\overline{\mathsf{AE}}$ as follows. The public parameter is $\mathsf{prm}_{\overline{\mathsf{AE}}} = (N, \bar N, g)$, where $N = pq$, $\bar N = 2N + 1$, and $g$ is a generator of group $\mathrm{QR}_{\bar N}$. Let AE be an IND-OT and INT-OT secure authenticated encryption, and $H$ be a 4-wise independent hash function. The secret key space is $\mathbb{Z}_N$.

- $\overline{\mathsf{AE}}.\mathsf{Enc}(k, m)$ computes $u = g^r$ with $r \leftarrow_\$ \mathbb{Z}_N$, $\kappa = H(u^k, u)$, and invokes $\chi \leftarrow_\$ \mathsf{AE.Enc}(\kappa, m)$. It outputs the ciphertext $(u, \chi)$.

- $\overline{\mathsf{AE}}.\mathsf{Dec}(k, (u, \chi))$ computes $\kappa = H(u^k, u)$ and outputs $m/\bot \leftarrow \mathsf{AE.Dec}(\kappa, \chi)$.

In the LLJ scheme, $\overline{\mathsf{AE}}$ should have RKA security w.r.t. $\mathcal{F}_{\mathrm{aff}} = \{f : k \mapsto ak + b \mid a \neq 0\}$. Let us check their security proof. See Table 2. The proof idea is to use the DDH assumption to make sure that each $\kappa_\lambda$, $\lambda \in [Q_e]$, is random to the adversary. Then the INT-OT of AE guarantees that the adversary cannot make a fresh forgery $(f^* = (a^*, b^*), (u^*, \chi^*))$ such that $\overline{\mathsf{AE}}.\mathsf{Dec}(a^* k + b^*, (u^*, \chi^*)) \neq \bot$.

In [LLJ15], the indistinguishability of Game 1.$(i-1)$ and Game 1.$i$ is reduced to the DDH assumption. A PPT algorithm $\mathcal{B}$ is constructed to solve the DDH problem by employing an INT-$\mathcal{F}_{\mathrm{aff}}$-RKA adversary $\mathcal{A}$. Given the challenge $(g, g^{r_i}, g^k, Z)$, $\mathcal{B}$ wants to tell whether $Z = g^{k r_i}$ or $Z = g^{z_i}$ for a random $z_i$. $\mathcal{B}$ simulates the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA game for $\mathcal{A}$ by computing $\kappa_i = H(Z^{a_i} g^{r_i b_i}, g^{r_i})$. If $Z = g^{k r_i}$, $\mathcal{B}$ simulates Game 1.$(i-1)$ for $\mathcal{A}$; if $Z = g^{z_i}$, $\mathcal{B}$ simulates Game 1.$i$.

The problem is now that $\mathcal{B}$ does not know the value of the secret key $k$ (it knows $g^k$). When $\mathcal{A}$ submits a fresh forgery $(f^* = (a^*, b^*), (u^*, \chi^*))$, $\mathcal{B}$ is not able to see whether $\overline{\mathsf{AE}}.\mathsf{Dec}(a^* k + b^*, (u^*, \chi^*)) \neq \bot$ or not without the knowledge of $k$. More precisely, $\mathcal{B}$ cannot compute $\kappa^* = H(u^{*\,a^* k + b^*}, u^*) = H((u^{*\,k})^{a^*} \cdot u^{*\,b^*}, u^*)$ from $g^k$ and $u^*$, unless it is able to compute the CDH value $u^{*\,k}$ from $g^k$ and $u^*$. Without $\kappa^*$, it is hard for $\mathcal{B}$ to decide whether $\mathsf{AE.Dec}(\kappa^*, \chi^*) \neq \bot$ or not.
Table 2. INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security proof of $\overline{\mathsf{AE}}$ in the LLJ scheme; we point out a flaw in the security reduction from Game 1.$(i-1)$ to Game 1.$i$, denoted by "?".

Game      | Enc($m_\lambda, f_\lambda = (a_\lambda, b_\lambda)$) oracle, $\lambda \in [Q_e]$, where $Q_e$ is the number of encryption queries | Assumptions
Game 0    | $r_\lambda \leftarrow_\$ \mathbb{Z}_N$; $u_\lambda := g^{r_\lambda}$; $\kappa_\lambda := H(u_\lambda^{\,a_\lambda k + b_\lambda}, u_\lambda)$; $\chi_\lambda \leftarrow_\$ \mathsf{AE.Enc}(\kappa_\lambda, m_\lambda)$; return $\mathsf{ae.ct}_\lambda := (u_\lambda, \chi_\lambda)$ | (none)
Game 1    | Same as Game 0 except $\kappa_\lambda := H\big((g^{k r_\lambda})^{a_\lambda} g^{r_\lambda b_\lambda}, g^{r_\lambda}\big)$ | Game 1 = Game 0
Game 1.$i$ | For $\lambda = 1, \dots, i$, the same as Game 1 except $\kappa_\lambda := H\big((g^{z_\lambda})^{a_\lambda} g^{r_\lambda b_\lambda}, g^{r_\lambda}\big)$ with $z_\lambda \leftarrow_\$ \mathbb{Z}_N$; for $\lambda = i+1, \dots, Q_e$, the same as Game 1 | DDH (?)
Game 2    | Game 2 = Game 1.$Q_e$ | INT-OT of AE

In other words, $\mathcal{B}$ cannot find an efficient (PPT) way to transform the computing power (forgery) of $\mathcal{A}$ into its own decisional power (decision bit) to determine whether $(g, g^{r_i}, g^k, Z)$ is a DDH tuple or a random tuple. The failure of the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security proof results in the failure of the KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA proof of the LLJ scheme, since INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security is used to prevent a KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA adversary from learning more information about the secret key by querying some invalid ciphertexts for decryption.

4 Authenticated Encryption with Auxiliary-Input

We do not see any hope of successfully fixing the security proof of LLJ's $\overline{\mathsf{AE}}$ in [LLJ15]. Alternatively, we resort to a different building block, namely AIAE. The intuition is as follows. If LLJ's $\overline{\mathsf{AE}}$ is regarded as (ElGamal + OT-AE), we can design a new AIAE as (Kurosawa-Desmedt [KD04] + OT-AE). But a new problem with our design arises: the secret key of the KEM in [KD04] consists of several elements, i.e., $k = (k_1, k_2, k_3, k_4)$. The affine function of $k$ is too complicated to prove the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security. Fortunately, (a weak) INT-RKA security follows w.r.t. a smaller restricted affine function set $\mathcal{F}_{\mathrm{raff}} = \{f : (k_1, k_2, k_3, k_4) \mapsto a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) \mid a \neq 0\}$.

To make AIAE serve the KDM-CCA security of our PKE construction in Fig. 1, we have the following requirements.

• AIAE must have an auxiliary input $\mathsf{aux}$.

• A weak INT-$\mathcal{F}$-RKA security is defined for AIAE. Compared to INT-$\mathcal{F}$-RKA security, the weak version has an additional special rule for the adversary's forgery $(\mathsf{aux}^*, f^*, \mathsf{aiae.ct}^*)$ to be successful: if the adversary has already queried $(m, \mathsf{aux}^*, f)$ to the encryption oracle Enc, it must hold that $f^* = f$.

Next, we introduce the formal definitions of Authenticated Encryption with Auxiliary-Input, its IND-$\mathcal{F}$-RKA security and weak INT-$\mathcal{F}$-RKA security.
4.1 AIAE and Its Related-Key Attack Security

Definition 9 (AIAE). An auxiliary-input authenticated encryption (AIAE) scheme $\mathsf{AIAE} = (\mathsf{AIAE.Setup}, \mathsf{AIAE.Enc}, \mathsf{AIAE.Dec})$ consists of three PPT algorithms:

• $\mathsf{AIAE.Setup}(1^\ell)$ outputs a system parameter $\mathsf{prm}_{\mathsf{AIAE}}$, which is an implicit input to $\mathsf{AIAE.Enc}$ and $\mathsf{AIAE.Dec}$. The parameter $\mathsf{prm}_{\mathsf{AIAE}}$ implicitly defines a message space $\mathcal{M}$, a key space $\mathcal{K}_{\mathsf{AIAE}}$ and an auxiliary-input space $\mathcal{AUX}$.

• $\mathsf{AIAE.Enc}(k, m, \mathsf{aux})$ takes as input a key $k \in \mathcal{K}_{\mathsf{AIAE}}$, a message $m \in \mathcal{M}$ and an auxiliary input $\mathsf{aux} \in \mathcal{AUX}$, and outputs a ciphertext $\mathsf{aiae.ct}$.

• $\mathsf{AIAE.Dec}(k, \mathsf{aiae.ct}, \mathsf{aux})$ takes as input a key $k \in \mathcal{K}_{\mathsf{AIAE}}$, a ciphertext $\mathsf{aiae.ct}$ and an auxiliary input $\mathsf{aux} \in \mathcal{AUX}$, and outputs a message $m \in \mathcal{M}$ or a rejection symbol $\bot$.

Correctness of AIAE requires that, for all $\mathsf{prm}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.Setup}(1^\ell)$, all $k \in \mathcal{K}_{\mathsf{AIAE}}$, all $m \in \mathcal{M}$, all $\mathsf{aux} \in \mathcal{AUX}$ and all $\mathsf{aiae.ct} \leftarrow_\$ \mathsf{AIAE.Enc}(k, m, \mathsf{aux})$, we have that $\mathsf{AIAE.Dec}(k, \mathsf{aiae.ct}, \mathsf{aux}) = m$.

If the auxiliary-input space $\mathcal{AUX} = \emptyset$ for all possible parameters $\mathsf{prm}_{\mathsf{AIAE}}$, the above definition is reduced to traditional AE.

Let $\mathcal{F}$ be a family of functions from $\mathcal{K}_{\mathsf{AIAE}}$ to $\mathcal{K}_{\mathsf{AIAE}}$. We define the related-key security notions for AIAE via Fig. 5.

Game IND-$\mathcal{F}$-RKA (left column of Fig. 5):

  Procedure INITIALIZE:
    $\mathsf{prm}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.Setup}(1^\ell)$, $k \leftarrow_\$ \mathcal{K}_{\mathsf{AIAE}}$.
    $\beta \leftarrow_\$ \{0, 1\}$. // challenge bit
    Return $\mathsf{prm}_{\mathsf{AIAE}}$.

  Procedure ENC($m_0, m_1, \mathsf{aux}, f \in \mathcal{F}$):
    If $|m_0| \neq |m_1|$, Return $\bot$.
    $\mathsf{aiae.ct} \leftarrow_\$ \mathsf{AIAE.Enc}(f(k), m_\beta, \mathsf{aux})$.
    Return $\mathsf{aiae.ct}$.

  Procedure FINALIZE($\beta'$):
    Return ($\beta' = \beta$).

Game weak-INT-$\mathcal{F}$-RKA (right column of Fig. 5):

  Procedure INITIALIZE:
    $\mathsf{prm}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.Setup}(1^\ell)$, $k \leftarrow_\$ \mathcal{K}_{\mathsf{AIAE}}$.
    Return $\mathsf{prm}_{\mathsf{AIAE}}$.

  Procedure ENC($m, \mathsf{aux}, f \in \mathcal{F}$):
    $\mathsf{aiae.ct} \leftarrow_\$ \mathsf{AIAE.Enc}(f(k), m, \mathsf{aux})$.
    $\mathcal{Q}_{\mathrm{ENC}} := \mathcal{Q}_{\mathrm{ENC}} \cup \{(\mathsf{aux}, f, \mathsf{aiae.ct})\}$.
    $\mathcal{Q}_{\mathrm{AUXF}} := \mathcal{Q}_{\mathrm{AUXF}} \cup \{(\mathsf{aux}, f)\}$.
    Return $\mathsf{aiae.ct}$.

  Procedure FINALIZE($\mathsf{aux}^*, f^* \in \mathcal{F}, \mathsf{aiae.ct}^*$):
    If $(\mathsf{aux}^*, f^*, \mathsf{aiae.ct}^*) \in \mathcal{Q}_{\mathrm{ENC}}$, Return 0.
    // Special rule:
    If there exists $(\mathsf{aux}, f) \in \mathcal{Q}_{\mathrm{AUXF}}$ such that $\mathsf{aux} = \mathsf{aux}^*$ but $f \neq f^*$, Return 0.
    Return ($\mathsf{AIAE.Dec}(f^*(k), \mathsf{aiae.ct}^*, \mathsf{aux}^*) \neq \bot$).

Fig. 5. Games IND-$\mathcal{F}$-RKA (left) and weak-INT-$\mathcal{F}$-RKA (right) for defining securities of the auxiliary-input authenticated encryption scheme AIAE. We note that the weak INT-$\mathcal{F}$-RKA security needs a special rule to return 0 in FINALIZE, as shown in the shaded box.

Definition 10 (IND-$\mathcal{F}$-RKA and Weak INT-$\mathcal{F}$-RKA Securities for AIAE). Scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak INT-$\mathcal{F}$-RKA secure if, for any PPT adversary $\mathcal{A}$, both $\mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\ell) := |\Pr[\text{IND-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1] - 1/2|$ and $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\ell) := \Pr[\text{weak-INT-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1]$ are negligible in $\ell$, where games IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are specified in Fig. 5.


4.2 AIAE from OT-secure AE and DDH Assumption

Let $\mathsf{AE} = (\mathsf{AE.Setup}, \mathsf{AE.Enc}, \mathsf{AE.Dec})$ be a traditional (without auxiliary-input) authenticated encryption scheme with key space $\mathcal{K}_{\mathsf{AE}}$ and message space $\mathcal{M}$. Let $\mathcal{H}_1 = \{H_1 : \{0,1\}^* \to \mathbb{Z}_N\}$ and $\mathcal{H}_2 = \{H_2 : \mathrm{QR}_{\bar N} \to \mathcal{K}_{\mathsf{AE}}\}$ be two families of hash functions with $|\mathcal{K}_{\mathsf{AE}}|/|\mathrm{QR}_{\bar N}|$ $(= |\mathcal{K}_{\mathsf{AE}}|/N) \le 2^{-\Omega(\ell)}$. The proposed scheme $\mathsf{AIAE} = (\mathsf{AIAE.Setup}, \mathsf{AIAE.Enc}, \mathsf{AIAE.Dec})$ with key space $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$, message space $\mathcal{M}$ and auxiliary-input space $\mathcal{AUX} = \{0,1\}^*$ is defined in Fig. 6.

$\mathsf{prm}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.Setup}(1^\ell)$:
  $(N, p, q) \leftarrow_\$ \mathsf{GenN}(1^\ell)$, i.e., pick two $\ell$-bit safe primes $p$ and $q$ such that $2pq + 1$ is also a prime, and $N := pq$.
  $\bar N := 2N + 1 = 2pq + 1$. $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$. $H_1 \leftarrow_\$ \mathcal{H}_1$, $H_2 \leftarrow_\$ \mathcal{H}_2$.
  Return $\mathsf{prm}_{\mathsf{AIAE}} := (N, p, q, \bar N, g_1, g_2, H_1, H_2)$.

$(c_1, c_2, \chi) \leftarrow_\$ \mathsf{AIAE.Enc}(k, m, \mathsf{aux})$:
  Parse $k = (k_1, k_2, k_3, k_4) \in \mathbb{Z}_N^4$.
  $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$. $(c_1, c_2) := (g_1^w, g_2^w) \in \mathrm{QR}_{\bar N}^2$.
  $t := H_1(c_1, c_2, \mathsf{aux}) \in \mathbb{Z}_N$.
  $\kappa := H_2\big(c_1^{\,k_1 + k_3 t} \cdot c_2^{\,k_2 + k_4 t}\big) \in \mathcal{K}_{\mathsf{AE}}$.
  $\chi \leftarrow_\$ \mathsf{AE.Enc}(\kappa, m)$.
  Return $(c_1, c_2, \chi)$.

$m/\bot \leftarrow \mathsf{AIAE.Dec}(k, (c_1, c_2, \chi), \mathsf{aux})$:
  Parse $k = (k_1, k_2, k_3, k_4) \in \mathbb{Z}_N^4$.
  If $(c_1, c_2) \notin \mathrm{QR}_{\bar N}^2 \;\vee\; (c_1, c_2) = (1, 1)$, Return $\bot$.
  $t := H_1(c_1, c_2, \mathsf{aux}) \in \mathbb{Z}_N$.
  $\kappa := H_2\big(c_1^{\,k_1 + k_3 t} \cdot c_2^{\,k_2 + k_4 t}\big) \in \mathcal{K}_{\mathsf{AE}}$.
  Return $m/\bot \leftarrow \mathsf{AE.Dec}(\kappa, \chi)$.

Fig. 6. Construction of the DDH-based AIAE from AE.

The correctness of AIAE follows from the correctness of AE directly. Note that the factors $p, q$ of $N$ in $\mathsf{prm}_{\mathsf{AIAE}}$ are not needed in the encryption and decryption algorithms of AIAE. Jumping ahead, the factors $p, q$ are necessary when the security of the PKEs presented in Sects. 5 and 6 is reduced to the security of AIAE. We now show the RKA-security of AIAE through the following theorem.

Theorem 1. If the underlying scheme AE is OT-secure, the DDH assumption holds w.r.t. $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$, $\mathcal{H}_1$ is collision resistant and $\mathcal{H}_2$ is universal, then the resulting scheme AIAE in Fig. 6 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, where the restricted affine function set is defined as

$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a,\mathbf{b})} : (k_1, k_2, k_3, k_4) \in \mathbb{Z}_N^4 \mapsto (a k_1 + b_1,\ a k_2 + b_2,\ a k_3 + b_3,\ a k_4 + b_4) \in \mathbb{Z}_N^4 \;\big|\; a \in \mathbb{Z}_N^*,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in \mathbb{Z}_N^4 \big\}.$$
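The construction of Fig. 6 and the behaviour Theorem 1 is about, as an added worked example in Python that is not code from the paper: it runs AIAE.Setup/Enc/Dec over $\mathrm{QR}_{\bar N}$, applies a restricted affine related key $f_{(a,\mathbf{b})} \in \mathcal{F}_{\mathrm{raff}}$, and shows decryption rejecting when $\mathsf{aux}$ is changed, when $(c_1, c_2) = (1, 1)$, or when $c_1 \notin \mathrm{QR}_{\bar N}$. The one-time AE, $H_1$ and $H_2$ are SHA-256-based stand-ins, and GenN is a toy search for 32-bit safe primes; these are assumptions of the example, not the paper's instantiation, and far too small for real use.

```python
import hashlib, hmac, random

# Added worked example (not the paper's code): the DDH-based AIAE of Fig. 6,
# a Kurosawa-Desmedt-style key derivation in QR_{N_bar} on top of a one-time AE.
# Assumptions: the one-time AE, H1 and H2 are SHA-256-based stand-ins, and GenN is
# a toy search for small safe primes (far too small for real use).
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin, exact below 3.3e24

def is_prime(n):
    if n < 2:
        return False
    if any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _rng(seed):
    return random.SystemRandom() if seed is None else random.Random(seed)

def gen_n(bits, rng):
    """Toy GenN: safe primes p = 2p'+1, q = 2q'+1 (each `bits` bits) with 2pq+1 prime."""
    def safe_prime():
        while True:
            pp = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_prime(pp) and is_prime(2 * pp + 1):
                return 2 * pp + 1
    while True:
        p, q = safe_prime(), safe_prime()
        if p != q and is_prime(2 * p * q + 1):
            return p * q, p, q

def setup(bits=32, seed=None):
    """AIAE.Setup: (N, p, q) <- GenN, N_bar := 2N + 1, g1, g2 <-$ QR_{N_bar} of order N."""
    rng = _rng(seed)
    N, p, q = gen_n(bits, rng)
    N_bar = 2 * N + 1
    def gen():
        while True:
            g = pow(rng.randrange(2, N_bar - 1), 2, N_bar)        # a square, hence in QR
            if pow(g, p, N_bar) != 1 and pow(g, q, N_bar) != 1:   # order exactly pq = N
                return g
    return {"N": N, "N_bar": N_bar, "g1": gen(), "g2": gen()}

def H1(N, c1, c2, aux):          # stand-in for H1: {0,1}* -> Z_N
    d = hashlib.sha256(b"H1|%d|%d|" % (c1, c2) + aux).digest()
    return int.from_bytes(d, "big") % N

def H2(x):                       # stand-in for H2: QR_{N_bar} -> K_AE (32-byte keys)
    return hashlib.sha256(b"H2|%d" % x).digest()

def _keystream(kappa, n):
    return b"".join(hashlib.sha256(kappa + b"|ks|%d" % i).digest() for i in range(n // 32 + 1))[:n]

def ae_enc(kappa, m):
    """Toy one-time AE (encrypt-then-MAC): keystream XOR, then an HMAC-SHA256 tag."""
    ct = bytes(a ^ b for a, b in zip(m, _keystream(kappa, len(m))))
    return ct + hmac.new(kappa, b"mac|" + ct, hashlib.sha256).digest()

def ae_dec(kappa, chi):
    """The message, or None (the paper's bottom) when the tag does not verify."""
    ct, tag = chi[:-32], chi[-32:]
    if len(chi) < 32 or not hmac.compare_digest(tag, hmac.new(kappa, b"mac|" + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kappa, len(ct))))

def _derive(prm, k, c1, c2, aux):
    """t := H1(c1, c2, aux); kappa := H2(c1^{k1 + k3 t} * c2^{k2 + k4 t})."""
    N, N_bar = prm["N"], prm["N_bar"]
    k1, k2, k3, k4 = k
    t = H1(N, c1, c2, aux)
    return H2(pow(c1, (k1 + k3 * t) % N, N_bar) * pow(c2, (k2 + k4 * t) % N, N_bar) % N_bar)

def aiae_enc(prm, k, m, aux, seed=None):
    """AIAE.Enc(k, m, aux): (c1, c2) := (g1^w, g2^w) with w <-$ Z_N \\ {0}."""
    w = _rng(seed).randrange(1, prm["N"])
    c1, c2 = pow(prm["g1"], w, prm["N_bar"]), pow(prm["g2"], w, prm["N_bar"])
    return (c1, c2, ae_enc(_derive(prm, k, c1, c2, aux), m))

def is_qr(prm, c):               # Euler's criterion, since |QR_{N_bar}| = N
    return 1 <= c < prm["N_bar"] and pow(c, prm["N"], prm["N_bar"]) == 1

def aiae_dec(prm, k, ct, aux):
    """AIAE.Dec: reject (c1, c2) outside QR_{N_bar}^2 or equal to (1, 1), else re-derive kappa."""
    c1, c2, chi = ct
    if not (is_qr(prm, c1) and is_qr(prm, c2)) or (c1, c2) == (1, 1):
        return None
    return ae_dec(_derive(prm, k, c1, c2, aux), chi)

def related_key(prm, k, a, b):
    """f_(a,b) in F_raff: (k1, .., k4) -> (a k1 + b1, .., a k4 + b4) mod N, a != 0."""
    return tuple((a * ki + bi) % prm["N"] for ki, bi in zip(k, b))
```

The membership test in `aiae_dec` is the step a careless implementation drops: with $\bar N$ prime and $|\mathrm{QR}_{\bar N}| = N$, Euler's criterion $c^N \equiv 1 \pmod{\bar N}$ decides membership, and it is what keeps $(c_1, c_2)$ inside the group the DDH assumption is stated for. Because $t = H_1(c_1, c_2, \mathsf{aux})$ enters the exponent, the same ciphertext presented with a different $\mathsf{aux}$ derives a different $\kappa$ and fails the AE tag check, which is the binding of $\mathsf{aux}$ that the special rule in Fig. 5 relies on.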
Proof of IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE in Theorem 1. The proof proceeds with a sequence of games. Suppose that $\mathcal{A}$ is a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE, who makes at most $Q_e$ Enc queries. Let $\Pr_i[\cdot]$ (resp., $\Pr'_i[\cdot]$) denote the probability of a particular event occurring in game $\mathsf{G}_i$ (resp., game $\mathsf{G}'_i$).

- Game $\mathsf{G}_1$: This is the original IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security game. Let $\mathsf{Win}$ denote the event that $\beta' = \beta$. Then by definition, $\mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\ell) = |\Pr_1[\mathsf{Win}] - \tfrac{1}{2}|$. Denote $\mathsf{prm}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, H_1, H_2)$ and $k = (k_1, k_2, k_3, k_4)$. To answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(m_{\lambda,0}, m_{\lambda,1}, \mathsf{aux}_\lambda, f_\lambda)$, where $f_\lambda = (a_\lambda, \mathbf{b}_\lambda = (b_{\lambda,1}, b_{\lambda,2}, b_{\lambda,3}, b_{\lambda,4})) \in \mathcal{F}_{\mathrm{raff}}$, the challenger proceeds as follows:

  1. pick $w_\lambda \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$ and compute $(c_{\lambda,1}, c_{\lambda,2}) := (g_1^{w_\lambda}, g_2^{w_\lambda}) \in \mathrm{QR}_{\bar N}^2$,

  2. compute a tag $t_\lambda := H_1(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda) \in \mathbb{Z}_N$,

  3. compute an encryption key for the AE scheme using the related key $f_\lambda(k)$:

     $$\kappa_\lambda := H_2\Big(c_{\lambda,1}^{\,(a_\lambda k_1 + b_{\lambda,1}) + (a_\lambda k_3 + b_{\lambda,3}) t_\lambda} \cdot c_{\lambda,2}^{\,(a_\lambda k_2 + b_{\lambda,2}) + (a_\lambda k_4 + b_{\lambda,4}) t_\lambda}\Big) \in \mathcal{K}_{\mathsf{AE}},$$

  4. invoke $\chi_\lambda \leftarrow_\$ \mathsf{AE.Enc}(\kappa_\lambda, m_{\lambda,\beta})$,

  and returns the challenge ciphertext $(c_{\lambda,1}, c_{\lambda,2}, \chi_\lambda)$ to the adversary $\mathcal{A}$.

- Game $\mathsf{G}_{1,i}$, $i \in [Q_e + 1]$: This game is the same as game $\mathsf{G}_1$, except that the challenger does not use the secret key $k$ to answer the $\lambda$-th ($\lambda \in [i-1]$) Enc query at all, and instead changes steps 1, 3 to steps 1', 3' as follows:

  1'. pick $w_{\lambda,1}, w_{\lambda,2} \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$ and compute $(c_{\lambda,1}, c_{\lambda,2}) := (g_1^{w_{\lambda,1}}, g_2^{w_{\lambda,2}})$,

  3'. choose an encryption key $\kappa_\lambda \leftarrow_\$ \mathcal{K}_{\mathsf{AE}}$ randomly for the AE scheme.

  The challenger still answers the $\lambda$-th ($\lambda \in [i, Q_e]$) Enc query as in $\mathsf{G}_1$, i.e., using steps 1, 3.

  Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$, thus $\Pr_1[\mathsf{Win}] = \Pr_{1,1}[\mathsf{Win}]$.

- Game $\mathsf{G}'_{1,i}$, $i \in [Q_e]$: This game is the same as game $\mathsf{G}_{1,i}$, except that the challenger answers the $i$-th Enc query using steps 1', 3 (rather than steps 1, 3 in game $\mathsf{G}_{1,i}$).

  The only difference between $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$ is the distribution of $(g_1, g_2, c_{i,1}, c_{i,2})$. In game $\mathsf{G}_{1,i}$, $(g_1, g_2, c_{i,1}, c_{i,2})$ is a DDH tuple, while in game $\mathsf{G}'_{1,i}$ it is a random tuple. It is straightforward to construct a PPT adversary to solve the DDH problem w.r.t. $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$, thus we have that $|\Pr_{1,i}[\mathsf{Win}] - \Pr'_{1,i}[\mathsf{Win}]| \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathsf{GenN}}(\ell)$.

  We analyze the difference between $\mathsf{G}'_{1,i}$ and $\mathsf{G}_{1,i+1}$ via the following lemma. Its proof is provided in the full version [HLL16].

  Lemma 1. For all $i \in [Q_e]$, $|\Pr'_{1,i}[\mathsf{Win}] - \Pr_{1,i+1}[\mathsf{Win}]| \le$ [bound not legible in the source].

- Game $\mathsf{G}_2$: This game is the same as game $\mathsf{G}_{1,Q_e+1}$, except that, to answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query, the challenger changes step 4 to step 4':

  4'. invoke $\chi_\lambda \leftarrow_\$ \mathsf{AE.Enc}(\kappa_\lambda, 0^{|m_{\lambda,0}|})$.

  In game $\mathsf{G}_{1,Q_e+1}$, the challenger computes the AE encryption of $m_{\lambda,\beta}$ under encryption key $\kappa_\lambda$ in Enc, while in game $\mathsf{G}_2$ it computes the AE encryption of $0^{|m_{\lambda,0}|}$ in Enc. In both games $\mathsf{G}_{1,Q_e+1}$ and $\mathsf{G}_2$, each $\kappa_\lambda$ is chosen uniformly from $\mathcal{K}_{\mathsf{AE}}$ and independent of other parts of the game. Therefore we can reduce the difference between $\mathsf{G}_{1,Q_e+1}$ and $\mathsf{G}_2$ to the IND-OT security of AE by a standard hybrid argument, and have that $|\Pr_{1,Q_e+1}[\mathsf{Win}] - \Pr_2[\mathsf{Win}]| \le Q_e \cdot \mathsf{Adv}^{\mathrm{ind\text{-}ot}}_{\mathsf{AE}}(\ell)$.

  Now in game $\mathsf{G}_2$, since the challenger always encrypts the constant message $0^{|m_{\lambda,0}|}$, the challenge bit $\beta$ is completely hidden. Then $\Pr_2[\mathsf{Win}] = 1/2$.

Taking all things together, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE follows. ■

Proof of Weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE in Theorem 1. Again, we prove it through a sequence of games. These games are defined almost the same as those in the previous proof. Suppose that $\mathcal{A}$ is a PPT adversary against the weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE, who makes at most $Q_e$ Enc queries.

- Game $\mathsf{G}_0$: This is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game. Denote $\mathsf{prm}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, H_1, H_2)$ and $k = (k_1, k_2, k_3, k_4)$. To answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(m_\lambda, \mathsf{aux}_\lambda, f_\lambda)$, the challenger proceeds with steps 1 ~ 4, similar to the previous proof, and returns the challenge ciphertext $(c_{\lambda,1}, c_{\lambda,2}, \chi_\lambda)$ to the adversary $\mathcal{A}$. Moreover, the challenger will put $(\mathsf{aux}_\lambda, f_\lambda, (c_{\lambda,1}, c_{\lambda,2}, \chi_\lambda))$ into a set $\mathcal{Q}_{\mathrm{ENC}}$, put $(\mathsf{aux}_\lambda, f_\lambda)$ into a set $\mathcal{Q}_{\mathrm{AUXF}}$, and put $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda, t_\lambda)$ into a set $\mathcal{Q}_{\mathrm{TAG}}$. Finally, the adversary outputs a forgery

  $$\big(\mathsf{aux}^*,\ f^* = (a^*, \mathbf{b}^* = (b_1^*, b_2^*, b_3^*, b_4^*)),\ (c_1^*, c_2^*, \chi^*)\big).$$

  Let $\mathsf{Forge}$ be the event that the following FINALIZE procedure outputs 1:

  • If $(\mathsf{aux}^*, f^*, (c_1^*, c_2^*, \chi^*)) \in \mathcal{Q}_{\mathrm{ENC}}$, Return 0.

  • If there exists $(\mathsf{aux}_\lambda, f_\lambda) \in \mathcal{Q}_{\mathrm{AUXF}}$ such that $\mathsf{aux}_\lambda = \mathsf{aux}^*$ but $f_\lambda \neq f^*$, Return 0.

  • If $(c_1^*, c_2^*) \notin \mathrm{QR}_{\bar N}^2 \;\vee\; (c_1^*, c_2^*) = (1, 1)$, Return 0.

  • $t^* := H_1(c_1^*, c_2^*, \mathsf{aux}^*)$, $\kappa^* := H_2\Big((c_1^*)^{(a^* k_1 + b_1^*) + (a^* k_3 + b_3^*) t^*} \cdot (c_2^*)^{(a^* k_2 + b_2^*) + (a^* k_4 + b_4^*) t^*}\Big)$.

  • Return ($\mathsf{AE.Dec}(\kappa^*, \chi^*) \neq \bot$).

  By definition, it follows that $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\ell) = \Pr_0[\mathsf{Forge}]$.

- Game $\mathsf{G}_1$: This game is the same as game $\mathsf{G}_0$, except that the challenger adds the following new rule to the FINALIZE procedure:

  • If there exists $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda, t_\lambda) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\lambda = t^*$ but $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda) \neq (c_1^*, c_2^*, \mathsf{aux}^*)$, Return 0.

  Since $t_\lambda = H_1(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda)$ and $t^* = H_1(c_1^*, c_2^*, \mathsf{aux}^*)$, any difference between $\mathsf{G}_0$ and $\mathsf{G}_1$ will imply a collision of $H_1$. Thus $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{cr}}_{\mathcal{H}_1}(\ell)$.

- Game $\mathsf{G}_{1,i}$, $i \in [Q_e + 1]$: This game is the same as game $\mathsf{G}_1$, except that the challenger does not use the secret key $k$ to answer the $\lambda$-th ($\lambda \in [i-1]$) Enc query at all, and instead changes the steps 1, 3 to the steps 1', 3' respectively, as in the previous proof.

  Clearly $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

- Game $\mathsf{G}'_{1,i}$, $i \in [Q_e]$: This game is the same as game $\mathsf{G}_{1,i}$ except that the challenger answers the $i$-th Enc query using steps 1', 3 (rather than steps 1, 3 in game $\mathsf{G}_{1,i}$), as in the previous proof.

  The only difference between $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$ is the distribution of $(g_1, g_2, c_{i,1}, c_{i,2})$. In game $\mathsf{G}_{1,i}$, $(g_1, g_2, c_{i,1}, c_{i,2})$ is a DDH tuple, while in game $\mathsf{G}'_{1,i}$ it is a random tuple. It is straightforward to construct a PPT adversary to solve the DDH problem w.r.t. $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$. We stress that the PPT adversary (simulator) can detect the occurrence of event $\mathsf{Forge}$ efficiently since it can choose the secret key $k = (k_1, k_2, k_3, k_4)$ itself. Thus we can reduce the difference between $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$ to the DDH assumption smoothly.

  Lemma 2. For all $i \in [Q_e]$, $|\Pr_{1,i}[\mathsf{Forge}] - \Pr'_{1,i}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathsf{GenN}}(\ell)$.

  Proof. We construct a PPT adversary $\mathcal{B}$ to solve the DDH problem. $\mathcal{B}$ is given $(N, p, q, g_1, g_2, g_1^{x_1}, g_2^{x_2})$, where $(N, p, q) \leftarrow_\$ \mathsf{GenN}(1^\ell)$, $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$, and aims to distinguish whether $x_1 = x_2 \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$ or $x_1, x_2 \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$.

  $\mathcal{B}$ will simulate game $\mathsf{G}_{1,i}$ or $\mathsf{G}'_{1,i}$ for adversary $\mathcal{A}$. First, $\mathcal{B}$ picks $H_1 \leftarrow_\$ \mathcal{H}_1$, $H_2 \leftarrow_\$ \mathcal{H}_2$ randomly, sets $\mathsf{prm}_{\mathsf{AIAE}} := (N, p, q, \bar N = 2N + 1, g_1, g_2, H_1, H_2)$ and sends $\mathsf{prm}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Then $\mathcal{B}$ generates the secret key $k = (k_1, k_2, k_3, k_4)$ itself.

  To answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(m_\lambda, \mathsf{aux}_\lambda, f_\lambda)$, where $f_\lambda = (a_\lambda, \mathbf{b}_\lambda = (b_{\lambda,1}, b_{\lambda,2}, b_{\lambda,3}, b_{\lambda,4})) \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ proceeds as follows:

  • If $\lambda \in [i-1]$, $\mathcal{B}$ proceeds the same as in $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$. That is, $\mathcal{B}$ picks $w_{\lambda,1}, w_{\lambda,2} \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$ randomly and sets $(c_{\lambda,1}, c_{\lambda,2}) := (g_1^{w_{\lambda,1}}, g_2^{w_{\lambda,2}})$. Then $\mathcal{B}$ chooses $\kappa_\lambda \leftarrow_\$ \mathcal{K}_{\mathsf{AE}}$ and invokes $\chi_\lambda \leftarrow_\$ \mathsf{AE.Enc}(\kappa_\lambda, m_\lambda)$.

  • If $\lambda \in [i+1, Q_e]$, $\mathcal{B}$ proceeds the same as in $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$. That is, $\mathcal{B}$ picks $w_\lambda \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$ randomly and sets $(c_{\lambda,1}, c_{\lambda,2}) := (g_1^{w_\lambda}, g_2^{w_\lambda})$. Then $\mathcal{B}$ computes $t_\lambda := H_1(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda)$, $\kappa_\lambda := H_2\big(c_{\lambda,1}^{\,(a_\lambda k_1 + b_{\lambda,1}) + (a_\lambda k_3 + b_{\lambda,3}) t_\lambda} \cdot c_{\lambda,2}^{\,(a_\lambda k_2 + b_{\lambda,2}) + (a_\lambda k_4 + b_{\lambda,4}) t_\lambda}\big)$ and invokes $\chi_\lambda \leftarrow_\$ \mathsf{AE.Enc}(\kappa_\lambda, m_\lambda)$.

  • If $\lambda = i$, $\mathcal{B}$ embeds its DDH challenge into $(c_{i,1}, c_{i,2}) := (g_1^{x_1}, g_2^{x_2})$. Then it computes $t_i := H_1(c_{i,1}, c_{i,2}, \mathsf{aux}_i)$, $\kappa_i := H_2\big(c_{i,1}^{\,(a_i k_1 + b_{i,1}) + (a_i k_3 + b_{i,3}) t_i} \cdot c_{i,2}^{\,(a_i k_2 + b_{i,2}) + (a_i k_4 + b_{i,4}) t_i}\big)$, and invokes $\chi_i \leftarrow_\$ \mathsf{AE.Enc}(\kappa_i, m_i)$.

  $\mathcal{B}$ returns the challenge ciphertext $(c_{\lambda,1}, c_{\lambda,2}, \chi_\lambda)$ to $\mathcal{A}$, and puts $(\mathsf{aux}_\lambda, f_\lambda, (c_{\lambda,1}, c_{\lambda,2}, \chi_\lambda))$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{aux}_\lambda, f_\lambda)$ into $\mathcal{Q}_{\mathrm{AUXF}}$, and $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda, t_\lambda)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

  In the case that $(N, p, q, g_1, g_2, g_1^{x_1}, g_2^{x_2})$ is a DDH tuple, i.e., $x_1 = x_2 \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$, $\mathcal{B}$ simulates game $\mathsf{G}_{1,i}$ perfectly for $\mathcal{A}$; in the case that $(N, p, q, g_1, g_2, g_1^{x_1}, g_2^{x_2})$ is a random tuple, i.e., $x_1, x_2 \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$, $\mathcal{B}$ simulates game $\mathsf{G}'_{1,i}$ perfectly for $\mathcal{A}$.

  Finally $\mathcal{B}$ receives a forgery $(\mathsf{aux}^*, f^*, (c_1^*, c_2^*, \chi^*))$ from $\mathcal{A}$, where $f^* = (a^*, \mathbf{b}^* = (b_1^*, b_2^*, b_3^*, b_4^*)) \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ determines whether or not the FINALIZE procedure outputs 1 using the secret key $k = (k_1, k_2, k_3, k_4)$. That is,

  • If $(\mathsf{aux}^*, f^*, (c_1^*, c_2^*, \chi^*)) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its DDH challenger).

  • If there exists $(\mathsf{aux}_\lambda, f_\lambda) \in \mathcal{Q}_{\mathrm{AUXF}}$ such that $\mathsf{aux}_\lambda = \mathsf{aux}^*$ but $f_\lambda \neq f^*$, $\mathcal{B}$ outputs 0.

  • If $(c_1^*, c_2^*) \notin \mathrm{QR}_{\bar N}^2 \;\vee\; (c_1^*, c_2^*) = (1, 1)$, $\mathcal{B}$ outputs 0.

  • $t^* := H_1(c_1^*, c_2^*, \mathsf{aux}^*)$, $\kappa^* := H_2\Big((c_1^*)^{(a^* k_1 + b_1^*) + (a^* k_3 + b_3^*) t^*} \cdot (c_2^*)^{(a^* k_2 + b_2^*) + (a^* k_4 + b_4^*) t^*}\Big)$.

  • If there exists $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda, t_\lambda) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\lambda = t^*$ but $(c_{\lambda,1}, c_{\lambda,2}, \mathsf{aux}_\lambda) \neq (c_1^*, c_2^*, \mathsf{aux}^*)$, $\mathcal{B}$ outputs 0.

  • Output ($\mathsf{AE.Dec}(\kappa^*, \chi^*) \neq \bot$).

  With the secret key $k = (k_1, k_2, k_3, k_4)$, $\mathcal{B}$ simulates FINALIZE perfectly, the same as in games $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$, and $\mathcal{B}$ outputs 1 to its DDH challenger if and only if FINALIZE outputs 1, i.e., the event $\mathsf{Forge}$ occurs.

  As a consequence, $|\Pr_{1,i}[\mathsf{Forge}] - \Pr'_{1,i}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathsf{GenN},\mathcal{B}}(\ell)$. ■

  We analyze the difference between $\mathsf{G}'_{1,i}$ and $\mathsf{G}_{1,i+1}$ via the following lemma, whose proof is in the full version [HLL16] due to lack of space.

  Lemma 3. For all $i \in [Q_e]$, $\Pr'_{1,i}[\mathsf{Forge}] \le \Pr_{1,i+1}[\mathsf{Forge}] + \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\ell) + 2^{-\Omega(\ell)}$.

  Now in game $\mathsf{G}_{1,Q_e+1}$, the challenger does not use the secret key $k$ to compute $\kappa_\lambda$ at all, hence $k = (k_1, k_2, k_3, k_4)$ is uniformly random to the adversary $\mathcal{A}$. As a result, in the FINALIZE procedure defining the event $\mathsf{Forge}$,

  $$\kappa^* = H_2(Y), \qquad Y := g_1^{\,a^* \cdot \big((w_1^* k_1 + w_2^* w k_2) + t^* \cdot (w_1^* k_3 + w_2^* w k_4)\big)} \cdot g_1^{\,(w_1^* b_1^* + w_2^* w b_2^*) + t^* \cdot (w_1^* b_3^* + w_2^* w b_4^*)},$$

  where $w = \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$ and $(w_1^*, w_2^*) = (\mathrm{dlog}_{g_1} c_1^*, \mathrm{dlog}_{g_2} c_2^*) \in \mathbb{Z}_N^2 \setminus \{(0, 0)\}$. The term $(w_1^* k_1 + w_2^* w k_2)$ is uniformly distributed over $\mathbb{Z}_N$. Then as long as $a^* \in \mathbb{Z}_N^*$, $Y$ will be uniformly distributed over $\mathrm{QR}_{\bar N}$ and independent of $H_2$. By the Leftover Hash Lemma, $\kappa^* = H_2(Y)$ is statistically close to the uniform distribution over $\mathcal{K}_{\mathsf{AE}}$. Thus $\mathsf{AE.Dec}(\kappa^*, \chi^*) \neq \bot$ will hold with probability at most $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\ell) + 2^{-\Omega(\ell)}$. Then $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\ell) + 2^{-\Omega(\ell)}$.

Taking all things together, the weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE follows. ■

Remark. We stress that the problem in the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security proof of LLJ's $\overline{\mathsf{AE}}$ does not appear here. The weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of our AIAE can be reduced to the DDH assumption smoothly. More precisely, in the security analysis of games $\mathsf{G}_{1,i}$ and $\mathsf{G}'_{1,i}$ (cf. Lemma 2), the simulator chooses the secret key itself and uses it to detect the occurrence of event $\mathsf{Forge}$ efficiently. Therefore the simulator can always make use of the difference between $\Pr_{1,i}[\mathsf{Forge}]$ and $\Pr'_{1,i}[\mathsf{Forge}]$ to solve the DDH problem.

5 PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Let $\mathsf{AIAE} = (\mathsf{AIAE.Setup}, \mathsf{AIAE.Enc}, \mathsf{AIAE.Dec})$ be the DDH-based auxiliary-input authenticated encryption scheme constructed from OT-secure AE, with key space $(\mathbb{Z}_N)^4$ and a suitable message space $\mathcal{M}$ (cf. Fig. 6). Following our approach in Fig. 1, we have to design the other two building blocks.

KEM: With respect to this AIAE, we design a KEM which can encapsulate a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.

$\mathcal{E}$: With respect to the affine function set $\mathcal{F}_{\mathrm{aff}}$, we design a public-key encryption $\mathcal{E}$ such that $\mathcal{E}.\mathsf{Enc}$ can be changed to an entropy filter for affine functions in a computationally indistinguishable way.

The proposed $\mathsf{PKE} = (\mathsf{Setup}, \mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is defined in Fig. 7, where the shadowed parts describe the algorithms of the building blocks KEM and $\mathcal{E}$.


$\mathsf{prm} \leftarrow_\$ \mathsf{Setup}(1^\ell)$:
  $\mathsf{prm}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.Setup}(1^\ell)$, where $\mathsf{prm}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, H_1, H_2)$, $N = pq$, $\bar N = 2N + 1$, $g_1, g_2 \in \mathrm{QR}_{\bar N}$.
  $\mathsf{prm}'_{\mathsf{AIAE}} := (N, \bar N, g_1, g_2, H_1, H_2)$.
  $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$ (these five elements of $\mathrm{SCR}_{N^s}$ are distinct from the two elements of $\mathrm{QR}_{\bar N}$ inside $\mathsf{prm}_{\mathsf{AIAE}}$, which are used only by AIAE).
  Return $\mathsf{prm} := (\mathsf{prm}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

$(\mathsf{pk}, \mathsf{sk}) \leftarrow_\$ \mathsf{Gen}(\mathsf{prm})$:
  $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$.
  $(h_1, h_2, h_3, h_4) := \big(g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}\big) \bmod N^s$.
  $\mathsf{pk} := (h_1, h_2, h_3, h_4)$.
  $\mathsf{sk} := (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$.
  Return $(\mathsf{pk}, \mathsf{sk})$.

$(\mathsf{aux}, \mathsf{aiae.ct}) \leftarrow_\$ \mathsf{Enc}(\mathsf{pk}, m)$:  $m \in [N^{s-1}]$
  // $(k, \mathsf{aux}) \leftarrow_\$ \mathsf{KEM.Enc}(\mathsf{pk})$:
  $k = (k_1, k_2, k_3, k_4) \leftarrow_\$ \mathbb{Z}_N^4$.
  $r \leftarrow_\$ [\lfloor N/4 \rfloor]$.
  $(u_1, u_2, u_3, u_4, u_5) := (g_1^r, g_2^r, g_3^r, g_4^r, g_5^r) \bmod N^2$.
  $(e_1, e_2, e_3, e_4) := (h_1^r T^{k_1}, h_2^r T^{k_2}, h_3^r T^{k_3}, h_4^r T^{k_4}) \bmod N^2$.
  $\mathsf{aux} := (u_1, \dots, u_5, e_1, \dots, e_4)$.
  // $\mathcal{E}.\mathsf{ct} \leftarrow_\$ \mathcal{E}.\mathsf{Enc}(\mathsf{pk}, m)$:
  $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$.
  $(\tilde u_1, \tilde u_2, \tilde u_3, \tilde u_4, \tilde u_5, \tilde u_6, \tilde u_7, \tilde u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$.
  $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^m \bmod N^s$.
  $t := g^m \bmod N \in \mathbb{Z}_N$.
  $\mathcal{E}.\mathsf{ct} := (\tilde u_1, \dots, \tilde u_8, e, t)$.
  $\mathsf{aiae.ct} \leftarrow_\$ \mathsf{AIAE.Enc}(k, \mathcal{E}.\mathsf{ct}, \mathsf{aux})$.
  Return $(\mathsf{aux}, \mathsf{aiae.ct})$.

$m/\bot \leftarrow \mathsf{Dec}(\mathsf{sk}, (\mathsf{aux}, \mathsf{aiae.ct}))$:
  // $k/\bot \leftarrow \mathsf{KEM.Dec}(\mathsf{sk}, \mathsf{aux})$:
  Parse $\mathsf{aux} = (u_1, \dots, u_5, e_1, \dots, e_4)$.
  If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$:
    $(k_1, k_2, k_3, k_4) := \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\ \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\ \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\ \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$.
    $k := (k_1, k_2, k_3, k_4)$.
  Else, Return $\bot$.
  $\mathcal{E}.\mathsf{ct}/\bot \leftarrow \mathsf{AIAE.Dec}(k, \mathsf{aiae.ct}, \mathsf{aux})$.
  // $m/\bot \leftarrow \mathcal{E}.\mathsf{Dec}(\mathsf{sk}, \mathcal{E}.\mathsf{ct})$:
  Parse $\mathcal{E}.\mathsf{ct} = (\tilde u_1, \dots, \tilde u_8, e, t)$.
  If $e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathrm{RU}_{N^s}$:
    $m := \mathrm{dlog}_T\big(e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}\big) \bmod N^{s-1}$.
    If $t = g^m \bmod N$, Return $m$.
  Else, Return $\bot$.

Fig. 7. Construction of PKE from AIAE. The shadowed parts describe the algorithms of the building blocks KEM and $\mathcal{E}$. Here $p, q$ contained in $\mathsf{prm}_{\mathsf{AIAE}}$ are not provided in $\mathsf{prm}'_{\mathsf{AIAE}}$, since they are not necessary in the encryption and decryption algorithms of AIAE.

The correctness of PKE follows from the correctness of AIAE, $\mathcal{E}$ and KEM directly. We now show its KDM-CCA security through the following theorem.
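The KEM part of Fig. 7 (the shaded KEM.Enc/KEM.Dec), as an added worked example in Python that is not the paper's code: it instantiates Gen, KEM.Enc and KEM.Dec with $s = 2$, where $\mathrm{dlog}_T$ on $\mathrm{RU}_{N^2}$ reduces to the one-line L-function $(v - 1)/N$, and it shows the $\mathrm{RU}_{N^2}$ membership check in KEM.Dec rejecting a malformed $\mathsf{aux}$. The safe primes $p = 7$, $q = 47$ and the seeds are constructed toy values, and the helper names are the example's own.

```python
import math
import random

# Added worked example (not the paper's code): the KEM building block of Fig. 7
# (the shaded KEM.Enc / KEM.Dec) with s = 2, where dlog_T is just the L-function
# (v - 1)/N.  Safe primes p = 7, q = 47 and the seeds are constructed toy values.

def toy_setup(seed=0):
    """Stand-in for Setup: N = pq, and g1..g5 <-$ SCR_{N^2} as 2N-th powers of units."""
    p, q = 7, 47
    N, N2 = p * q, (p * q) ** 2
    rng = random.Random(seed)
    gs = []
    while len(gs) < 5:
        r = rng.randrange(2, N2)
        if math.gcd(r, N) == 1:
            gs.append(pow(r, 2 * N, N2))
    return {"N": N, "N2": N2, "g": gs}

def gen(prm, seed=1):
    """Gen: sk = (x_j, y_j)_{j<=4} <-$ [N^2/4]; pk: h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    N2, g = prm["N2"], prm["g"]
    rng = random.Random(seed)
    sk = [(rng.randrange(N2 // 4), rng.randrange(N2 // 4)) for _ in range(4)]
    pk = [pow(g[j], -x, N2) * pow(g[j + 1], -y, N2) % N2 for j, (x, y) in enumerate(sk)]
    return pk, sk

def kem_enc(prm, pk, seed=2):
    """KEM.Enc: k <-$ Z_N^4, r <-$ [N/4]; aux = ((u_j = g_j^r)_{j<=5}, (e_j = h_j^r T^{k_j})_{j<=4})."""
    N, N2, g = prm["N"], prm["N2"], prm["g"]
    rng = random.Random(seed)
    k = tuple(rng.randrange(N) for _ in range(4))
    r = rng.randrange(N // 4)
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(pk[j], r, N2) * pow(1 + N, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)

def in_RU(prm, v):
    """v in RU_{N^2} = <T>: exactly the units of order dividing N (gcd(N, phi(N)) = 1 here)."""
    return pow(v, prm["N"], prm["N2"]) == 1

def kem_dec(prm, sk, aux):
    """KEM.Dec: v_j = e_j u_j^{x_j} u_{j+1}^{y_j} must lie in RU_{N^2}; then k_j = dlog_T(v_j)."""
    N, N2 = prm["N"], prm["N2"]
    u, e = aux
    k = []
    for j, (x, y) in enumerate(sk):
        v = e[j] * pow(u[j], x, N2) * pow(u[j + 1], y, N2) % N2   # = h_j^r g_j^{r x} g_{j+1}^{r y} T^{k_j} = T^{k_j}
        if not in_RU(prm, v):
            return None                                          # bottom: malformed aux
        k.append((v - 1) // N % N)                               # dlog_T for s = 2
    return tuple(k)

def tamper(prm, aux):
    """Constructed invalid aux: negate e_1, which pushes v_1 into the Z_2 part of Z_{N^2}^*."""
    u, e = aux
    return (u, [prm["N2"] - e[0]] + e[1:])
```

The check `in_RU` is the decryptor's only defence against $\mathsf{aux}$ values whose $u_j$ or $e_j$ carry components outside $\mathrm{RU}_{N^2}$; without it, `(v - 1) // N` would silently return a value for any $v \equiv 1 \pmod N$, and the proof's step (5) (rejecting $u_j \notin \mathrm{SCR}_{N^2}$) has nothing to build on.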
Theorem 2. If the underlying scheme AIAE is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, the DCR assumption holds w.r.t. $\mathsf{GenN}$ and group $\mathrm{QR}_{N^s}$, and the DL Assumption holds w.r.t. $\mathsf{GenN}$ and group $\mathrm{SCR}_{N^s}$, then the resulting scheme PKE in Fig. 7 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 2. Suppose that $\mathcal{A}$ is a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security of PKE, who makes at most $Q_e$ Enc queries and $Q_d$ Dec queries. We prove the theorem by defining a sequence of games. Before presenting the full detailed proof, we first give a high-level description of how $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security is achieved.

(1) For the $n$ secret key tuples, each tuple can be divided into two parts: for $i \in [n]$, $\mathsf{sk}_i = (x_{i,j}, y_{i,j})_{j=1}^4 = \big((x_{i,j}, y_{i,j})_{j=1}^4 \bmod N,\ (x_{i,j}, y_{i,j})_{j=1}^4 \bmod \phi(N)/4\big)$.

(2) Each secret key tuple can be generated by adding a random shift $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$ to a fixed base $(x_j, y_j)_{j=1}^4$, i.e., $\mathsf{sk}_i = (x_{i,j}, y_{i,j})_{j=1}^4 := (x_j + \bar x_{i,j},\ y_j + \bar y_{i,j})_{j=1}^4$.

(3) Every public key tuple $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ only reveals information about the ($\bmod\ \phi(N)/4$) part of the secret key tuple $\mathsf{sk}_i$.

(4) For each encryption query $(f_\lambda, i_\lambda)$ from the adversary, if the Enc oracle encrypts $f_\lambda(\mathsf{sk}_1, \dots, \mathsf{sk}_n)$, the ciphertext might reveal information about $\mathsf{sk}_{i_\lambda}$ through $\mathcal{E}.\mathsf{ct}$. We have to change this fact such that the leaked information about $\mathsf{sk}_{i_\lambda}$ in Enc is bounded.

  - By the $\mathrm{IV}_d$ assumption, we can change the generation of $\mathcal{E}.\mathsf{ct}$ by oracle Enc such that it does not reveal any information about $(x_j, y_j)_{j=1}^4 \bmod N$, i.e., the ($\bmod\ N$) part of the base secret key tuple.

  - By the $\mathrm{IV}_d$ assumption, we can change the generation of $\mathsf{kem.ct}$ ($= \mathsf{aux}$) by Enc such that it encapsulates a different key, other than the key used in $\mathsf{AIAE.Enc}$. If $\mathsf{AIAE.Enc}$ uses key $(r_\lambda k_j^* + s_{\lambda,j})_{j=1}^4$, then $\mathsf{KEM.Enc}$ encapsulates $\big(r_\lambda(k_j^* - \alpha_j x_j - \alpha_{j+1} y_j) - r_\lambda(\alpha_j \bar x_{i_\lambda,j} + \alpha_{j+1} \bar y_{i_\lambda,j}) + s_{\lambda,j}\big)_{j=1}^4 \bmod N$. Thus, $(k_1^*, \dots, k_4^*)$ is now protected by $(x_j, y_j)_{j=1}^4 \bmod N$.

(5) Oracle Dec might also leak information about $(x_j, y_j)_{j=1}^4 \bmod N$. Therefore, we change how oracle Dec works so that decryption does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more. Observe that as long as the ciphertext queried by the adversary satisfies $\forall j \in [5],\ u_j \in \mathrm{SCR}_{N^2}$ and $\forall j \in [8],\ \tilde u_j \in \mathrm{SCR}_{N^s}$, Dec can use $\phi(N)$ and the ($\bmod\ \phi(N)/4$) part of the secret key for decryption.

  - If $\exists j \in [5],\ u_j \notin \mathrm{SCR}_{N^2}$ in the ciphertext queried by the adversary, we expect that $\mathsf{AIAE.Dec}$ will reject, due to its weak INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

  - If $\exists j \in [8],\ \tilde u_j \notin \mathrm{SCR}_{N^s}$ in the ciphertext queried by the adversary, we expect decryption will result in $t \neq g^m \bmod N$, so $\mathcal{E}.\mathsf{Dec}$ will reject.

(6) Consequently, both $(x_j, y_j)_{j=1}^4 \bmod N$ and $(k_1^*, \dots, k_4^*)$ are random to the adversary, and $\mathsf{AIAE.Enc}$ always uses the restricted affine function of $(k_1^*, \dots, k_4^*)$ for encryption. Then the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE implies the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security.

In the proof, $\mathsf{G}_1$-$\mathsf{G}_2$ are dedicated to dealing with the $n$-user case; the aim of $\mathsf{G}_3$-$\mathsf{G}_4$ is to eliminate the use of the ($\bmod\ N$) part of $(x_j, y_j)_{j=1}^4$ in Enc; the aim of $\mathsf{G}_5$-$\mathsf{G}_6$ is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide the AIAE's base key $(k_1^*, \dots, k_4^*)$ in Enc; however, Dec may still leak information about $(x_j, y_j)_{j=1}^4 \bmod N$; the aim of $\mathsf{G}_7$-$\mathsf{G}_8$ is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in Dec; finally, in $\mathsf{G}_9$-$\mathsf{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE is used to prove the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security of PKE, since $(k_1^*, \dots, k_4^*)$ is perfectly hidden by $(x_j, y_j)_{j=1}^4 \bmod N$.

- Game $\mathsf{G}_0$: This is the original $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Let $\mathsf{Win}$ denote the event that $\beta' = \beta$. Then by definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\ell) = |\Pr_0[\mathsf{Win}] - \tfrac{1}{2}|$. Denote by $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ the public and secret keys of the $i$-th user respectively, $i \in [n]$.

- Game $\mathsf{G}_1$: This game is the same as game $\mathsf{G}_0$, except that, when answering the Dec query $((\mathsf{aux}, \mathsf{aiae.ct}), i \in [n])$, the challenger outputs $\bot$ if $(\mathsf{aux}, \mathsf{aiae.ct}) = (\mathsf{aux}_\lambda, \mathsf{aiae.ct}_\lambda)$ for some $\lambda \in [Q_e]$, where $(\mathsf{aux}_\lambda, \mathsf{aiae.ct}_\lambda)$ is the challenge ciphertext for the $\lambda$-th Enc query $(f_\lambda, i_\lambda)$.

  Case 1: $((\mathsf{aux}, \mathsf{aiae.ct}), i) = ((\mathsf{aux}_\lambda, \mathsf{aiae.ct}_\lambda), i_\lambda)$. Dec will output $\bot$ in game $\mathsf{G}_0$ since $((\mathsf{aux}_\lambda, \mathsf{aiae.ct}_\lambda), i_\lambda)$ is prohibited.

  Case 2: $(\mathsf{aux}, \mathsf{aiae.ct}) = (\mathsf{aux}_\lambda, \mathsf{aiae.ct}_\lambda)$ but $i \neq i_\lambda$. We show that in game $\mathsf{G}_0$, Dec will output $\bot$, due to $e_{\lambda,1} u_{\lambda,1}^{x_{i,1}} u_{\lambda,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$, with overwhelming probability. Recall that $u_{\lambda,1} = g_1^{r_\lambda}$, $u_{\lambda,2} = g_2^{r_\lambda}$, $e_{\lambda,1} = h_{i_\lambda,1}^{r_\lambda} T^{k_{\lambda,1}}$, so

  $$e_{\lambda,1} u_{\lambda,1}^{x_{i,1}} u_{\lambda,2}^{y_{i,1}} = h_{i_\lambda,1}^{r_\lambda} T^{k_{\lambda,1}} \cdot (g_1^{r_\lambda})^{x_{i,1}} (g_2^{r_\lambda})^{y_{i,1}} = \big(h_{i_\lambda,1} h_{i,1}^{-1}\big)^{r_\lambda} T^{k_{\lambda,1}} \bmod N^2,$$

  where $h_{i_\lambda,1}$ and $h_{i,1}$ are parts of the public keys of the different users $i_\lambda$ and $i$ respectively, and are uniformly distributed over $\mathrm{SCR}_{N^s}$. So $h_{i_\lambda,1} h_{i,1}^{-1} \neq 1$, hence $e_{\lambda,1} u_{\lambda,1}^{x_{i,1}} u_{\lambda,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$, except with probability $2^{-\Omega(\ell)}$.

  By a union bound, $\mathsf{G}_0$ and $\mathsf{G}_1$ are identical except with probability $Q_d \cdot 2^{-\Omega(\ell)}$, therefore $|\Pr_0[\mathsf{Win}] - \Pr_1[\mathsf{Win}]| \le Q_d \cdot 2^{-\Omega(\ell)}$.

- Game $\mathsf{G}_2$: This game is the same as game $\mathsf{G}_1$, except that the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$, in a different way. First, it chooses random $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$, $i \in [n]$, from $[\lfloor N^2/4 \rfloor]$; then it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

  Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence $\mathsf{G}_2$ is identical to $\mathsf{G}_1$, and $\Pr_1[\mathsf{Win}] = \Pr_2[\mathsf{Win}]$.

- Game $\mathsf{G}_3$: This game is the same as game $\mathsf{G}_2$, except that, when responding to the adversary's $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$, instead of using the public keys $\mathsf{pk}_{i_\lambda} = (h_{i_\lambda,1}, \dots, h_{i_\lambda,4})$, the challenger uses the secret keys $\mathsf{sk}_{i_\lambda} = (x_{i_\lambda,1}, y_{i_\lambda,1}, \dots, x_{i_\lambda,4}, y_{i_\lambda,4})$ to prepare $(e_{\lambda,1}, \dots, e_{\lambda,4})$ and $e_\lambda$ as follows:

  $$(e_{\lambda,1}, \dots, e_{\lambda,4}) := \big(u_{\lambda,1}^{-x_{i_\lambda,1}} u_{\lambda,2}^{-y_{i_\lambda,1}} T^{k_{\lambda,1}},\ \dots,\ u_{\lambda,4}^{-x_{i_\lambda,4}} u_{\lambda,5}^{-y_{i_\lambda,4}} T^{k_{\lambda,4}}\big) \bmod N^2,$$

  $$e_\lambda := \tilde u_{\lambda,1}^{-x_{i_\lambda,1}} \tilde u_{\lambda,2}^{-y_{i_\lambda,1}} \cdots \tilde u_{\lambda,7}^{-x_{i_\lambda,4}} \tilde u_{\lambda,8}^{-y_{i_\lambda,4}} \cdot T^{m_\lambda} \bmod N^s.$$

  Observe that for $j \in \{1, 2, 3, 4\}$,

  $$e_{\lambda,j} = h_{i_\lambda,j}^{r_\lambda} T^{k_{\lambda,j}} = \big(g_j^{-x_{i_\lambda,j}} g_{j+1}^{-y_{i_\lambda,j}}\big)^{r_\lambda} T^{k_{\lambda,j}} = u_{\lambda,j}^{-x_{i_\lambda,j}} u_{\lambda,j+1}^{-y_{i_\lambda,j}} T^{k_{\lambda,j}} \bmod N^2,$$

  $$e_\lambda = h_{i_\lambda,1}^{r_{\lambda,1}} \cdots h_{i_\lambda,4}^{r_{\lambda,4}} T^{m_\lambda} = \big(g_1^{-x_{i_\lambda,1}} g_2^{-y_{i_\lambda,1}}\big)^{r_{\lambda,1}} \cdots \big(g_4^{-x_{i_\lambda,4}} g_5^{-y_{i_\lambda,4}}\big)^{r_{\lambda,4}} T^{m_\lambda} = \tilde u_{\lambda,1}^{-x_{i_\lambda,1}} \tilde u_{\lambda,2}^{-y_{i_\lambda,1}} \cdots \tilde u_{\lambda,7}^{-x_{i_\lambda,4}} \tilde u_{\lambda,8}^{-y_{i_\lambda,4}} T^{m_\lambda} \bmod N^s.$$

  Thus $\mathsf{G}_3$ is identical to $\mathsf{G}_2$, and $\Pr_2[\mathsf{Win}] = \Pr_3[\mathsf{Win}]$.

- Game $\mathsf{G}_4$: This game is the same as game $\mathsf{G}_3$, except that, in the case of the challenge bit $\beta = 1$, to answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$ the challenger does not use $(x_1, y_1, \dots, x_4, y_4) \bmod N$ to compute $e_\lambda$ any more, and instead computes $(\tilde u_{\lambda,1}, \dots, \tilde u_{\lambda,8})$ and $e_\lambda$ as follows:

  $$(\tilde u_{\lambda,1}, \dots, \tilde u_{\lambda,8}) := \Big(g_1^{r_{\lambda,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\lambda,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\lambda,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\lambda,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\lambda,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\lambda,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\lambda,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\lambda,4}} T^{\sum_{i=1}^n b_{i,4}}\Big) \bmod N^s,$$

  $$e_\lambda := h_{i_\lambda,1}^{r_{\lambda,1}} h_{i_\lambda,2}^{r_{\lambda,2}} h_{i_\lambda,3}^{r_{\lambda,3}} h_{i_\lambda,4}^{r_{\lambda,4}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \big(a_{i,j}(x_{i,j} - x_{i_\lambda,j}) + b_{i,j}(y_{i,j} - y_{i_\lambda,j})\big) + c} \bmod N^s,$$

  where $f_\lambda = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that $x_{i,j} - x_{i_\lambda,j} = \bar x_{i,j} - \bar x_{i_\lambda,j}$ and $y_{i,j} - y_{i_\lambda,j} = \bar y_{i,j} - \bar y_{i_\lambda,j}$, so the base $(x_j, y_j)_{j=1}^4$ cancels out in the exponent of $T$.

  Observe that

  $$\begin{aligned}
  e_\lambda &= h_{i_\lambda,1}^{r_{\lambda,1}} \cdots h_{i_\lambda,4}^{r_{\lambda,4}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\lambda,j}) + b_{i,j}(y_{i,j} - y_{i_\lambda,j})) + c} \\
  &= \big(g_1^{-x_{i_\lambda,1}} g_2^{-y_{i_\lambda,1}}\big)^{r_{\lambda,1}} \cdots \big(g_4^{-x_{i_\lambda,4}} g_5^{-y_{i_\lambda,4}}\big)^{r_{\lambda,4}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\lambda,j}) + b_{i,j}(y_{i,j} - y_{i_\lambda,j})) + c} \\
  &= \tilde u_{\lambda,1}^{-x_{i_\lambda,1}} \tilde u_{\lambda,2}^{-y_{i_\lambda,1}} \cdots \tilde u_{\lambda,7}^{-x_{i_\lambda,4}} \tilde u_{\lambda,8}^{-y_{i_\lambda,4}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\lambda,j} + b_{i,j} y_{i_\lambda,j})} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\lambda,j}) + b_{i,j}(y_{i,j} - y_{i_\lambda,j})) + c} \\
  &= \tilde u_{\lambda,1}^{-x_{i_\lambda,1}} \tilde u_{\lambda,2}^{-y_{i_\lambda,1}} \cdots \tilde u_{\lambda,7}^{-x_{i_\lambda,4}} \tilde u_{\lambda,8}^{-y_{i_\lambda,4}} \cdot T^{m_\lambda} \bmod N^s,
  \end{aligned}$$

  where the third equality follows from $m_\lambda = \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i,j} + b_{i,j} y_{i,j}) + c$.

  Therefore, $e_\lambda$ can be computed from $(\tilde u_{\lambda,1}, \dots, \tilde u_{\lambda,8})$ in the same way in $\mathsf{G}_3$ and $\mathsf{G}_4$. Hence the only difference between $\mathsf{G}_3$ and $\mathsf{G}_4$ is the distribution of $(\tilde u_{\lambda,1}, \dots, \tilde u_{\lambda,8})$ themselves. We analyze the difference via the following lemma, and the proof is presented in the full version [HLL16].

  Lemma 4. There exists a PPT adversary $\mathcal{B}_1$ against the $\mathrm{IV}_5$ assumption w.r.t. $\mathsf{GenN}$ and $\mathrm{QR}_{N^s}$, such that $|\Pr_3[\mathsf{Win}] - \Pr_4[\mathsf{Win}]| \le \mathsf{Adv}^{\mathrm{iv}_5}_{\mathsf{GenN},\mathcal{B}_1}(\ell)$.

- Game $\mathsf{G}_5$: This game is the same as game $\mathsf{G}_4$, except that the challenger chooses random $r^* \in [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \in \mathbb{Z}_N$ beforehand (in INITIALIZE). In addition, to respond to the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$, the challenger computes $(u_{\lambda,1}, \dots, u_{\lambda,5})$ as follows:

  • $(u_{\lambda,1}, \dots, u_{\lambda,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\lambda}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\lambda}\big) \bmod N^2$.

  The only difference between $\mathsf{G}_4$ and $\mathsf{G}_5$ is the distribution of $(u_{\lambda,1}, \dots, u_{\lambda,5})$. In game $\mathsf{G}_4$, it equals $(g_1^{r_\lambda}, \dots, g_5^{r_\lambda}) \bmod N^2$, while in game $\mathsf{G}_5$ it equals $((g_1^{r^*} T^{\alpha_1})^{r_\lambda}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\lambda}) \bmod N^2$. Similar to the previous lemma, it is straightforward to construct a PPT adversary to solve the $\mathrm{IV}_5$ problem by employing the power of adversary $\mathcal{A}$. Thus $|\Pr_4[\mathsf{Win}] - \Pr_5[\mathsf{Win}]| \le \mathsf{Adv}^{\mathrm{iv}_5}_{\mathsf{GenN}}(\ell)$.
- Game $\mathsf{G}_6$: This game is the same as game $\mathsf{G}_5$, except that, the challenger chooses a random tuple $\mathsf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ beforehand (in Initialize). In addition, to respond to the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$, the challenger uses a different way to generate $\mathsf{k}_\lambda = (k_{\lambda,1}, k_{\lambda,2}, k_{\lambda,3}, k_{\lambda,4})$ and $(e_{\lambda,1}, \dots, e_{\lambda,4})$:

• pick $\mathsf{s}_\lambda = (s_{\lambda,1}, s_{\lambda,2}, s_{\lambda,3}, s_{\lambda,4}) \in \mathbb{Z}_N^4$ and $r_\lambda \in [\lfloor N/4 \rfloor]$ uniformly, and compute $\mathsf{k}_\lambda = (k_{\lambda,1}, k_{\lambda,2}, k_{\lambda,3}, k_{\lambda,4}) := (r_\lambda k_1^* + s_{\lambda,1}, \dots, r_\lambda k_4^* + s_{\lambda,4})$.

• $(e_{\lambda,1}, \dots, e_{\lambda,4}) := \Big(h_{i_\lambda,1}^{r^* r_\lambda}\, T^{r_\lambda (k_1^* - \alpha_1 x_{i_\lambda,1} - \alpha_2 y_{i_\lambda,1}) + s_{\lambda,1}},\ \dots,\ h_{i_\lambda,4}^{r^* r_\lambda}\, T^{r_\lambda (k_4^* - \alpha_4 x_{i_\lambda,4} - \alpha_5 y_{i_\lambda,4}) + s_{\lambda,4}}\Big) \bmod N^2$.

Clearly $\mathsf{k}_\lambda$ is uniformly distributed over $\mathbb{Z}_N^4$ as in game $\mathsf{G}_5$. At the same time, observe that for $j \in \{1, 2, 3, 4\}$,

$$\begin{aligned}
e_{\lambda,j} &= u_{\lambda,j}^{-x_{i_\lambda,j}}\, u_{\lambda,j+1}^{-y_{i_\lambda,j}}\, T^{k_{\lambda,j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\lambda x_{i_\lambda,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\lambda y_{i_\lambda,j}}\, T^{k_{\lambda,j}} \\
&= \big(g_j^{-x_{i_\lambda,j}} g_{j+1}^{-y_{i_\lambda,j}}\big)^{r^* r_\lambda}\, T^{k_{\lambda,j} - r_\lambda(\alpha_j x_{i_\lambda,j} + \alpha_{j+1} y_{i_\lambda,j})} \\
&= h_{i_\lambda,j}^{r^* r_\lambda}\, T^{r_\lambda (k_j^* - \alpha_j x_{i_\lambda,j} - \alpha_{j+1} y_{i_\lambda,j}) + s_{\lambda,j}} \bmod N^2.
\end{aligned}$$

Thus $\mathsf{G}_6$ is identical to $\mathsf{G}_5$, and $\Pr_5[\mathsf{Win}] = \Pr_6[\mathsf{Win}]$.

- Game $\mathsf{G}_7$: This game is the same as game $\mathsf{G}_6$, except for a modification to answering the Dec queries $((\mathsf{aux}, \mathsf{aiae.ct}), i \in [n])$. The challenger uses the $i$-th user's secret key $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ together with $\phi(N)$ to compute the decryption of ciphertext $(\mathsf{aux}, \mathsf{aiae.ct})$, where $\mathsf{aux} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathsf{k} = (k_1, \dots, k_4)$ and $m$ as follows:

• $(\alpha'_1, \dots, \alpha'_5) := \big(\mathrm{dlog}_T(u_1^{\phi(N)})/\phi(N), \dots, \mathrm{dlog}_T(u_5^{\phi(N)})/\phi(N)\big) \bmod N$,
$(\gamma'_1, \dots, \gamma'_4) := \big(\mathrm{dlog}_T(e_1^{\phi(N)})/\phi(N), \dots, \mathrm{dlog}_T(e_4^{\phi(N)})/\phi(N)\big) \bmod N$,
$\mathsf{k} = (k_1, \dots, k_4) := (\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \dots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4) \bmod N$,

• $\mathcal{E}.\mathsf{ct} = (u_1, \dots, u_8, e, t)/\bot \leftarrow \mathsf{AIAE.Dec}(\mathsf{k}, \mathsf{aiae.ct}, \mathsf{aux})$,

• $(\alpha_1, \dots, \alpha_8) := \big(\mathrm{dlog}_T(u_1^{\phi(N)})/\phi(N), \dots, \mathrm{dlog}_T(u_8^{\phi(N)})/\phi(N)\big) \bmod N^{s-1}$, $\gamma := \mathrm{dlog}_T(e^{\phi(N)})/\phi(N) \bmod N^{s-1}$, and $m := \alpha_1 x_{i,1} + \alpha_2 y_{i,1} + \alpha_3 x_{i,2} + \alpha_4 y_{i,2} + \alpha_5 x_{i,3} + \alpha_6 y_{i,3} + \alpha_7 x_{i,4} + \alpha_8 y_{i,4} + \gamma \bmod N^{s-1}$.

According to Eq. (1), for $j \in \{1, 2, 3, 4\}$, we have that

$$\begin{aligned}
k_j &= \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)/\phi(N) \bmod N \\
&= \mathrm{dlog}_T\big(u_j^{\phi(N) \cdot x_{i,j}}\big)/\phi(N) + \mathrm{dlog}_T\big(u_{j+1}^{\phi(N) \cdot y_{i,j}}\big)/\phi(N) + \mathrm{dlog}_T\big(e_j^{\phi(N)}\big)/\phi(N) \\
&= \mathrm{dlog}_T\big(u_j^{\phi(N)}\big)/\phi(N) \cdot x_{i,j} + \mathrm{dlog}_T\big(u_{j+1}^{\phi(N)}\big)/\phi(N) \cdot y_{i,j} + \mathrm{dlog}_T\big(e_j^{\phi(N)}\big)/\phi(N),
\end{aligned}$$

$$\begin{aligned}
m &= \mathrm{dlog}_T\big(e\, u_1^{x_{i,1}} u_2^{y_{i,1}} u_3^{x_{i,2}} u_4^{y_{i,2}} u_5^{x_{i,3}} u_6^{y_{i,3}} u_7^{x_{i,4}} u_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&= \mathrm{dlog}_T\big(u_1^{\phi(N)}\big)/\phi(N) \cdot x_{i,1} + \cdots + \mathrm{dlog}_T\big(u_8^{\phi(N)}\big)/\phi(N) \cdot y_{i,4} + \mathrm{dlog}_T\big(e^{\phi(N)}\big)/\phi(N).
\end{aligned}$$

These changes are conceptual. So $\mathsf{G}_7$ is identical to $\mathsf{G}_6$, and $\Pr_6[\mathsf{Win}] = \Pr_7[\mathsf{Win}]$.
- Game $\mathsf{G}_8$: This game is the same as game $\mathsf{G}_7$, except that, the challenger adds an additional rejection rule when answering Dec queries as follows:

• if $\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \alpha_1 \neq 0 \vee \cdots \vee \alpha_8 \neq 0$, return $\bot$.

That is, the challenger will not output $m$ in Dec unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\alpha_1 = \cdots = \alpha_8 = 0$ hold. Thus the values of $(x_{i,j}, y_{i,j})_{j=1}^4 \bmod N$, in particular $(x_j, y_j)_{j=1}^4 \bmod N$, are not used any more in Dec.
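The $\phi(N)$-based decryption of $\mathsf{G}_7$ and the rejection rule of $\mathsf{G}_8$, worked through on a toy instance. This is an added example, not code from the paper; it assumes tiny primes, $s = 2$, and random $g_1, \dots, g_5 \in \mathbb{SCR}_{N^2}$.

```python
"""Added example (not from the paper): the alternative KEM decryption of
game G7, which needs the secret key only modulo N and otherwise uses
phi(N), plus the extra rejection rule of game G8.

Assumptions (ours): toy primes p, q with no security value, s = 2 so all
group arithmetic is in Z*_{N^2}, T = 1 + N, and g_1..g_5 are random
elements of SCR_{N^2}, the 2N-th powers.  k_j, alpha'_j, gamma'_j are in Z_N.
"""
import math
import random

P_, Q_ = 1009, 1013                       # toy primes (assumption)
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)                 # phi(N), known to the challenger
N2 = N * N
T = 1 + N                                 # order N in Z*_{N^2}
rng = random.Random(11)


def rand_scr():
    """Random element of SCR_{N^2}; every such w satisfies w^phi(N) = 1."""
    while True:
        a = rng.randrange(2, N2)
        if math.gcd(a, N) == 1:
            return pow(a, 2 * N, N2)


G = [rand_scr() for _ in range(5)]        # g_1, ..., g_5 (0-indexed)


def keygen():
    """sk = (x_1, y_1, ..., x_4, y_4); pk h_j = g_j^{-x_j} g_{j+1}^{-y_j}."""
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(G[j], -sk[2 * j], N2) * pow(G[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return sk, pk


def kem_encap(pk, k, taint=0):
    """u_j = g_j^r, e_j = h_j^r T^{k_j}.  taint != 0 multiplies u_1 by T^taint,
    i.e. a malformed u_1 outside SCR_{N^2} (the case G8 rejects)."""
    r = rng.randrange(N // 4)
    u = [pow(g, r, N2) for g in G]
    u[0] = u[0] * pow(T, taint, N2) % N2
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return u, e


def dlog_t(z):
    """dlog_T on RU_{N^2} = <T> = {1 + xN mod N^2}: (z - 1)/N mod N."""
    if (z - 1) % N:
        raise ValueError("element is not in RU_{N^2}")
    return (z - 1) // N % N


def t_part(z):
    """alpha such that z = w * T^alpha with w in SCR_{N^2}: raising to
    phi(N) kills w and leaves T^{alpha*phi(N)}; divide by phi(N) mod N."""
    return dlog_t(pow(z, PHI, N2)) * pow(PHI, -1, N) % N


def decap_normal(sk, u, e):
    """Decryption via Eq. (1): k_j = dlog_T(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})."""
    return [dlog_t(e[j] * pow(u[j], sk[2 * j], N2)
                   * pow(u[j + 1], sk[2 * j + 1], N2) % N2) for j in range(4)]


def decap_with_phi(sk, u, e, g8_rule=True):
    """G7: k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N, so only
    sk mod N is used.  G8: additionally reject (None) unless every
    alpha'_j is 0, i.e. unless all u_j lie in SCR_{N^2}."""
    alpha = [t_part(z) for z in u]
    gamma = [t_part(z) for z in e]
    if g8_rule and any(alpha):
        return None
    return [(alpha[j] * sk[2 * j] + alpha[j + 1] * sk[2 * j + 1] + gamma[j]) % N
            for j in range(4)]


def demo(k=(1, 2, 3, 4)):
    """Honest ciphertext: both decryptions agree.  Tainted u_1: the G7
    formula still matches Eq. (1), and the G8 rule rejects it."""
    sk, pk = keygen()
    u, e = kem_encap(pk, list(k))
    u2, e2 = kem_encap(pk, list(k), taint=5)
    return {
        "honest_normal": decap_normal(sk, u, e),
        "honest_phi": decap_normal(sk, u, e) == decap_with_phi(sk, u, e),
        "taint_rejected": decap_with_phi(sk, u2, e2) is None,
        "taint_phi_matches_eq1": decap_with_phi(sk, u2, e2, g8_rule=False)
                                 == decap_normal(sk, u2, e2),
        "taint_changes_key": decap_normal(sk, u2, e2) != list(k),
    }
```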

Let $\mathsf{Bad}$ denote the event that $\mathcal{A}$ makes a Dec query $((\mathsf{aux}, \mathsf{aiae.ct}), i \in [n])$, such that

$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}},\ \dots,\ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathbb{RU}_{N^2}\ \wedge\ \mathsf{AIAE.Dec}(\mathsf{k}, \mathsf{aiae.ct}, \mathsf{aux}) \neq \bot \tag{2}$$
$$\wedge\ e\, u_1^{x_{i,1}} u_2^{y_{i,1}} \cdots u_8^{y_{i,4}} \in \mathbb{RU}_{N^s}\ \wedge\ t = g_1^m \bmod N \tag{3}$$
$$\wedge\ (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \alpha_1 \neq 0 \vee \cdots \vee \alpha_8 \neq 0).$$

Clearly, games $\mathsf{G}_7$ and $\mathsf{G}_8$ are the same until $\mathsf{Bad}$ happens. Therefore, we have that $|\Pr_7[\mathsf{Win}] - \Pr_8[\mathsf{Win}]| \le \Pr_8[\mathsf{Bad}]$.

To prove that $\mathsf{G}_7$ and $\mathsf{G}_8$ are indistinguishable, we have to show that $\Pr_8[\mathsf{Bad}]$ is negligible. This is not an easy task, and we further divide $\mathsf{Bad}$ into two disjoint sub-events:

* $\mathsf{Bad}'$ denotes the event that $\mathcal{A}$ makes a Dec query such that Conditions (2), (3) hold $\wedge\ (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0)$.

* $\widehat{\mathsf{Bad}}$ denotes the event that $\mathcal{A}$ makes a Dec query such that Conditions (2), (3) hold $\wedge\ (\alpha'_1 = \cdots = \alpha'_5 = 0) \wedge (\alpha_1 \neq 0 \vee \cdots \vee \alpha_8 \neq 0)$.

Then $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widehat{\mathsf{Bad}}]$. We give an upper bound for $\Pr_8[\mathsf{Bad}']$ via the following lemma. See the full version [HLL16] for the proof. The analysis of $\Pr_8[\widehat{\mathsf{Bad}}]$ is deferred to subsequent games.

Lemma 5. $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot (?) + Q_d \cdot 2^{-\Omega(\ell)}$.

- Game $\mathsf{G}_9$: This game is the same as game $\mathsf{G}_8$, except that, the challenger chooses another random tuple $\bar{\mathsf{k}}^* = (\bar{k}_1^*, \bar{k}_2^*, \bar{k}_3^*, \bar{k}_4^*)$ besides $\mathsf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ in Initialize. In addition, to answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$, the challenger uses a different key for AIAE to compute $\mathsf{aiae.ct}_\lambda$:

• Set $\bar{\mathsf{k}}_\lambda = (\bar{k}_{\lambda,1}, \bar{k}_{\lambda,2}, \bar{k}_{\lambda,3}, \bar{k}_{\lambda,4}) := (r_\lambda \bar{k}_1^* + s_{\lambda,1}, \dots, r_\lambda \bar{k}_4^* + s_{\lambda,4})$;

• invoke $\mathsf{aiae.ct}_\lambda \leftarrow \mathsf{AIAE.Enc}(\bar{\mathsf{k}}_\lambda, \mathcal{E}.\mathsf{ct}_\lambda, \mathsf{aux}_\lambda)$.

But the challenger still uses $\mathsf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ to compute $(e_{\lambda,1}, \dots, e_{\lambda,4})$.

In game $\mathsf{G}_8$, the only place that needs the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\lambda,1}, \dots, e_{\lambda,4})$ in Enc. More precisely, for $j \in \{1, 2, 3, 4\}$,

$$\begin{aligned}
e_{\lambda,j} &= h_{i_\lambda,j}^{r^* r_\lambda}\, T^{r_\lambda (k_j^* - \alpha_j x_{i_\lambda,j} - \alpha_{j+1} y_{i_\lambda,j}) + s_{\lambda,j}} \bmod N^2 \\
&= h_{i_\lambda,j}^{r^* r_\lambda}\, T^{r_\lambda (k_j^* - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\lambda,j} - \alpha_{j+1} \bar{y}_{i_\lambda,j}) + s_{\lambda,j}} \bmod N^2.
\end{aligned}$$

We stress that the computation of $t_\lambda = g_1^{m_\lambda} \bmod N$ in Enc only uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$, since the order of $g_1 \in \mathbb{SCR}_{N^s}$ is $\phi(N)/4$. We also note that neither $\mathsf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ nor $(x_j, y_j)_{j=1}^4 \bmod N$ is involved in Dec, since Dec rejects the ciphertext unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\alpha_1 = \cdots = \alpha_8 = 0$. As a result, $\mathsf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ is totally hidden by the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and is uniformly random to $\mathcal{A}$.

Thus the challenger can use an independent $\bar{\mathsf{k}}^* = (\bar{k}_1^*, \dots, \bar{k}_4^*)$ to compute $\bar{\mathsf{k}}_\lambda$, and use $\bar{\mathsf{k}}_\lambda$ to do the encryption of the AIAE scheme in Enc, as in $\mathsf{G}_9$.

Then games $\mathsf{G}_8$ and $\mathsf{G}_9$ are identically distributed from the point of view of $\mathcal{A}$, thus we have $\Pr_8[\mathsf{Win}] = \Pr_9[\mathsf{Win}]$ and $\Pr_8[\widehat{\mathsf{Bad}}] = \Pr_9[\widehat{\mathsf{Bad}}]$.

- Game $\mathsf{G}_{10}$: This game is the same as game $\mathsf{G}_9$, except that, to answer the $\lambda$-th ($\lambda \in [Q_e]$) Enc query $(f_\lambda, i_\lambda)$, the challenger computes $\mathsf{aiae.ct}_\lambda$ as follows:

• invoke $\mathsf{aiae.ct}_\lambda \leftarrow \mathsf{AIAE.Enc}(\bar{\mathsf{k}}_\lambda, 0^{\ell_m}, \mathsf{aux}_\lambda)$.

That is, the challenger computes the AIAE encryption of a constant $0^{\ell_m}$ instead of $\mathcal{E}.\mathsf{ct}_\lambda$ in Enc. Note that in games $\mathsf{G}_9$ and $\mathsf{G}_{10}$, the key $\bar{\mathsf{k}}^* = (\bar{k}_1^*, \bar{k}_2^*, \bar{k}_3^*, \bar{k}_4^*)$ is used only in the computation of the AIAE encryption, where it uses $\bar{\mathsf{k}}_\lambda = r_\lambda \cdot \bar{\mathsf{k}}^* + \mathsf{s}_\lambda$, $\mathsf{s}_\lambda = (s_{\lambda,1}, \dots, s_{\lambda,4})$, as the encryption key. The difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ can be reduced to the IND-$\mathcal{F}_{\mathsf{aff}}$-RKA security of the AIAE scheme directly. Thus we have that both $|\Pr_9[\mathsf{Win}] - \Pr_{10}[\mathsf{Win}]|$, $|\Pr_9[\widehat{\mathsf{Bad}}] - \Pr_{10}[\widehat{\mathsf{Bad}}]| \le \mathsf{Adv}^{\mathsf{IND}\text{-}\mathcal{F}_{\mathsf{aff}}\text{-}\mathsf{RKA}}_{\mathsf{AIAE}}(\ell)$.

Now in $\mathsf{G}_{10}$, the challenger computes the AIAE encryption of a constant $0^{\ell_m}$ in Enc, thus the challenge bit $\beta$ is completely hidden. Then $\Pr_{10}[\mathsf{Win}] =$

We give an upper bound for $\Pr_{10}[\widehat{\mathsf{Bad}}]$ via the following lemma, and present its proof in the full version [HLL16].

Lemma 6. $\Pr_{10}[\widehat{\mathsf{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\ell)} + \mathsf{Adv}_{\mathsf{GenN}}(\ell)$.

Taking all things together, the $n$-KDM$[\mathcal{F}_{\mathsf{aff}}]$-CCA security of PKE follows. ■

6 PKE with $n$-KDM$[\mathcal{F}^d_{\mathsf{poly}}]$-CCA Security

6.1 The Basic Idea

We consider how to construct a PKE which is $n$-KDM-CCA secure w.r.t. the set of polynomial functions of bounded degree $d$, denoted by $\mathcal{F}^d_{\mathsf{poly}}$, where $d$ can be polynomial in the security parameter $\ell$. We will consider adversaries submitting $f$ in the format of a Modular Arithmetic Circuit (MAC) [MTY11], i.e., a polynomial-size circuit which computes $f$. In particular, we do not require a prior bound on the size of circuits, but only require a prior bound $d$ on the degree of the polynomials. Our construction still follows the approach in Fig. 1. In fact, our $n$-KDM$[\mathcal{F}^d_{\mathsf{poly}}]$-CCA secure PKE shares the same building blocks KEM and AIAE with the previous PKE in Fig. 7, which has $n$-KDM$[\mathcal{F}_{\mathsf{aff}}]$-CCA security. What we should do is to design a new building block $\mathcal{E}$, which can function as an entropy filter for polynomial functions. Our new $\mathcal{E}$ still shares the same secret/public key pair with KEM. Hence for $i \in [n]$, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$.


6.2 Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables

How to Reduce the $8n$-Variable Polynomial $f_\lambda$ in Enc$(f_\lambda, i_\lambda \in [n])$. In the $n$-KDM$[\mathcal{F}^d_{\mathsf{poly}}]$-CCA game, the adversary will submit $(f_\lambda, i_\lambda \in [n])$ to Enc as its $\lambda$-th KDM encryption query. Here $f_\lambda$ is a degree-$d$ polynomial $f_\lambda((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ of the $n$ secret keys, which has $8n$ variables. Note that $f_\lambda$ will contain at most $\binom{8n+d}{d} = O(d^{8n})$ monomials, which is exponentially large.

To reduce the number of monomials, we can always change the polynomial $f_\lambda((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ of $8n$ variables to a polynomial $f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})$ of 8 variables as follows. Then $f'_\lambda$ will contain at most $\binom{8+d}{d} = O(d^8)$ monomials, which is polynomial in $\ell$.

In Initialize, the secret keys can be generated with $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. Then with the values of $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, we can represent $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ as shifts of $(x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}$:

$$x_{i,j} = x_{i_\lambda,j} + \bar{x}_{i,j} - \bar{x}_{i_\lambda,j}, \qquad y_{i,j} = y_{i_\lambda,j} + \bar{y}_{i,j} - \bar{y}_{i_\lambda,j},$$

and reduce the polynomial $f_\lambda$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ to a polynomial $f'_\lambda$ in 8 variables $(x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}$:

$$\begin{aligned}
f_\lambda((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}) &= f_\lambda\big((x_{i_\lambda,j} + \bar{x}_{i,j} - \bar{x}_{i_\lambda,j},\ y_{i_\lambda,j} + \bar{y}_{i,j} - \bar{y}_{i_\lambda,j})_{i \in [n], j \in [4]}\big) \\
&= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)}\, x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8} =: f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}).
\end{aligned}$$

The resulting polynomial $f'_\lambda$ is also of degree at most $d$, and the coefficients $a_{(c_1, \dots, c_8)}$ are determined completely by $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\lambda$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. Repeatedly choose values of $(x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}$ at random, feed the MAC (which functions as $f_\lambda$) with the input $(x_{i_\lambda,j} + \bar{x}_{i,j} - \bar{x}_{i_\lambda,j},\ y_{i_\lambda,j} + \bar{y}_{i,j} - \bar{y}_{i_\lambda,j})_{i \in [n], j \in [4]}$, where $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ always takes the values chosen in Initialize, and record the output of the MAC. After about $\binom{8+d}{d} = O(d^8)$ times, we can extract all $a_{(c_1, \dots, c_8)}$ by simply solving a system of linear equations (with the $a_{(c_1, \dots, c_8)}$ as unknowns):

$$f_\lambda\big((x_{i_\lambda,j} + \bar{x}_{i,j} - \bar{x}_{i_\lambda,j},\ y_{i_\lambda,j} + \bar{y}_{i,j} - \bar{y}_{i_\lambda,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)}\, x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8}.$$

This can be done in time polynomial in $\ell$.
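As an added illustration (not part of the paper), here is the coefficient-recovery procedure just described, run against a constructed black-box polynomial. It assumes a prime modulus $P$ in place of the paper's $N$ so that the linear system is solved by ordinary Gauss-Jordan elimination, and a toy instance with $n = 2$ users and $d = 2$.

```python
"""Added example (not from the paper): recovering the coefficients of the
reduced 8-variable polynomial f'_lambda from black-box access to the
8n-variable polynomial f_lambda, as described in Subsect. 6.2.

Assumptions (ours, for a runnable toy): arithmetic is modulo a prime P
instead of the paper's composite N, so every non-zero pivot is invertible;
n = 2 users, degree bound d = 2; f_lambda is a constructed sample given
only as a Python callable (the role of the MAC).
"""
import itertools
import random

P = 1_000_003          # toy prime modulus (assumption)
NUM_USERS = 2          # n
DEGREE = 2             # d
VARS = 8               # (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4}) per user


def exponent_tuples(d):
    """All c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d: the monomials
    a polynomial of degree at most d in 8 variables can contain."""
    return [c for c in itertools.product(range(d + 1), repeat=VARS)
            if sum(c) <= d]


def monomial(point, c):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} evaluated at point, modulo P."""
    out = 1
    for v, e in zip(point, c):
        out = out * pow(v, e, P) % P
    return out


def solve_mod_p(a, b):
    """Gauss-Jordan elimination over Z_P for the square system a * x = b.
    Raises if singular (probability about m/P for random points)."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            raise ValueError("singular system: pick new random points")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(v - f * w) % P for v, w in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def reduce_polynomial(f, shifts, target, d, rng=random):
    """Return {c: a_c} for f'_lambda: f_lambda rewritten in the 8 key entries
    of user `target` (= i_lambda) by expressing every user's key as
    sk_i = sk_target + shift_i - shift_target, exactly as in Subsect. 6.2.

    f       : callable on a list of n 8-tuples (the 8n-variable polynomial)
    shifts  : the n 8-tuples (xbar_{i,j}, ybar_{i,j}) known to the reducer
    """
    monos = exponent_tuples(d)
    rows, rhs = [], []
    # Each random point for sk_target gives one linear equation in the a_c.
    for _ in range(len(monos)):
        pt = [rng.randrange(P) for _ in range(VARS)]
        keys = [tuple((pt[k] + shifts[i][k] - shifts[target][k]) % P
                      for k in range(VARS)) for i in range(len(shifts))]
        rows.append([monomial(pt, c) for c in monos])
        rhs.append(f(keys) % P)
    coeffs = solve_mod_p(rows, rhs)
    return {c: a for c, a in zip(monos, coeffs) if a}


def sample_f(keys):
    """Constructed f_lambda of degree 2 in the 16 key entries of two users:
    3 * x_{1,1} * y_{2,3} + 5 * x_{2,4} + 7.  Slot order inside a key is
    (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4), so y_{2,3} is slot 5 of user 2
    and x_{2,4} is slot 6."""
    k1, k2 = keys
    return 3 * k1[0] * k2[5] + 5 * k2[6] + 7


def demo():
    """Reduce sample_f to user 1's key (target = 0) and return the recovered
    coefficients together with the shifts they depend on."""
    rng = random.Random(2016)
    shifts = [tuple(rng.randrange(P) for _ in range(VARS))
              for _ in range(NUM_USERS)]
    return reduce_polynomial(sample_f, shifts, 0, DEGREE, rng), shifts
```

With the shift $s = \bar{y}_{2,3} - \bar{y}_{1,3}$ and $s' = \bar{x}_{2,4} - \bar{x}_{1,4}$, the recovered $f'$ is $3 x_1 y_3 + 3 s\, x_1 + 5 x_4 + (5 s' + 7)$, which is what the shift substitution predicts.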


6.3 How to Design $\mathcal{E}$: A Warmup

Let us first consider a simple case: design $\mathcal{E}$ w.r.t. a specific type of monomials

$$a \cdot x_{i_\lambda,1} y_{i_\lambda,1} x_{i_\lambda,2} y_{i_\lambda,2} x_{i_\lambda,3} y_{i_\lambda,3} x_{i_\lambda,4} y_{i_\lambda,4}.$$

We describe the encryption and decryption algorithms $\mathcal{E}.\mathsf{Enc}$, $\mathcal{E}.\mathsf{Dec}$ in Fig. 8.

$\mathcal{E}.\mathsf{ct} \leftarrow \mathcal{E}.\mathsf{Enc}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$:
For $l \in [0, 8]$,
  $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow [\lfloor N/4 \rfloor]$;
  $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}})$;
  $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}}$.
$$\mathsf{table} := \begin{pmatrix}
u_{0,1} & u_{0,2} & \cdots & u_{0,8} \\
u_{1,1} \cdot v_0 & u_{1,2} & \cdots & u_{1,8} \\
u_{2,1} & u_{2,2} \cdot v_1 & \cdots & u_{2,8} \\
\vdots & \vdots & \ddots & \vdots \\
u_{8,1} & u_{8,2} & \cdots & u_{8,8} \cdot v_7
\end{pmatrix}$$
$e := v_8 \cdot T^m \bmod N^s$.
$t := g_1^m \bmod N \in \mathbb{Z}_N$.
Return $\mathcal{E}.\mathsf{ct} := (\mathsf{table}, e, t)$.

$m/\bot \leftarrow \mathcal{E}.\mathsf{Dec}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathcal{E}.\mathsf{ct})$:
Parse $\mathcal{E}.\mathsf{ct} = (\mathsf{table}, e, t)$.
$$\text{Parse } \mathsf{table} = \begin{pmatrix}
\tilde{u}_{0,1} & \tilde{u}_{0,2} & \cdots & \tilde{u}_{0,8} \\
\tilde{u}_{1,1} & \tilde{u}_{1,2} & \cdots & \tilde{u}_{1,8} \\
\vdots & \vdots & \ddots & \vdots \\
\tilde{u}_{8,1} & \tilde{u}_{8,2} & \cdots & \tilde{u}_{8,8}
\end{pmatrix}$$
$\hat{v}_0 := \tilde{u}_{0,1}^{-x_1} \tilde{u}_{0,2}^{-y_1} \tilde{u}_{0,3}^{-x_2} \tilde{u}_{0,4}^{-y_2} \tilde{u}_{0,5}^{-x_3} \tilde{u}_{0,6}^{-y_3} \tilde{u}_{0,7}^{-x_4} \tilde{u}_{0,8}^{-y_4}$.
$\hat{v}_1 := (\tilde{u}_{1,1}/\hat{v}_0)^{-x_1} \tilde{u}_{1,2}^{-y_1} \tilde{u}_{1,3}^{-x_2} \tilde{u}_{1,4}^{-y_2} \cdots \tilde{u}_{1,7}^{-x_4} \tilde{u}_{1,8}^{-y_4}$.
$\hat{v}_2 := \tilde{u}_{2,1}^{-x_1} (\tilde{u}_{2,2}/\hat{v}_1)^{-y_1} \tilde{u}_{2,3}^{-x_2} \tilde{u}_{2,4}^{-y_2} \cdots \tilde{u}_{2,7}^{-x_4} \tilde{u}_{2,8}^{-y_4}$.
$\vdots$
$\hat{v}_8 := \tilde{u}_{8,1}^{-x_1} \tilde{u}_{8,2}^{-y_1} \tilde{u}_{8,3}^{-x_2} \tilde{u}_{8,4}^{-y_2} \cdots \tilde{u}_{8,7}^{-x_4} (\tilde{u}_{8,8}/\hat{v}_7)^{-y_4}$.
If $e/\hat{v}_8 \in \mathbb{RU}_{N^s}$, $m := \mathrm{dlog}_T(e/\hat{v}_8) \bmod N^{s-1}$.
If $t = g_1^m \bmod N$, Return $m$.
Otherwise, Return $\bot$.

Fig. 8. $\mathcal{E}$ designed for specific monomials $a \cdot x_{i_\lambda,1} y_{i_\lambda,1} x_{i_\lambda,2} y_{i_\lambda,2} x_{i_\lambda,3} y_{i_\lambda,3} x_{i_\lambda,4} y_{i_\lambda,4}$.


Security proof. We can prove KDM-CCA security w.r.t. the specific type of monomials, i.e., $a \cdot x_{i_\lambda,1} y_{i_\lambda,1} x_{i_\lambda,2} y_{i_\lambda,2} x_{i_\lambda,3} y_{i_\lambda,3} x_{i_\lambda,4} y_{i_\lambda,4}$, in a similar way as the proof of Theorem 2. The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to $\mathcal{E}$. We replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following three steps (Step 1-Step 3). More precisely, we change the $\mathcal{E}.\mathsf{Enc}$ part of Enc so that it can preserve the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, behaving like an entropy filter w.r.t. this specific kind of monomials.

Suppose that the adversary submits $(f_\lambda, i_\lambda \in [n])$ to Enc. Our aim is to preserve the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ from $\mathcal{E}.\mathsf{Enc}(\mathsf{pk}_{i_\lambda}, f_\lambda((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$.
Step 0: In Initialize, the secret keys are generated with $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This is the same as $\mathsf{G}_2$ in the proof of Theorem 2.

Step 1: Use $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ to re-explain $(f_\lambda, i_\lambda \in [n])$ as $(f'_\lambda, i_\lambda \in [n])$, and determine the coefficient $a$ of the monomial:

$$f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}) = a \cdot x_{i_\lambda,1} y_{i_\lambda,1} x_{i_\lambda,2} y_{i_\lambda,2} x_{i_\lambda,3} y_{i_\lambda,3} x_{i_\lambda,4} y_{i_\lambda,4}.$$

Step 2: Use secret key $\mathsf{sk}_{i_\lambda} = (x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}$ (together with public key $\mathsf{pk}_{i_\lambda} = (h_{i_\lambda,j})_{j \in [4]}$) to implement $\mathcal{E}.\mathsf{Enc}$ (This corresponds to $\mathsf{G}_3$ in the proof of Theorem 2).

- Set up $\mathsf{table}$, just like $\mathcal{E}.\mathsf{Enc}$.

- Compute $\hat{v}_0, \dots, \hat{v}_8$ from $\mathsf{table}$, just like $\mathcal{E}.\mathsf{Dec}$.

- Use $\hat{v}_8$ instead of $v_8$ to compute $e$ with $e := \hat{v}_8 \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N$.

It is easy to check that $\hat{v}_0, \dots, \hat{v}_8$ computed from $\mathsf{table}$ (via $\mathcal{E}.\mathsf{Dec}$) are identical to $v_0, \dots, v_8$ that are used to generate $\mathsf{table}$ (via $\mathcal{E}.\mathsf{Enc}$). Thus this change is conceptual.

Step 3: This corresponds to $\mathsf{G}_4$ in the proof of Theorem 2.

- $\mathsf{table}$ is set up in a similar way as in $\mathcal{E}.\mathsf{Enc}$, but with the following difference. The item of row 1 and column 1 in $\mathsf{table}$ now is computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ instead of $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. This change is computationally indistinguishable, due to the $\mathsf{IV}_5$ assumption. (We refer to a detailed analysis in the full version [HLL16].)

- Compute $\hat{v}_0, \dots, \hat{v}_8$ from $\mathsf{table}$, just like $\mathcal{E}.\mathsf{Dec}$.

- $e := \hat{v}_8 \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N$.

It is easy to check that $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1 \cdot T^{-a x_{i_\lambda,1}}$, $\hat{v}_2 = v_2 \cdot T^{-a x_{i_\lambda,1} y_{i_\lambda,1}}$, $\dots$, $\hat{v}_8 = v_8 \cdot T^{-a x_{i_\lambda,1} y_{i_\lambda,1} \cdots x_{i_\lambda,4} y_{i_\lambda,4}} = v_8 \cdot T^{-f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})}$, thus $e = \hat{v}_8 \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} = v_8$. Therefore we can also implement Step 3 equivalently as follows.

Step 3 (Equivalent Form):

- $\mathsf{table}$ is set up in a similar way as in $\mathcal{E}.\mathsf{Enc}$, but with the following difference. The item of row 1 and column 1 in $\mathsf{table}$ is computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ instead of $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.

- $e := v_8 \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

In this step, $\mathcal{E}.\mathsf{Enc}$ does not use $(x_1, y_1, \dots, x_4, y_4) \bmod N$ at all (it only uses $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ and $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$).


Consequently, through the computationally indistinguishable change, the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is preserved by the $\mathcal{E}.\mathsf{Enc}$ part of Enc.

Similarly, Dec can be changed to do decryptions without $(x_j, y_j)_{j=1}^4 \bmod N$. This can be done with $\phi(N)$ and the $(\bmod\ \phi(N)/4)$ part of the secret key. (This corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 2.) Use $\phi(N)$ to make sure that all items in $\mathsf{table}$ of $\mathcal{E}.\mathsf{ct}$ belong to $\mathbb{SCR}_{N^s}$. If not, reject immediately. As a result, Dec does not leak any information of $(x_1, y_1, \dots, x_4, y_4) \bmod N$. This change is computationally indistinguishable, just like the analysis of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 2.

6.4 The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathsf{poly}}$

The previous subsection showed how to design $\mathcal{E}$ for a specific type of monomials. A general $f'_\lambda$ of degree $d$ contains at most $\binom{8+d}{d} = O(d^8)$ monomials. To design a general $\mathcal{E}$ for $\mathcal{F}^d_{\mathsf{poly}}$, we have to consider all possible types of monomials. For each type of non-constant monomial, we create a table, and each table is associated with a $v$, which is called a title; those $v$'s are used to hide the message in $e$. We describe $\mathcal{E}.\mathsf{Enc}$ and $\mathcal{E}.\mathsf{Dec}$ in Fig. 9.

There are in total $\binom{8+d}{d} - 1$ types of non-constant monomials of degree at most $d$ if we neglect the coefficients. Each type of non-constant monomial $x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8}$ is associated with a tuple $\mathbf{c} = (c_1, \dots, c_8)$, which determines the degree of each variable. Denote by $\mathcal{S}$ the set containing all such tuples, i.e., $\mathcal{S} := \{\mathbf{c} = (c_1, \dots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and its title $v^{(\mathbf{c})}$ for the monomial $x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8}$ via the algorithm TableGen illustrated in Fig. 9. Intuitively, TableGen generates $\mathsf{table}^{(\mathbf{c})}$ of $1 + c_1 + \cdots + c_8$ rows. The 0-th row of $\mathsf{table}^{(\mathbf{c})}$ is $u_{0,1}, \dots, u_{0,8}$. The other rows have the same form as row 0 with a small difference: the next $c_1$ rows in the 1-st column are multiplied with $v_0, v_1, \dots, v_{c_1 - 1}$ respectively; the next $c_2$ rows in the 2-nd column are multiplied with $v_{c_1}, v_{c_1 + 1}, \dots, v_{c_1 + c_2 - 1}$ respectively, and so forth. TableGen also generates a title $v^{(\mathbf{c})}$ for $\mathsf{table}^{(\mathbf{c})}$. The product of all the titles, i.e., $\prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})}$, is used to hide $T^m$ in $e$.

On the other hand, the title $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ can be recovered from $\mathsf{table}^{(\mathbf{c})}$ with secret key $\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4)$ via the CalculateV algorithm in Fig. 9. Therefore, one can always use the secret key to extract the titles $(\hat{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ from the tables $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one with CalculateV and then recover $m$ correctly.

Security proof. The proof of KDM$[\mathcal{F}^d_{\mathsf{poly}}]$-CCA security is similar to that of Theorem 2. But games $\mathsf{G}_3$-$\mathsf{G}_4$ should be replaced with the following three steps (Step 1-Step 3), so that the $\mathcal{E}.\mathsf{Enc}$ part of Enc can be changed to work as an entropy filter, i.e., preserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, w.r.t. any polynomial of degree at most $d$.

Suppose that the adversary submits $(f_\lambda, i_\lambda \in [n])$ to Enc. Our aim is to preserve the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ from $\mathcal{E}.\mathsf{Enc}(\mathsf{pk}_{i_\lambda}, f_\lambda((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$.
$\mathcal{E}.\mathsf{ct} \leftarrow \mathcal{E}.\mathsf{Enc}(\mathsf{pk}, m)$:
For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
  $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$.
$e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$.
$t := g_1^m \bmod N \in \mathbb{Z}_N$.
Return $\mathcal{E}.\mathsf{ct} := ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$.

$m/\bot \leftarrow \mathcal{E}.\mathsf{Dec}(\mathsf{sk}, \mathcal{E}.\mathsf{ct})$:
Parse $\mathcal{E}.\mathsf{ct} = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$.
For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
  $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
If $e \cdot \big(\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})}\big)^{-1} \in \mathbb{RU}_{N^s}$,
  $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$.
If $t = g_1^m \bmod N$, Return $m$.
Otherwise, Return $\bot$.

$\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \dots, c_8))$:
For each $l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}$:
  $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow [\lfloor N/4 \rfloor]$;
  $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}})$;
  $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}}$.
$$\mathsf{table}^{(\mathbf{c})} := \begin{pmatrix}
u_{0,1} & u_{0,2} & \cdots & u_{0,8} \\
u_{1,1} \cdot v_0 & u_{1,2} & \cdots & u_{1,8} \\
\vdots & \vdots & & \vdots \\
u_{c_1,1} \cdot v_{c_1 - 1} & u_{c_1,2} & \cdots & u_{c_1,8} \\
u_{c_1+1,1} & u_{c_1+1,2} \cdot v_{c_1} & \cdots & u_{c_1+1,8} \\
\vdots & \vdots & & \vdots \\
u_{c_1+c_2,1} & u_{c_1+c_2,2} \cdot v_{c_1+c_2-1} & \cdots & u_{c_1+c_2,8} \\
\vdots & \vdots & & \vdots \\
u_{\sum_{j=1}^7 c_j + 1,\,1} & u_{\sum_{j=1}^7 c_j + 1,\,2} & \cdots & u_{\sum_{j=1}^7 c_j + 1,\,8} \cdot v_{\sum_{j=1}^7 c_j} \\
\vdots & \vdots & & \vdots \\
u_{\sum_{j=1}^8 c_j,\,1} & u_{\sum_{j=1}^8 c_j,\,2} & \cdots & u_{\sum_{j=1}^8 c_j,\,8} \cdot v_{\sum_{j=1}^8 c_j - 1}
\end{pmatrix}$$
(rows $1, \dots, c_1$ carry a title in column 1, rows $c_1 + 1, \dots, c_1 + c_2$ in column 2, $\dots$, the last $c_8$ rows in column 8.)
Return $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} := v_{\sum_{j=1}^8 c_j})$.

$\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \dots, c_8))$:
Parse $\mathsf{table}^{(\mathbf{c})} = \big[\tilde{u}_{l,k}\big]_{l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\},\, k \in [8]}$.
$\hat{v}_0 := \tilde{u}_{0,1}^{-x_1} \tilde{u}_{0,2}^{-y_1} \tilde{u}_{0,3}^{-x_2} \tilde{u}_{0,4}^{-y_2} \tilde{u}_{0,5}^{-x_3} \tilde{u}_{0,6}^{-y_3} \tilde{u}_{0,7}^{-x_4} \tilde{u}_{0,8}^{-y_4}$.
For each $l \in \{1, \dots, c_1\}$:
  $\hat{v}_l := (\tilde{u}_{l,1}/\hat{v}_{l-1})^{-x_1} \tilde{u}_{l,2}^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} \tilde{u}_{l,8}^{-y_4}$.
For each $l \in \{c_1 + 1, \dots, c_1 + c_2\}$:
  $\hat{v}_l := \tilde{u}_{l,1}^{-x_1} (\tilde{u}_{l,2}/\hat{v}_{l-1})^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} \tilde{u}_{l,8}^{-y_4}$.
$\vdots$
For each $l \in \{\sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j\}$:
  $\hat{v}_l := \tilde{u}_{l,1}^{-x_1} \tilde{u}_{l,2}^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} (\tilde{u}_{l,8}/\hat{v}_{l-1})^{-y_4}$.
Return $\hat{v}^{(\mathbf{c})} := \hat{v}_{\sum_{j=1}^8 c_j}$.

Fig. 9. Top: $\mathcal{E}.\mathsf{Enc}$ (left) and $\mathcal{E}.\mathsf{Dec}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathsf{poly}}$; Middle: TableGen, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; Bottom: CalculateV, which calculates a title from $\mathsf{table}^{(\mathbf{c})}$ using the secret key.
Step 0: In Initialize, the secret keys are generated with $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This is the same as $\mathsf{G}_2$ in the proof of Theorem 2.

Step 1: Use $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ to re-explain $(f_\lambda, i_\lambda \in [n])$ as $(f'_\lambda, i_\lambda \in [n])$, and determine the coefficients $a_{(c_1, \dots, c_8)}$ of each monomial of $f'_\lambda$, as discussed in Subsect. 6.2. Note that $a_{(c_1, \dots, c_8)} = 0$ if the associated monomial does not appear in $f'_\lambda$. Then

$$f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}) = \sum_{(c_1, \dots, c_8) \in \mathcal{S}} a_{(c_1, \dots, c_8)}\, x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8} + \delta,$$

where $\delta = a_{(0, \dots, 0)}$ denotes the constant term of $f'_\lambda$.

Step 2: Use secret key $\mathsf{sk}_{i_\lambda} = (x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}$ (together with public key $\mathsf{pk}_{i_\lambda} = (h_{i_\lambda,j})_{j \in [4]}$) to implement $\mathcal{E}.\mathsf{Enc}$ (This corresponds to $\mathsf{G}_3$ in the proof of Theorem 2).

- For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
  (1) $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow \mathsf{TableGen}(\mathsf{pk}_{i_\lambda}, \mathbf{c})$,
  (2) $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\lambda}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.

- Use $(\hat{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ instead of $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ to compute $e$ with $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N$.

It is easy to check that for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})}$ computed from $\mathsf{table}^{(\mathbf{c})}$ via CalculateV is identical to $v^{(\mathbf{c})}$ associated with $\mathsf{table}^{(\mathbf{c})}$ via TableGen. Thus this change is conceptual.

Step 3: This corresponds to $\mathsf{G}_4$ in the proof of Theorem 2.

- For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
  (1) Compute $\mathsf{table}^{(\mathbf{c})}$ via $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow \mathsf{TableGen}(\mathsf{pk}_{i_\lambda}, \mathbf{c})$, but with one difference. The item of row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ in $\mathsf{table}^{(\mathbf{c})}$ now is computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ instead of $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. This change is computationally indistinguishable, due to the $\mathsf{IV}_5$ assumption.
  (2) Invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\lambda}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$ to extract a title from the modified $\mathsf{table}^{(\mathbf{c})}$.

- $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \bmod N$.

Observe that for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$,

$$\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \dots, c_8)}\, x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8}}.$$

Then

$$\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} \Big(v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \dots, c_8)}\, x_{i_\lambda,1}^{c_1} y_{i_\lambda,1}^{c_2} x_{i_\lambda,2}^{c_3} y_{i_\lambda,2}^{c_4} x_{i_\lambda,3}^{c_5} y_{i_\lambda,3}^{c_6} x_{i_\lambda,4}^{c_7} y_{i_\lambda,4}^{c_8}}\Big) \cdot T^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta},
\end{aligned}$$

where $\delta$ is the constant term of $f'_\lambda$. Therefore we can implement Step 3 equivalently as follows.

Step 3 (Equivalent Form):

- For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$: compute $\mathsf{table}^{(\mathbf{c})}$ via $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow \mathsf{TableGen}(\mathsf{pk}_{i_\lambda}, \mathbf{c})$, but with one difference. The item of row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ in $\mathsf{table}^{(\mathbf{c})}$ now is computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ instead of $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.

- $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$, and $t := g_1^{f'_\lambda((x_{i_\lambda,j}, y_{i_\lambda,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

In this step, $\mathcal{E}.\mathsf{Enc}$ does not use $(x_1, y_1, \dots, x_4, y_4) \bmod N$ at all (it only uses $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ and $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$).

As a result, through the computationally indistinguishable change, the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is preserved by the $\mathcal{E}.\mathsf{Enc}$ part of Enc.

Similarly, Dec can be changed to do decryptions without $(x_j, y_j)_{j=1}^4 \bmod N$, by the same argument as in Subsect. 6.3.
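The following added example (ours, not the paper's implementation) runs TableGen and CalculateV of Fig. 9 on a toy group and also reproduces the Step 3 observation that planting $T^{a}$ into row 1 of $\mathsf{table}^{(\mathbf{c})}$ shifts the recovered title by $T^{-a \cdot \text{monomial}}$. It assumes tiny primes, $s = 2$, and random $g_1, \dots, g_5 \in \mathbb{SCR}_{N^2}$.

```python
"""Added example (ours, not the paper's code): TableGen and CalculateV of
Fig. 9 on a toy group, plus the Step 3 observation that planting T^a into
row 1 of table^(c) shifts the recovered title by T^{-a * monomial}.

Assumptions: tiny primes p, q (no security), s = 2 so the group is
Z*_{N^2}, T = 1 + N, and g_1..g_5 are random elements of SCR_{N^2}.
"""
import math
import random

P_, Q_ = 1009, 1013                    # toy primes (assumption)
N = P_ * Q_
N2 = N * N
T = 1 + N                              # T has order N modulo N^2
rng = random.Random(7)


def rand_scr():
    """Random element of SCR_{N^2}, the 2N-th powers modulo N^2."""
    while True:
        a = rng.randrange(2, N2)
        if math.gcd(a, N) == 1:
            return pow(a, 2 * N, N2)


G = [rand_scr() for _ in range(5)]     # g_1, ..., g_5 (0-indexed here)


def prod_pow(bases, exps):
    """prod bases[k]^exps[k] mod N^2 (negative exponents allowed)."""
    out = 1
    for b, e in zip(bases, exps):
        out = out * pow(b, e, N2) % N2
    return out


def keygen():
    """sk = (x_1, y_1, ..., x_4, y_4); pk h_j = g_j^{-x_j} g_{j+1}^{-y_j}."""
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(G[j], -sk[2 * j], N2) * pow(G[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return sk, pk


def column_of_row(c):
    """Row l >= 1 of table^(c) carries a title in column column_of_row(c)[l-1]:
    the first c_1 rows in column 1, the next c_2 rows in column 2, ..."""
    return [k for k in range(8) for _ in range(c[k])]


def table_gen(pk, c, plant=0):
    """TableGen(pk, c).  plant != 0 reproduces the Step 3 change: the
    marked entry of row 1 is multiplied by T^plant before v_0 is applied."""
    cols = column_of_row(c)
    table, v = [], []
    for l in range(sum(c) + 1):
        r = [rng.randrange(N // 4) for _ in range(4)]
        # (u_1..u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, ..., g_5^{r_4})
        u = [pow(G[(k + 1) // 2], r[k // 2], N2) for k in range(8)]
        v.append(prod_pow(pk, r))           # v_l = h_1^{r_1} ... h_4^{r_4}
        if l >= 1:
            k = cols[l - 1]
            if l == 1:
                u[k] = u[k] * pow(T, plant, N2) % N2
            u[k] = u[k] * v[l - 1] % N2
        table.append(u)
    return table, v[-1]                     # title v^(c) = v_{sum c}


def calculate_v(sk, table, c):
    """CalculateV(sk, table, c): recover the titles row by row."""
    cols = column_of_row(c)
    neg_sk = [-s for s in sk]
    v = prod_pow(table[0], neg_sk)
    for l in range(1, sum(c) + 1):
        row = list(table[l])
        k = cols[l - 1]
        row[k] = row[k] * pow(v, -1, N2) % N2   # strip v_{l-1} first
        v = prod_pow(row, neg_sk)
    return v


def dlog_t(z):
    """dlog_T for z in RU_{N^2} = <T>: z = 1 + xN, so x = (z - 1)/N."""
    if (z - 1) % N:
        raise ValueError("not in RU_{N^2}")
    return (z - 1) // N % N


def check(c=(1, 0, 2, 0, 0, 1, 0, 0), a=12345):
    """(title_ok, shift_ok): an honest table yields its title exactly, and
    a table planted with T^a yields v^(c) * T^{-a * x_1 x_2^2 y_3} for the
    default c, i.e. the monomial evaluated on the secret key."""
    sk, pk = keygen()
    table, title = table_gen(pk, c)
    title_ok = calculate_v(sk, table, c) == title
    table2, title2 = table_gen(pk, c, plant=a)
    got = calculate_v(sk, table2, c)
    mono = 1
    for s, e in zip(sk, c):
        mono = mono * pow(s, e, N) % N
    shift_ok = dlog_t(got * pow(title2, -1, N2) % N2) == (-a * mono) % N
    return title_ok, shift_ok
```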
Abstract. Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has led to applications proven secure in the UC framework, even in the presence of an adversary which can do adaptive corruptions, like for example Password Authenticated Key Exchange (PAKE), and 1-out-of-m Oblivious Transfer (OT). However, such solutions still lack efficiency, since their cost scales heavily with the underlying message length.

Structure-preserving cryptography aims at providing elegant and efficient schemes based on classical assumptions and standard group operations on group elements. A recent trend focuses on constructions of structure-preserving signatures, which require message, signature and verification keys to lie in the base group, while the verification equations only consist of pairing-product equations. Classical constructions of Smooth Projective Hash Functions suffer from the same limitation as classical signatures: at least one part of the computation (messages for signatures, witnesses for SPHF) is a scalar.

In this work, we introduce and instantiate the concept of Structure- 
Preserving Smooth Projective Hash Function, and give as applications 
more efficient instantiations for one-round PAKE and three-round OT, 
and information retrieval thanks to Anonymous Credentials, all UC- 
secure against adaptive adversaries. 


Keywords: Smooth projective hash functions • Structure preserv- 
ing • Oblivious transfer • Password authenticated key exchange • UC 
Framework • Credentials 


1 Introduction 

Smooth Projective Hash Functions (SPHF) were introduced by Cramer and Shoup [30] as a means to design chosen-ciphertext-secure public-key encryption schemes. These hash functions are defined such that their value can be computed in two different ways if the input belongs to a particular subset (the language), either using a private hashing key or a public projection key along with a private witness ensuring that the input belongs to the language.
In addition to providing a more intuitive abstraction for their original public-key encryption scheme in [29], the notion of SPHF also enables new efficient instantiations of their scheme under different complexity assumptions such as DLin, or more generally $k$-MDDH. Due to its usefulness, the notion of SPHF was later extended to several interactive contexts. One of the most classical applications is to combine them with commitments in order to provide implicit decommitments.

Commitment schemes have become a central tool used in cryptographic pro- 
tocols. These two-party primitives (between a committer and a receiver) are 
divided into two phases. First, in the commit phase, the committer gives the 
receiver an analogue of a sealed envelope containing a value m, while later in 
the opening phase, the committer reveals m in such a way that the receiver can 
verify whether it was indeed m that was contained in the envelope. In many 
applications, for example password-based authenticated key-exchange, in which 
the committed value is a password, one wants the opening to be implicit, which 
means that the committer does not really open its commitment, but rather con- 
vinces the receiver that it actually committed to the value it pretended to. 

An additional difficulty arises when one wants to prove the protocols in the 
universal composability framework proposed in [22]. Skipping the details, when 
the protocol uses commitments, this usually forces those commitments to be 
simultaneously extractable (meaning that a simulator can recover the committed 
value m thanks to a trapdoor) and equivocable (meaning that a simulator can 
open a commitment to a value m' different from the committed value m thanks 
to a trapdoor), which is quite a difficult goal to achieve. 

Using SPHF with commitments to achieve an implicit decommitment, the language is usually defined on group elements, with projection keys being group elements, and witnesses being scalars. While in several applications this has already led to efficient constructions, the fact that witnesses have to be scalars (and in particular, in the case of commitments, the randomness used to commit) leads to drastic restrictions when trying to build protocols secure against adaptive corruptions in the UC framework.

This is the classical paradigm of protocol design, where generic primitives 
used in a modular approach lead to a simple design but quite inefficient con- 
structions, while when trying to move to ad-hoc constructions, the conceptual 
simplicity is lost and even though efficiency might be gained, a proper security 
proof gets trickier. Following the same kind of reasoning, [5] introduced the con- 
cept of structure-preserving signatures in order to take the best of both worlds. 
There has been an ongoing series of work surrounding this notion, for instance 
[3, 4, 6-8]. This has shown that structure-preserving cryptography indeed pro- 
vides the tools needed to have simultaneously simple and efficient protocols. 

1.1 Related Work 

Smooth Projective Hash Functions (SPHF) were introduced by Cramer and Shoup [30] and have been widely used since then, for instance for password-authenticated key exchange (PAKE) [2,14,35,43,44], or oblivious transfer (OT) [1,28,41], and a classification was introduced separating SPHF into three main kinds, KV-SPHF, CS-SPHF and GL-SPHF, depending on how and when the projection keys are generated, the former allowing one-round protocols, while the latter have more efficient communication costs (see Sect. 2.2).

Password-Authenticated Key Exchange (PAKE) protocols were proposed in 1992 by Bellovin and Merritt [12], where authentication is done using a simple password, possibly drawn from a small entropy space subject to exhaustive search. Since then, many schemes have been proposed and studied. SPHF have been extensively used, starting with the work of Gennaro and Lindell [35] which generalized an earlier construction by Katz, Ostrovsky, and Yung [42], and followed by several other works [2,24]. More recently, a variant of SPHF proposed by Katz and Vaikuntanathan even allowed the construction of one-round PAKE schemes [14,44]. The most efficient PAKE scheme so far (using completely different techniques) is the recent Asiacrypt paper [40].

The first ideal functionality for PAKE protocols in the UC framework [22,25] was proposed by Canetti et al. [24], who showed how a simple variant of the Gennaro-Lindell methodology [35] could lead to a secure protocol. Though quite efficient, their protocol was not known to be secure against adaptive adversaries, that are capable of corrupting players at any time and learning their internal states. The first ones to propose an adaptively secure PAKE in the UC framework were Barak et al. [10], using general techniques from multi-party computation. Though conceptually simple, their solution results in quite inefficient schemes.

Recent adaptively secure PAKE were proposed by Abdalla et al. [1,2], following the Gennaro-Lindell methodology with a variation of the Canetti-Fischlin commitment [23]. However, their communication size grows with the size of the passwords, which leaks information about an upper bound on the password used in each exchange.

Oblivious Transfer (OT) was introduced in 1981 by Rabin [51] as a way to 
allow a receiver to get exactly one out of k messages sent by another party, the 
sender. In these schemes, the receiver should be oblivious to the other values, 
and the sender should be oblivious to which value was received. Since then, 
several instantiations and optimizations of such protocols have appeared in the 
literature, including proposals in the UC framework [26,48]. 

More recently, new instantiations have been proposed, trying to reach round-optimality [38], or low communication costs [50]. The 1-out-of-2 OT scheme by Choi et al. [28] based on the DDH assumption seems to be the most efficient one among those that are secure against adaptive corruptions in the CRS model with erasures. But it does not scale to 1-out-of-m OT, for m > 2. [1,17] proposed a generic construction of 1-out-of-m OT secure against adaptive corruptions in the CRS model; however, the commitment was still growing in the logarithm of the database length. While this is not so much a security issue for OT, as this length is supposed to be fixed at the start of the protocol, it is however a weak spot for the efficiency of the final construction.
1.2 Our Contributions

Similarly to structure-preserving signatures, which require the message, the signature and the public keys to be group elements, we propose in this paper the notion of structure-preserving Smooth Projective Hash Functions (SP-SPHF), where words, witnesses and projection keys are all group elements, and hash and projective hash computations can be carried out with simple pairing-product equations in the context of bilinear groups.

This allows, for example, building Smooth Projective Hash Functions that implicitly demonstrate knowledge of a Groth-Sahai proof (serving as a witness).

We show how to transform every previously known pairing-less construction of SPHF to fit this methodology, and then propose several applications in which storing a group element as a witness makes it possible to avoid the drastic restrictions that arise when building protocols secure against adaptive corruptions in the UC framework with a scalar as witness. Asking the witness to be a group element gives more freedom in the simulation (the simulator can use the discrete logarithm of this element and/or real extraction from a commitment). For instance, the simulator can always commit honestly to a random message, since it only needs to modify its witness in the equivocation phase. Furthermore, it avoids bit-per-bit constructions. Such a design carries similarities with the publicly verifiable MACs from [45], where the pairing operation allows to relax the verification procedure.

A work by Jutla and Roy has appeared on ePrint [39], considering a parallel between QA-NIZK and SPHF: independently from ours, they define a transformation from one to the other. Their transformation can then be extended to view QA-NIZK as a special case of SP-SPHF, and so be encompassed by our framework.

As an example, we show that the UC commitment from [34] (while not fitting the methodology of traditional SPHF from [1]) is compatible with SP-SPHF and can be used to build UC protocols. As a side contribution, we first generalize this commitment from DLin to the $k$-MDDH assumption from [33]. The combination of this commitment and the associated SP-SPHF then enables us to give three interesting applications.

Adaptively secure 1-out-of-m Oblivious Transfer. First, we provide a construction of a three-round UC-secure 1-out-of-$m$ OT. Assuming reliable erasures and a single global CRS, we show in Sect. 5 that our instantiation is UC-secure against adaptive adversaries. Besides having fewer rounds than most recent existing OT schemes with similar security levels, our resulting protocol also has a better communication complexity than the best known solutions so far [1,28] (see Table 1 for a comparison). For ease of readability, we emphasize in this table the SXDH communication cost (footnote 1), which is simply $k$-MDDH for $k = 1$. Our protocol is "nearly optimal" in the sense that it is still linear in the number of lines $m$, but the constant in front of $m$ is 1.

Footnote 1: Our OT and PAKE protocols are described in $k$-MDDH, but one directly obtains the SXDH versions by simply letting $k = 1$ in the commitment presented in Sect. 4.2 (see the full version of the paper [15] for details).
Table 1. Comparison with existing UC-secure OT schemes

  Scheme      | Flow | Communication complexity                                    | Assumption | 1-out-of
  ------------+------+-------------------------------------------------------------+------------+---------
  [28]        |  4   | 26 × G + 7 × Z_p                                            | DDH        | 2
  [1]         |  3   | (m + 8 log m) × G_1 + log m × G_2 + 1 × Z_p                 | SXDH       | m
  This paper  |  3   | (k + 3) × G_1 + (2 + (3 + k)m + k(k + 1)) × G_2 + m × Z_p   | k-MDDH     | m
  This paper  |  3   | 4 × G_1 + 12 × G_2 + 2 × Z_p                                | SXDH       | m


One-round adaptively secure PAKE. Then, we provide an instantiation of a one-round UC-secure PAKE under any $k$-MDDH assumption. Once again, we show in Sect. 6 that UC-security holds against adaptive adversaries, assuming reliable erasures and a single global CRS. Contrary to most existing one-round adaptively secure PAKE, our scheme enjoys a much better communication complexity while not leaking information about the length of the password used (see Table 2 for a comparison, in particular for the SXDH version). Only [40] achieves a slightly better complexity than ours, but only for SXDH, while ours easily extends to $k$-MDDH. Furthermore, our construction is an extension to SP-SPHF of well-known classical constructions based on SPHF, which makes it simpler to understand. We omit [17] from the table, as its contribution is to widen the construction to non-pairing-based hypotheses.

Anonymous Credential-Based Message Transmission. Typical credential use involves three main parties. Users interact with some authorities to obtain their credentials (a set of attributes validated/signed by the authority), and then prove to a server that a subset of their attributes satisfies an expected policy. We present a constant-size, round-optimal protocol that allows a user to retrieve a message with a credential, without revealing the anonymous credential, in a UC-secure way, by simply building on the technique proposed earlier in the paper.


Table 2. Comparison with existing UC-secure PAKE schemes where |password| = m

  Scheme      | Adaptive | One-round | Communication complexity                           | Assumption
  ------------+----------+-----------+----------------------------------------------------+-----------
  [2]         | yes      | no        | 2 × (2m + 22mλ) × G + OTS                          | DDH
  [44]        | no       | yes       | ≈ 2 × 70 × G                                       | DLIN
  [14]        | no       | yes       | 2 × 6 × G_1 + 2 × 5 × G_2                          | SXDH
  [1]         | yes      | yes       | 2 × 10m × G_1 + 2 × m × G_2                        | SXDH
  [40]        | yes      | yes       | 4 × G_1 + 4 × G_2                                  | SXDH
  This paper  | yes      | yes       | 2 × (k + 3) × G_1 + 2 × (k + 3 + k(k + 1)) × G_2   | k-MDDH
  This paper  | yes      | yes       | 2 × 4 × G_1 + 2 × 5 × G_2                          | SXDH

2 Definitions

2.1 Notations

If $x \in S^n$, then $|x|$ denotes the length $n$ of the vector, and by default vectors are assumed to be column vectors. Further, $x \xleftarrow{\$} S$ denotes the process of sampling an element $x$ from the set $S$ uniformly at random.


2.2 Primitives 

Encryption. An encryption scheme $\mathcal{E}$ is described through four algorithms (Setup, KeyGen, Encrypt, Decrypt), defined formally in Appendix A.1.

Commitments. We refer the reader to [1] for formal definitions and results, but we give here an informal overview to help the unfamiliar reader with what follows. A non-interactive labelled commitment scheme $\mathcal{C}$ is defined by three algorithms:

- $\mathsf{SetupCom}(1^{\mathfrak{K}})$ takes as input the security parameter $\mathfrak{K}$ and outputs the global parameters, passed through the CRS $\rho$ to all other algorithms;

- $\mathsf{Com}^{\ell}(x)$ takes as input a label $\ell$ and a message $x$, and outputs a pair $(C, \delta)$, where $C$ is the commitment of $x$ for the label $\ell$, and $\delta$ is the corresponding opening data (a.k.a. decommitment information). This is a probabilistic algorithm.

- $\mathsf{VerCom}^{\ell}(C, x, \delta)$ takes as input a commitment $C$, a label $\ell$, a message $x$, and the opening data $\delta$, and outputs 1 (true) if $\delta$ is a valid opening data for $C$, $x$ and $\ell$. It always outputs 0 (false) on $x = \bot$.

The basic properties required for commitments are correctness (for all correctly generated CRS $\rho$, all commitments and opening data honestly generated pass the VerCom verification test), the hiding property (the commitment does not leak any information about the committed value) and the binding property (no adversary can open a commitment in two different ways). More complex properties (equivocability and extractability) are required by the UC framework and are described in Appendix A.2 for lack of space.

Smooth Projective Hash Functions. SPHF were introduced by Cramer and Shoup [30] for constructing encryption schemes. A projective hashing family is a family of hash functions that can be evaluated in two ways: using the (secret) hashing key, one can compute the function on every point in its domain, whereas using the (public) projected key one can only compute the function on a special subset of its domain. Such a family is deemed smooth if the value of the hash function on any point outside the special subset is independent of the projected key. The notion of SPHF has already found numerous applications in various contexts in cryptography (e.g. [2,19,35,41]).

Definition 1 (Smooth Projective Hashing System). A Smooth Projective Hash Function over a language $\mathcal{L} \subset X$ is defined by five algorithms (Setup, HashKG, ProjKG, Hash, ProjHash):

- $\mathsf{Setup}(1^{\mathfrak{K}})$ generates the global parameters param of the scheme, and the description of an NP language $\mathcal{L}$;

- $\mathsf{HashKG}(\mathcal{L}, \mathrm{param})$ outputs a hashing key hk for the language $\mathcal{L}$;

- $\mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W)$ derives the projection key hp, using the hashing key hk;

- $\mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W)$ outputs a hash value $v$, thanks to the hashing key hk and $W$;

- $\mathsf{ProjHash}(\mathrm{hp}, (\mathcal{L}, \mathrm{param}), W, w)$ outputs the hash value $v'$, thanks to hp and the witness $w$ that $W \in \mathcal{L}$.

In the following, we consider $\mathcal{L}$ as a hard-partitioned subset of $X$, i.e. it is computationally hard to distinguish a random element in $\mathcal{L}$ from a random element in $X \setminus \mathcal{L}$.

A Smooth Projective Hash Function SPHF should satisfy the following properties:

- Correctness: Let $W \in \mathcal{L}$ and $w$ a witness of this membership. Then, for all hashing keys hk and associated projection keys hp we have

$$\mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W) = \mathsf{ProjHash}(\mathrm{hp}, (\mathcal{L}, \mathrm{param}), W, w).$$

- Smoothness: For all $W \in X \setminus \mathcal{L}$ the following distributions are statistically indistinguishable:

$$\Delta_0 = \left\{ (\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) \;\middle|\; \begin{array}{l} \mathrm{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathrm{hk} = \mathsf{HashKG}(\mathcal{L}, \mathrm{param}),\\ \mathrm{hp} = \mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W),\\ v = \mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W) \in \mathbb{G} \end{array} \right\}$$

$$\Delta_1 = \left\{ (\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) \;\middle|\; \begin{array}{l} \mathrm{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathrm{hk} = \mathsf{HashKG}(\mathcal{L}, \mathrm{param}),\\ \mathrm{hp} = \mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W),\ v \xleftarrow{\$} \mathbb{G} \end{array} \right\}$$

A third property, called Pseudo-Randomness, is implied by the Smoothness on Hard Subset membership languages. If $W \in \mathcal{L}$, then without a witness of membership the two previous distributions should remain computationally indistinguishable: for any adversary $\mathcal{A}$ within reasonable time the following advantage is negligible:

$$\mathrm{Adv}^{\mathrm{pr}}_{\mathsf{SPHF},\mathcal{A}}(\mathfrak{K}) = \left| \Pr_{\Delta_1}[\mathcal{A}(\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) = 1] - \Pr_{\Delta_0}[\mathcal{A}(\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) = 1] \right|$$

In [14], the authors introduced a new notation for SPHF: for a language $\mathcal{L}$, there exist a function $\Gamma$ and a family of functions $\Theta$ such that $u \in \mathcal{L}$ if and only if $\Theta(u)$ is a linear combination $\lambda$ of the rows of $\Gamma(u)$. We furthermore require that a user who knows a witness of the membership $u \in \mathcal{L}$ can efficiently compute the linear combination $\lambda$. The SPHF can then be described as:

- $\mathsf{HashKG}(\mathcal{L}, \mathrm{param})$ outputs a hashing key $\mathrm{hk} = \alpha$ for the language $\mathcal{L}$;

- $\mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), u)$ derives the projection key $\mathrm{hp} = \gamma(u)$;

- $\mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), u)$ outputs a hash value $H = \Theta(u) \odot \alpha$;

- $\mathsf{ProjHash}(\mathrm{hp}, (\mathcal{L}, \mathrm{param}), u, \lambda)$ outputs the hash value $H' = \lambda \odot \gamma(u)$.
In the special case where $\mathrm{hp} = \gamma(u) = \gamma$ is independent of the word, we speak of KV-SPHF when the projection key can be given before seeing the word $u$, and of CS-SPHF when the projection key, while independent of the word, is given after seeing it (in reference to [30,44], where those kinds of SPHF were first used). We give in Sect. 3.3 an example of KV-SPHF for Cramer-Shoup encryption, both in classical and new notations.

We will need a third property for our one-round PAKE protocol. This property, called strong pseudo-randomness in [14], is recalled in Appendix A.3 for lack of space.
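As an added example (not code from the paper), the Diffie-Hellman instance of the $\Gamma / \Theta / \lambda$ notation above in Python: the language is "$u = (h^r, g^r)$ is a DH tuple", $\Gamma(u) = (h, g)$ does not depend on $u$ (so the SPHF is KV: hp can be published before the word), $\Theta(u) = u$, and the witness is $\lambda = r$. The group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$), the generator choice, the trapdoor $z$ with $h = g^z$ and the function names are mine; the group is a toy size chosen so the example runs instantly, not a secure parameter. The last three checks of `demo` make smoothness visible: two hashing keys with the same hp agree on words in the language and disagree on a word outside it, so hp alone cannot determine the hash of a bad word.

```python
# Added example, not from the paper: a KV-SPHF for the Diffie-Hellman language in the
# Gamma / Theta / lambda notation of [14], over a TOY group (not a secure parameter).
#   Gamma(u) = (h, g)      independent of the word u  (KV-SPHF)
#   Theta(u) = (u_1, u_2)  the word itself
#   u in L  <=>  Theta(u) = lambda . Gamma(u) with lambda = r, i.e. u = (h^r, g^r)
import random

P = 1019                 # safe prime p = 2q + 1 (toy size)
Q = (P - 1) // 2         # q = 509, prime order of the subgroup we work in
G = 4                    # 2^2 mod p: a non-trivial quadratic residue, hence of order q
_Z = 123                 # toy trapdoor, h = g^z; only the smoothness demo uses it
H = pow(G, _Z, P)
GAMMA = (H, G)           # Gamma(u): the row of generators words are built from


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(P) and _is_prime(Q), "toy parameters must form a safe prime"


def _multi_exp(bases, exps):
    """'bases . exps' in multiplicative notation: prod bases[i]^exps[i] mod p."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * pow(b, e % Q, P) % P
    return acc


def word(r):
    """A word in L: u = lambda . Gamma(u) = (h^r, g^r), with witness lambda = r."""
    return (pow(H, r, P), pow(G, r, P))


def hash_kg(rng):
    """hk = alpha: one non-zero scalar per column of Gamma."""
    return (rng.randrange(1, Q), rng.randrange(1, Q))


def proj_kg(hk):
    """hp = gamma(u) = Gamma(u) . alpha = h^alpha_1 * g^alpha_2; independent of u."""
    return _multi_exp(GAMMA, hk)


def hash_(hk, u):
    """Hash(hk, u) = Theta(u) . alpha = u_1^alpha_1 * u_2^alpha_2; needs hk, not r."""
    return _multi_exp(u, hk)


def proj_hash(hp, r):
    """ProjHash(hp, u, lambda) = lambda . gamma(u) = hp^r; needs r, not hk."""
    return pow(hp, r, P)


def demo(seed=7):
    rng = random.Random(seed)
    hk = hash_kg(rng)
    hp = proj_kg(hk)                            # published before the word (KV)
    r = rng.randrange(1, Q)
    u_good = word(r)                            # in L
    u_bad = (pow(H, r + 1, P), pow(G, r, P))    # exponents differ: outside L
    # A second hashing key with the SAME projection key: since h = g^z, every
    # (a1, a2) with z*a1 + a2 constant gives the same hp.  Inside L both keys hash
    # alike; outside L they differ by g^z, so hp does not fix Hash(hk, u_bad).
    hk_alt = ((hk[0] + 1) % Q, (hk[1] - _Z) % Q)
    return {
        "correct": hash_(hk, u_good) == proj_hash(hp, r),
        "hp_does_not_fix_hash_outside_L": hash_(hk, u_bad) != proj_hash(hp, r),
        "same_hp": proj_kg(hk_alt) == hp,
        "same_hash_inside_L": hash_(hk_alt, u_good) == hash_(hk, u_good),
        "different_hash_outside_L": hash_(hk_alt, u_bad) != hash_(hk, u_bad),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every check in `demo` holds deterministically in this group: the bad word's hash differs from `hp^r` by $h^{\alpha_1}$ and the two keys differ on it by $g^z$, neither of which is the identity because $\alpha_1, z \not\equiv 0 \pmod q$.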


2.3 Building Blocks

Decisional Diffie-Hellman (DDH). The Decisional Diffie-Hellman hypothesis says that in a multiplicative group $(p, \mathbb{G}, g)$, when we are given $(g^{\lambda}, g^{\mu}, g^{\psi})$ for unknown random $\lambda, \mu, \psi \xleftarrow{\$} \mathbb{Z}_p$, it is hard to decide whether $\psi = \lambda \times \mu$.

Pairing groups. Let GGen be a probabilistic polynomial time (PPT) algorithm that on input $1^{\mathfrak{K}}$ returns a description $\mathcal{G} = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ of asymmetric pairing groups, where $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are cyclic groups of order $p$ for a $\mathfrak{K}$-bit prime $p$, $g_1$ and $g_2$ are generators of $\mathbb{G}_1$ and $\mathbb{G}_2$ respectively, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is an efficiently computable (non-degenerate) bilinear map. Define $g_T := e(g_1, g_2)$, which is a generator of $\mathbb{G}_T$.

Matricial Notations. If $\mathbf{A} \in \mathbb{Z}_p^{(k+1)\times n}$ is a matrix, then $\overline{\mathbf{A}} \in \mathbb{Z}_p^{k\times n}$ denotes the upper matrix of $\mathbf{A}$ and $\underline{\mathbf{A}} \in \mathbb{Z}_p^{1\times n}$ denotes the last row of $\mathbf{A}$. We use classical notations from [36] for operations on vectors ($\cdot$ for the dot product and $\odot$ for the component-wise product). Concatenation of matrices having the same number of rows will be denoted by $\mathbf{A}\|\mathbf{B}$ (where $a\|b + c$ should be implicitly parsed as $a\|(b + c)$).

We use the implicit representation of group elements as introduced in [33]. For $s \in \{1, 2, T\}$ and $a \in \mathbb{Z}_p$ define $[a]_s = g_s^a \in \mathbb{G}_s$ as the implicit representation of $a$ in $\mathbb{G}_s$ (we use $[a] = g^a \in \mathbb{G}$ if we consider a unique group). More generally, for a matrix $\mathbf{A} = (a_{ij}) \in \mathbb{Z}_p^{n\times m}$ we define $[\mathbf{A}]_s$ as the implicit representation of $\mathbf{A}$ in $\mathbb{G}_s$:

$$[\mathbf{A}]_s := \begin{pmatrix} g_s^{a_{11}} & \cdots & g_s^{a_{1m}} \\ \vdots & & \vdots \\ g_s^{a_{n1}} & \cdots & g_s^{a_{nm}} \end{pmatrix} \in \mathbb{G}_s^{n\times m}$$

We will always use this implicit notation of elements in $\mathbb{G}_s$, i.e., we let $[a]_s \in \mathbb{G}_s$ be an element in $\mathbb{G}_s$. Note that from $[a]_s \in \mathbb{G}_s$ it is generally hard to compute the value $a$ (discrete logarithm problem in $\mathbb{G}_s$). Further, from $[b]_T \in \mathbb{G}_T$ it is hard to compute the values $[b]_1 \in \mathbb{G}_1$ and $[b]_2 \in \mathbb{G}_2$ (pairing inversion problem). Obviously, given $[a]_s \in \mathbb{G}_s$ and a scalar $x \in \mathbb{Z}_p$, one can efficiently compute $[ax]_s \in \mathbb{G}_s$. Further, given $[a]_1$ and $[b]_2$ one can efficiently compute $[ab]_T$ using the pairing $e$. For $\mathbf{a}, \mathbf{b} \in \mathbb{Z}_p^k$ define $e([\mathbf{a}]_1, [\mathbf{b}]_2) := [\mathbf{a}^{\top}\mathbf{b}]_T \in \mathbb{G}_T$.

If $a \in \mathbb{Z}_p$, we define the $(k+1)$-vector $\iota_s(a) := (1_s, \ldots, 1_s, [a]_s)$ (this notion can be implicitly extended to vectors $\mathbf{a} \in \mathbb{Z}_p^n$), and the $(k+1)\times(k+1)$ matrix $\iota_T(a)$.

Assumptions. We recall the definition of the Matrix Diffie-Hellman (MDDH) assumption [33].

Definition 2 (Matrix Distribution). Let $k \in \mathbb{N}$. We call $\mathcal{D}_k$ a matrix distribution if it outputs matrices in $\mathbb{Z}_p^{(k+1)\times k}$ of full rank $k$ in polynomial time.

Without loss of generality, we assume the first $k$ rows of $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$ form an invertible matrix. The $\mathcal{D}_k$-Matrix Diffie-Hellman problem is to distinguish the two distributions $([\mathbf{A}], [\mathbf{A}\mathbf{w}])$ and $([\mathbf{A}], [\mathbf{u}])$, where $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$, $\mathbf{w} \xleftarrow{\$} \mathbb{Z}_p^k$ and $\mathbf{u} \xleftarrow{\$} \mathbb{Z}_p^{k+1}$.

Definition 3 ($\mathcal{D}_k$-Matrix Diffie-Hellman Assumption, $\mathcal{D}_k$-MDDH). Let $\mathcal{D}_k$ be a matrix distribution and $s \in \{1, 2, T\}$. We say that the $\mathcal{D}_k$-Matrix Diffie-Hellman ($\mathcal{D}_k$-MDDH) Assumption holds relative to GGen in group $\mathbb{G}_s$ if for all PPT adversaries $\mathcal{D}$,

$$\mathrm{Adv}_{\mathcal{D}_k,\mathsf{GGen}}(\mathcal{D}) := \left| \Pr[\mathcal{D}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{w}]_s) = 1] - \Pr[\mathcal{D}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{u}]_s) = 1] \right| = \mathrm{negl}(\lambda),$$

where the probability is taken over $\mathcal{G} \xleftarrow{\$} \mathsf{GGen}(1^{\lambda})$, $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$, $\mathbf{w} \xleftarrow{\$} \mathbb{Z}_p^k$, $\mathbf{u} \xleftarrow{\$} \mathbb{Z}_p^{k+1}$.

For each $k \geq 1$, [33] specifies distributions $\mathcal{L}_k, \mathcal{U}_k, \ldots$ such that the corresponding $\mathcal{D}_k$-MDDH assumption is the $k$-Linear assumption, the $k$-uniform assumption and others. All assumptions are generically secure in bilinear groups and form a hierarchy of increasingly weaker assumptions. The distributions are exemplified for $k = 2$, where $a_1, \ldots, a_6 \xleftarrow{\$} \mathbb{Z}_p$:

$$\mathcal{L}_2 : \mathbf{A} = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix}, \qquad \mathcal{U}_2 : \mathbf{A} = \begin{pmatrix} a_1 & a_2 \\ a_3 & a_4 \\ a_5 & a_6 \end{pmatrix}.$$

It was also shown in [33] that $\mathcal{U}_k$-MDDH is implied by all other $\mathcal{D}_k$-MDDH assumptions. In the following, we write $k$-MDDH for $\mathcal{D}_k$-MDDH.

Lemma 4 (Random self-reducibility [33]). For any matrix distribution $\mathcal{D}_k$, $\mathcal{D}_k$-MDDH is random self-reducible. In particular, for any $m \geq 1$,

$$\mathrm{Adv}_{\mathcal{D}_k,\mathsf{GGen}}(\mathcal{D}) + \frac{1}{p-1} \geq \mathrm{Adv}^{m}_{\mathcal{D}_k,\mathsf{GGen}}(\mathcal{D}'),$$

where $\mathrm{Adv}^{m}_{\mathcal{D}_k,\mathsf{GGen}}(\mathcal{D}') := \Pr[\mathcal{D}'(\mathcal{G}, [\mathbf{A}], [\mathbf{A}\mathbf{W}]) = 1] - \Pr[\mathcal{D}'(\mathcal{G}, [\mathbf{A}], [\mathbf{U}]) = 1]$, with $\mathcal{G} \xleftarrow{\$} \mathsf{GGen}(1^{\lambda})$, $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$, $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_p^{k\times m}$, $\mathbf{U} \xleftarrow{\$} \mathbb{Z}_p^{(k+1)\times m}$.
Remark: It should be noted that $\mathcal{L}_1$ and $\mathcal{L}_2$ are respectively the SXDH and DLin assumptions, which we recall below for completeness.

Definition 5 (Decisional Linear (DLin [20])). The Decisional Linear hypothesis says that in a multiplicative group $(p, \mathbb{G}, g)$, when we are given $(g^{\lambda}, g^{\mu}, g^{\alpha\lambda}, g^{\beta\mu}, g^{\psi})$ for unknown random $\alpha, \beta, \lambda, \mu \xleftarrow{\$} \mathbb{Z}_p$, it is hard to decide whether $\psi = \alpha + \beta$.

Definition 6 (Symmetric External Diffie-Hellman (SXDH [9])). This variant of DDH, used mostly in bilinear groups in which no computationally efficient homomorphism exists from $\mathbb{G}_2$ to $\mathbb{G}_1$ or from $\mathbb{G}_1$ to $\mathbb{G}_2$, states that DDH is hard in both $\mathbb{G}_1$ and $\mathbb{G}_2$.

Labelled Cramer-Shoup Encryption. We present here the well-known encryption scheme based on DDH, and we show in Sect. 4 how to extend it to $\mathcal{D}_k$-MDDH. We focus on Cramer-Shoup [29] in the rest of the paper, but one easily obtains the same results for the IND-CPA ElGamal scheme [32] by simply omitting the corresponding parts. We rely on the IND-CCA property to be able to decrypt queries in the simulation.

Vanilla Cramer-Shoup Encryption. The Cramer-Shoup encryption scheme is an IND-CCA version of the ElGamal encryption. We present it here as a labelled public-key encryption scheme; the classical version is obtained with $\ell = \emptyset$.

- $\mathsf{Setup}(1^{\mathfrak{K}})$ generates a group $\mathbb{G}$ of order $p$, with a generator $g$;

- $\mathsf{KeyGen}(\mathrm{param})$ generates $(g_1, g_2) \xleftarrow{\$} \mathbb{G}^2$, $\mathrm{dk} = (x_1, x_2, y_1, y_2, z) \xleftarrow{\$} \mathbb{Z}_p^5$, and sets $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$ and $h = g_1^{z}$. It also chooses a collision-resistant hash function $\mathfrak{H}_K$ in a hash family $\mathcal{H}$ (or simply a Universal One-Way Hash Function). The encryption key is $\mathrm{ek} = (g_1, g_2, c, d, h, \mathfrak{H}_K)$.

- $\mathsf{Encrypt}(\ell, \mathrm{ek}, M; r)$, for a message $M \in \mathbb{G}$ and a random scalar $r \in \mathbb{Z}_p$, the ciphertext is $C = (\ell, \mathbf{u} = (g_1^r, g_2^r), e = M \cdot h^r, v = (c d^{\xi})^r)$, where $v$ is computed afterwards with $\xi = \mathfrak{H}_K(\ell, \mathbf{u}, e)$.

- $\mathsf{Decrypt}(\ell, \mathrm{dk}, C)$: one first computes $\xi = \mathfrak{H}_K(\ell, \mathbf{u}, e)$ and checks whether $u_1^{x_1 + \xi y_1} \cdot u_2^{x_2 + \xi y_2} \overset{?}{=} v$. If equality holds, one computes $M = e / (u_1^{z})$ and outputs $M$. Otherwise, one outputs $\bot$.

The security of the scheme is proven under the DDH assumption and the fact that the hash function used is a Universal One-Way Hash Function.

In a follow-up work [30], they refined the proof, explaining that the scheme can be viewed as a 2-Universal Hash Proof on the language of valid Diffie-Hellman tuples.

Vanilla Cramer-Shoup Encryption with Matricial Notations.

- $\mathsf{Setup}(1^{\mathfrak{K}})$ generates a group $\mathbb{G}$ of order $p$, with a generator $g$, with an underlying matrix assumption $\mathcal{D}_1$ using a base matrix $[\mathbf{A}] \in \mathbb{G}^{2\times 1}$;

- $\mathsf{KeyGen}(\mathrm{param})$ generates $\mathrm{dk} = \mathbf{t}_1, \mathbf{t}_2, \mathbf{z} \xleftarrow{\$} \mathbb{Z}_p^2$ (with $\mathbf{t}_1 = (x_1, x_2)$, $\mathbf{t}_2 = (y_1, y_2)$ and $\mathbf{z} = (z, 1)$), and sets $\mathbf{c} = \mathbf{t}_1\mathbf{A}$, $\mathbf{d} = \mathbf{t}_2\mathbf{A}$, $\mathbf{h} = \mathbf{z}\mathbf{A}$. It also chooses a hash function $\mathfrak{H}_K$ in a collision-resistant hash family $\mathcal{H}$ (or simply a Universal One-Way Hash Function). The encryption key is $\mathrm{ek} = ([\mathbf{A}], [\mathbf{c}], [\mathbf{d}], [\mathbf{h}], \mathfrak{H}_K)$.

- $\mathsf{Encrypt}(\ell, \mathrm{ek}, [m]; r)$, for a message $M = [m] \in \mathbb{G}$ and a random scalar $r \xleftarrow{\$} \mathbb{Z}_p$, the ciphertext is $C = (\ell, \mathbf{u} = [\mathbf{A}r], e = [\mathbf{h}r + m], v = [(\mathbf{c} + \mathbf{d} \odot \xi) r])$, where $v$ is computed afterwards with $\xi = \mathfrak{H}_K(\ell, \mathbf{u}, e)$.

- $\mathsf{Decrypt}(\ell, \mathrm{dk}, C)$: one first computes $\xi = \mathfrak{H}_K(\ell, \mathbf{u}, e)$ and checks whether $v$ is consistent with $\mathbf{t}_1, \mathbf{t}_2$. If it is, one computes $M = [e - (\mathbf{u}\cdot\mathbf{z})]$ and outputs $M$. Otherwise, one outputs $\bot$.

Groth-Sahai Proof System. Groth and Sahai [36] proposed non-interactive zero-knowledge proofs of satisfiability of certain equations over bilinear groups, called pairing product equations. Using as witness group elements (and scalars) which satisfy the equation, the prover starts by making commitments to them. To prove satisfiability of an equation (which is the statement of the proof), a Groth-Sahai proof uses these commitments and shows that the committed values satisfy the equation. The proof again consists of group elements and is verified by a pairing equation derived from the statement.

We refer to [36] for details of the Groth-Sahai proof system, and to [33] for the compatibility with the $k$-MDDH assumptions. More details can be found in the full version of the paper [15]. We give here a rough idea of the technique for SXDH.

To prove that committed variables satisfy a set of relations, the Groth-Sahai techniques require one commitment per variable and one proof element (made of a constant number of group elements) per relation. Such proofs are available for pairing-product relations and for multi-exponentiation equations.

When based on the SXDH assumption, the commitment key is of the form $\mathbf{u}_1 = (u_{1,1}, u_{1,2}), \mathbf{u}_2 = (u_{2,1}, u_{2,2}) \in \mathbb{G}_1^2$ and $\mathbf{v}_1 = (v_{1,1}, v_{1,2}), \mathbf{v}_2 = (v_{2,1}, v_{2,2}) \in \mathbb{G}_2^2$. We write

$$\mathbf{u} = \begin{pmatrix} u_{1,1} & u_{1,2} \\ u_{2,1} & u_{2,2} \end{pmatrix} \quad \text{and} \quad \mathbf{v} = \begin{pmatrix} v_{1,1} & v_{1,2} \\ v_{2,1} & v_{2,2} \end{pmatrix}.$$

The Setup algorithm initializes the parameters as follows: $\mathbf{u}_1 = (g_1, u)$ with $u = g_1^{\lambda}$ and $\mathbf{u}_2 = \mathbf{u}_1^{\mu}$ with $\lambda, \mu \xleftarrow{\$} \mathbb{Z}_p^*$, which means that $\mathbf{u}$ is a Diffie-Hellman tuple in $\mathbb{G}_1$, since $\mathbf{u}_1 = (g_1, g_1^{\lambda})$ and $\mathbf{u}_2 = (g_1^{\mu}, g_1^{\lambda\mu})$. The TSetup algorithm will use instead $\mathbf{u}_2 = \mathbf{u}_1^{\mu} \odot (1, g_1)$: $\mathbf{u}_1 = (g_1, g_1^{\lambda})$ and $\mathbf{u}_2 = (g_1^{\mu}, g_1^{\lambda\mu + 1})$. And it is the same in $\mathbb{G}_2$ for $\mathbf{v}$. Depending on the definition of $\mathbf{u}_2, \mathbf{v}_2$, this commitment can be either perfectly hiding or perfectly binding. The two parameter initializations are indistinguishable under the SXDH assumption.

To commit to $X \in \mathbb{G}_1$, one chooses randomness $s_1, s_2 \in \mathbb{Z}_p$ and sets

$$\mathcal{C}(X) = (1, X) \odot \mathbf{u}_1^{s_1} \odot \mathbf{u}_2^{s_2} = (1, X) \odot (u_{1,1}^{s_1}, u_{1,2}^{s_1}) \odot (u_{2,1}^{s_2}, u_{2,2}^{s_2}) = (u_{1,1}^{s_1} \cdot u_{2,1}^{s_2},\ X \cdot u_{1,2}^{s_1} \cdot u_{2,2}^{s_2}).$$

Similarly, one can commit to elements in $\mathbb{G}_2$ and to scalars in $\mathbb{Z}_p$. The committed group elements can be extracted if $\mathbf{u}_2$ is linearly dependent on $\mathbf{u}_1$, by knowing the discrete logarithm $x_1$ between $u_{1,1}$ and $u_{1,2}$: $c_2 / (c_1^{x_1}) = X$.

In the following we are going to focus on proofs of linear multi-scalar exponentiation in $\mathbb{G}_1$, that is to say we are going to prove equations of the form $\prod_i A_i^{y_i} = A$, where the $A_i$ are public elements in $\mathbb{G}_1$ and the $y_i$ are scalars committed in $\mathbb{G}_2$.
2.4 Protocols

UC Framework. The goal of this simulation-based model [22] is to ensure that UC-secure protocols will continue to behave in the ideal way even if executed in a concurrent way in arbitrary environments. Due to lack of space, a short introduction to the UC framework is given in the full version of the paper [15].

Oblivious Transfer and Password-Authenticated Key-Exchange. The security properties for these two protocols are given in terms of ideal functionalities in the full version of the paper [15].

3 Structure-Preserving Smooth Projective Hashing

3.1 Definition

In this section, we narrow the classical definition of Smooth Projective Hash Functions to what we call Structure-Preserving Smooth Projective Hash Functions, in which words, witnesses and projection keys are all group elements.

Since witnesses now become group elements, this allows full compatibility with the Groth-Sahai methodology [36], such that for instance possessing a Non-Interactive Zero-Knowledge Proof of Knowledge can become a witness for our SP-SPHF, leading to interesting applications, as described later on.

As we are in the context of Structure-Preserving cryptography, we assume the existence of a (prime-order) bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, g_1, g_2, \mathbb{G}_T, e)$, and consider languages (sets of elements) $\mathcal{L}$ defined over this group. The hash space is usually $\mathbb{G}_T$, the projection key space a group $\mathbb{G}_1^{m} \times \mathbb{G}_2^{n}$ and the witness space a group $\mathbb{G}_1^{m'} \times \mathbb{G}_2^{n'}$.

Definition 7 (Structure-Preserving Smooth Projective Hash Functions). A Structure-Preserving Smooth Projective Hash Function over a language $\mathcal{L} \subset X$ onto a set $\mathcal{H}$ is defined by 4 algorithms (HashKG, ProjKG, Hash, ProjHash):

- $\mathsf{HashKG}(\mathcal{L}, \mathrm{param})$ outputs a hashing key hk for the language $\mathcal{L}$;

- $\mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W)$ derives the projection key hp thanks to the hashing key hk;

- $\mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W)$ outputs a hash value $H \in \mathcal{H}$, thanks to the hashing key hk and $W$;

- $\mathsf{ProjHash}(\mathrm{hp}, (\mathcal{L}, \mathrm{param}), W, w)$ outputs the value $H' \in \mathcal{H}$, thanks to hp and the witness $w$ that $W \in \mathcal{L}$.

Remark 8. We stress that, contrary to classical SPHF, hp, $W$ and, more importantly, $w$ are all base group elements, and so live in the same space.
3.2 Properties

Properties are then inherited from those of classical Smooth Projective Hash Functions.

- Correctness: On honest computations with $(W, w)$ compatible with $\mathcal{L}$, we have $\mathsf{ProjHash}(\mathrm{hp}, (\mathcal{L}, \mathrm{param}), W, w) = \mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W)$.

- Smoothness: For all $W \in X \setminus \mathcal{L}$ the following distributions are statistically indistinguishable:

$$\Delta_0 = \left\{ (\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) \;\middle|\; \begin{array}{l} \mathrm{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathrm{hk} = \mathsf{HashKG}(\mathcal{L}, \mathrm{param}),\\ \mathrm{hp} = \mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W),\\ v = \mathsf{Hash}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W) \in \mathbb{G}_T \end{array} \right\}$$

$$\Delta_1 = \left\{ (\mathcal{L}, \mathrm{param}, W, \mathrm{hp}, v) \;\middle|\; \begin{array}{l} \mathrm{param} = \mathsf{Setup}(1^{\mathfrak{K}}),\ \mathrm{hk} = \mathsf{HashKG}(\mathcal{L}, \mathrm{param}),\\ \mathrm{hp} = \mathsf{ProjKG}(\mathrm{hk}, (\mathcal{L}, \mathrm{param}), W),\ v \xleftarrow{\$} \mathbb{G}_T \end{array} \right\}$$

This is formalized by requiring that

$$\mathrm{Adv}^{\mathrm{smooth}}_{\mathsf{SPHF}}(\mathfrak{K}) = \sum_{v \in \mathbb{G}} \left| \Pr_{\Delta_1}[v' = v] - \Pr_{\Delta_0}[v' = v] \right|$$

is negligible.

As usual, a derivative property called Pseudo-Randomness says that the previous distributions remain computationally indistinguishable for words in the language while the witnesses remain unknown. This is implied by the Smoothness on Hard Subset membership languages.


3.3 Retro-Compatibility

Constructing SP-SPHF is not that hard a task. A first naive approach transforms every pairing-less SPHF into an SP-SPHF in a bilinear setting. It should be noted that while the resulting Hash/ProjHash values live in the target group, nearly all use cases call for applying a proper hash function to them before computing anything with their value, hence the communication cost remains the same. (Only applications where one of the parties has to provide an additional proof that the ProjHash was honestly computed might be lost, but besides the proof of negativity from [18], this never arises.)

To this end, simply given a new generator $f \in \mathbb{G}_2$ and a scalar witness vector $\lambda$, one generates the new witness vector $\Lambda = [f \odot \lambda]_2$. Words and projection keys belong to $\mathbb{G}_1$, and hash values to $\mathbb{G}_T$. Any SPHF can thus be transformed into an SP-SPHF in the following way:

                          SPHF                      SP-SPHF
  Word u                  [λ ⊙ Γ(u)]_1              [λ ⊙ Γ(u)]_1
  Witness w               λ                         Λ = [f ⊙ λ]_2
  hk                      α                         α
  hp = [γ(u)]_1           [Γ(u) ⊙ α]_1              [Γ(u) ⊙ α]_1
  Hash(hk, u)             [Θ(u) ⊙ α]_1              [f ⊙ Θ(u) ⊙ α]_T
  ProjHash(hp, u, w)      [λ ⊙ γ(u)]_1              [Λ ⊙ γ(u)]_T

- Correctness is inherited for words in $\mathcal{L}$, as this reduces to computing the same values but in $\mathbb{G}_T$.

- Smoothness: For words outside the language, the projection keys, remaining unchanged, do not reveal new information, so that the smoothness remains preserved.

- Pseudo-Randomness: Without any witness, words inside the language are indistinguishable from words outside the language (under the subgroup decision assumption), hence the hash values remain pseudo-random.

It should be noted that in case this does not weaken the subgroup decision assumption ($k$-MDDH in the following) linked to the original language, one can set $\mathbb{G}_1 = \mathbb{G}_2$.

We give in Fig. 1 two examples of regular Smooth Projective Hash Functions on Diffie-Hellman and Cramer-Shoup encryptions of $M$, where $\alpha = \mathfrak{H}_K(\mathbf{u}, e)$, and their counterparts with SP-SPHF. ElGamal being a simplification of Cramer-Shoup, we skip the description of the associated SP-SPHF. We also give in Fig. 2 the matricial version of Cramer-Shoup encryption, in which we denote by $C'$ the Cramer-Shoup encryption $C$ of $M$ from which $M$ has been removed.



                          SPHF                                                  SP-SPHF
  DH                      h^r, g^r                                              h^r, g^r
  Witness w               r                                                     g_2^r
  hk                      λ, μ                                                  λ, μ
  hp                      h^λ g^μ                                               h^λ g^μ
  Hash(hk, u)             (h^r)^λ (g^r)^μ                                       e((h^r)^λ (g^r)^μ, g_2)
  ProjHash(hp, u, w)      hp^r                                                  e(hp, g_2^r)

  CS(M; r)                h^r M, f^r, g^r, (c d^α)^r                            h^r M, f^r, g^r, (c d^α)^r
  Witness w               r                                                     g_2^r
  hk                      λ_1, λ_2, μ, ν, η                                     λ_1, λ_2, μ, ν, η
  hp                      h^{λ_1} f^μ g^ν c^η, h^{λ_2} d^η                      h^{λ_1} f^μ g^ν c^η, h^{λ_2} d^η
  Hash(hk, u)             H = (h^r)^{λ_1 + αλ_2} (f^r)^μ (g^r)^ν ((c d^α)^r)^η   e(H, g_2)
  ProjHash(hp, u, w)      (hp_1 hp_2^α)^r                                       e(hp_1 hp_2^α, g_2^r)
                          (with hp = (hp_1, hp_2))

Fig. 1. Example of conversion of classical SPHF into SP-SPHF
                          SPHF                                                  SP-SPHF
  CS(M; r)                [B r + (0, 0, 0, d)^⊤ α r + (M, 0, 0, 0)^⊤]           [B r + (0, 0, 0, d)^⊤ α r + (M, 0, 0, 0)^⊤]_1
                          = [h r + M, A r, (c + d α) r]                         = [h r + M, A r, (c + d α) r]_1
                          with B = (h, f, g, c)^⊤
  Witness w               r                                                     [r]_2
  hk                      λ_1, λ_2, μ, ν, η                                     λ_1, λ_2, μ, ν, η
  hp                      hp_1 = [(λ_1, μ, ν, η) · B]_1                          [hp_1]_1, [hp_2]_1
                          hp_2 = [(λ_2, 0, 0, η) · (h, 0, 0, d)^⊤]_1
  Hash(hk, u)             [(λ_1 + αλ_2, μ, ν, η) · C']                          [(λ_1 + αλ_2, μ, ν, η) · C']_T
  ProjHash(hp, u, w)      [(hp_1 + α hp_2) r]                                   [(hp_1 + α hp_2) r]_T

Fig. 2. Example of conversion of SPHF into SP-SPHF (matricial notations)


3.4 Possible Applications

Nearly Constant 1-out-of-m Oblivious Transfer Using FLM. Recent pairing-based constructions [1,28] of Oblivious Transfer use SPHF to mask each line of a database with the hash value of an SPHF on the language corresponding to the first flow being a commitment of the said line.

Sadly, those constructions require special UC commitments on scalars, with equivocation and extraction capacities, leading to very inefficient constructions. In 2011, [34] proposed a UC commitment whose decommitment operation is done via group elements. In Sect. 5, we show how to combine the existing constructions with this efficient commitment using SP-SPHF, in order to obtain a very efficient round-optimal protocol in which there is no longer a growing overhead due to the commitment. As a side result, we show how to generalize the FLM commitment to any MDDH assumption.

Round-Optimal Password Authenticated Key Exchange with Adaptive Corruptions. Recent developments around SPHF-based PAKE have either led to round-optimal PAKE in the BPR model [11], or with static corruptions [14,44]. In order to achieve round-optimality, [1] needs to do a bit-per-bit commitment of the password, inducing a communication cost proportional to the maximum password length.

In the following, we show how to take advantage of the SP-SPHF constructed on the FLM commitment to propose a one-round PAKE UC-secure against adaptive adversaries, providing a constant communication cost.

Using a ZKPK as a witness, Anonymous Credentials. The previous applications allow more efficient instantiations of protocols already using scalar-based SPHF. However, one can imagine additional scenarios where a scalar-based approach may not be possible, due to the inherent nature of the witness used.
For example, consider a strong authentication scenario in which each user possesses an identifier delivered by an authority, and a certification on a commitment to this identifier, together with a proof of knowledge that this commitment is indeed a commitment to this identifier. (Such a scenario can be transposed to the delivery of a Social Security Number, where a standalone SSN may not be that useful, but an SSN officially linked to someone is sensitive information that should be hidden.) In this scenario, a user who wants to access his record on a government service where he is already registered would give the certificate, and then use an implicit proof that it corresponds to his identifier. With our technique, the server would learn neither the certificate in the clear nor the user identifier (if it did not possess it earlier), and the user would be able to authenticate only if his certificate is indeed on his committed identifier.

In our scenario, we could even add an additional step, such that Alice does not interact directly with Bob but can instead use a proxy named Carol. She could send to Carol a commitment to the signature on her identity, prove in a black-box way that it is a valid signature on an identity, and let Carol do the interaction on her behalf. For example, to allow a medical practitioner to access some part of her medical record concerning an ongoing treatment, Carol would need to anonymously prove to the server that she is indeed a registered medical practitioner, and that Alice has given her access to her data.

4 Encryption and Commitment Schemes Based on k-MDDH

4.1 k-MDDH Cramer-Shoup Encryption

In this paper, we supersede the previous constructions with a k-MDDH based one:

- Setup($1^{\mathfrak K}$) generates a group $\mathbb{G}$ of order $p$, with an underlying matrix assumption using a base matrix $[A] \in \mathbb{G}^{(k+1)\times k}$;

- KeyGen(param) generates $dk = (t_1, t_2, z) \leftarrow \mathbb{Z}_p^{k+1}$, and sets $c = t_1 A \in \mathbb{Z}_p^k$, $d = t_2 A \in \mathbb{Z}_p^k$, $h = zA \in \mathbb{Z}_p^k$. It also chooses a hash function $\mathfrak{H}_K$ in a collision-resistant hash family $\mathcal{H}$ (or simply a Universal One-Way Hash Function). The encryption key is $ek = ([c], [d], [h], [A], \mathfrak{H}_K)$.

- Encrypt($\ell$, ek, $[m]$; $r$), for a message $M = [m] \in \mathbb{G}$ and random scalars $r \leftarrow \mathbb{Z}_p^k$, the ciphertext is $C = (u = [Ar],\ e = [hr + m],\ v = [(c + d \odot \xi) r])_1$, where $v$ is computed afterwards with $\xi = \mathfrak{H}_K(\ell, u, e)$.

- Decrypt($\ell$, dk, $C$): one first computes $\xi = \mathfrak{H}_K(\ell, u, e)$ and checks whether $v$ is consistent with $t_1, t_2$. If it is, one computes $M = [e - (uz)]$ and outputs $M$. Otherwise, one outputs $\bot$.

Theorem 9. The k-MDDH Cramer-Shoup Encryption is IND-CCA2 under the k-MDDH assumption and the collision resistance (universal one-wayness) of the Hash Family.

Proof. To sketch the proof of the theorem, one should remember that the original proof articulates around three main cases, noting $\xi, u, e, v$ the challenge query, and $\xi', u', e', v'$ the current decryption query:

- $(\xi, u, e) = (\xi', u', e')$ but $v \neq v'$. This will fail as $v$ is computed to be the correct checksum, hence we can directly reject the decryption query.

- $(\xi, u, e) \neq (\xi', u', e')$ but $\xi = \xi'$: this is a collision on the Hash Function.

- $(\xi, u, e, v) \neq (\xi', u', e', v')$ and $\xi \neq \xi'$. This is the argument revolving around the 2-Universality of the Hash Proof System defined by $c, d$. $c, d$ give $2k$ equations in $2k + 2$ variables, hence answering decryption queries always in the same span can give at most 1 more equation, leaving at least 1 degree of freedom in the system. □
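As an added example (not the paper's code), here is a toy instantiation of this k-MDDH Cramer-Shoup scheme in a prime-order subgroup of $\mathbb{Z}_P^*$ for a freshly generated small safe prime; it assumes the paper's group order $p$ is written Q, the brackets $[x] = g^x$ are written multiplicatively, and $\mathfrak{H}_K$ is SHA-256 reduced mod Q. It exercises the decryption-time consistency check from the first proof case: a mauled $v$ and a ciphertext presented under the wrong label are both rejected before any unmasking happens.

```python
# Toy k-MDDH Cramer-Shoup (Sect. 4.1); added example, not the paper's code.
# Assumptions: group = order-Q subgroup of Z_P^* for a freshly generated small
# safe prime P = 2Q + 1 (toy size, not secure; the paper's group order "p" is
# our Q), [x] = g^x written multiplicatively, and H_K = SHA-256 reduced mod Q.
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with the first 12 primes as bases: exact for n < 3.3e24."""
    if n < 2:
        return False
    if any(n % p == 0 for p in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

class Group:
    """Order-Q subgroup of Z_P^*, P = 2Q + 1, generated by g = 4 (a square)."""
    def __init__(self, bits=40):
        while True:  # safe-prime search: Q prime, so every square has order Q
            q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if is_prime(q) and is_prime(2 * q + 1):
                self.P, self.Q, self.g = 2 * q + 1, q, 4
                return

    def lift(self, x):  # [x] = g^x, the paper's bracket notation
        return pow(self.g, x % self.Q, self.P)

    def multi_exp(self, elems, exps):  # prod elems[i]^exps[i] = [<row, r>]
        acc = 1
        for b, x in zip(elems, exps):
            acc = acc * pow(b, x % self.Q, self.P) % self.P
        return acc

    def rand_vec(self, n):
        return [secrets.randbelow(self.Q) for _ in range(n)]

class CramerShoupMDDH:
    """Setup + KeyGen of Sect. 4.1: public ek = ([c],[d],[h],[A]), dk = (t1,t2,z)."""
    def __init__(self, grp, k):
        self.grp, self.k = grp, k
        self.A = [grp.rand_vec(k) for _ in range(k + 1)]  # A in Z_Q^{(k+1) x k}
        t1, t2, z = (grp.rand_vec(k + 1) for _ in range(3))
        self.dk = (t1, t2, z)
        self.ek = {"A": [[grp.lift(a) for a in row] for row in self.A],
                   "c": [grp.lift(x) for x in self.vec_mat(t1)],  # [c] = [t1 A]
                   "d": [grp.lift(x) for x in self.vec_mat(t2)],  # [d] = [t2 A]
                   "h": [grp.lift(x) for x in self.vec_mat(z)]}   # [h] = [z A]

    def vec_mat(self, t):  # row vector t in Z_Q^{k+1} times A -> Z_Q^k
        return [sum(t[i] * self.A[i][j] for i in range(self.k + 1)) % self.grp.Q
                for j in range(self.k)]

    def xi(self, label, u, e):  # xi = H_K(label, u, e) in Z_Q
        data = label.encode() + b"|" + b",".join(str(x).encode() for x in u + [e])
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.grp.Q

    def encrypt(self, label, M, r=None):
        """C = (u = [Ar], e = [hr] M, v = [(c + xi d) r]) for r in Z_Q^k."""
        g, ek = self.grp, self.ek
        r = g.rand_vec(self.k) if r is None else r
        u = [g.multi_exp(row, r) for row in ek["A"]]
        e = g.multi_exp(ek["h"], r) * M % g.P
        x = self.xi(label, u, e)
        cd = [c * pow(d, x, g.P) % g.P for c, d in zip(ek["c"], ek["d"])]  # [c + xi d]
        return u, e, g.multi_exp(cd, r)

    def decrypt(self, label, C):
        """Check v against (t1, t2) first; only a consistent ciphertext is unmasked."""
        g, (t1, t2, z) = self.grp, self.dk
        u, e, v = C
        x = self.xi(label, u, e)
        # v must equal [(t1 + xi t2) u] = [(t1 + xi t2) A r] = [(c + xi d) r].
        if v != g.multi_exp(u, [(a + x * b) % g.Q for a, b in zip(t1, t2)]):
            return None  # the paper's "bottom": reject without decrypting
        return e * pow(g.multi_exp(u, z), -1, g.P) % g.P  # M = e / [z u] = e / [h r]

def demo(k=2):
    """Honest round trip, then two ciphertexts the consistency check rejects."""
    cs = CramerShoupMDDH(Group(), k)
    grp = cs.grp
    M = grp.lift(42)  # constructed message, a group element [m]
    label = "sid-1|Alice|Bob"
    u, e, v = cs.encrypt(label, M)
    return (cs.decrypt(label, (u, e, v)) == M,
            cs.decrypt(label, (u, e, v * grp.g % grp.P)) is None,  # mauled v
            cs.decrypt("sid-2|Alice|Bob", (u, e, v)) is None)      # wrong label
```

`demo()` returns `(True, True, True)`; the rejection of the wrong-label ciphertext relies on $\xi$ changing with the label, which is exactly what ties $v$ to the session in the commitment of Sect. 4.2.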

Structure-Preserving Smooth Projective Hash Function. For ease of readability we are going to set $B = (A \,\|\, h \,\|\, c)$ and $D = (0 \,\|\, 0 \,\|\, d)$, so that $C' = [Br + \xi Dr]_1$ is the ciphertext without the message $M$ (its components are $[Ar]_1$, $[hr]_1$ and $[(c + d \odot \xi) r]_1$).

- HashKG($\ell$, param) chooses $\lambda \leftarrow \mathbb{Z}_p^{(k+2) \times 1}$, $\lambda_{k+2} \leftarrow \mathbb{Z}_p$ and sets $hk_1 = \lambda$, $hk_2 = (0, \ldots, 0, \lambda_{k+2})^T$;

- ProjKG($hk$, ($\ell$, param), $W$) outputs $hp_1 = hk_1^T B$, $hp_2 = hk_2^T (h \,\|\, 0 \,\|\, d)$;

- Hash($hk$, ($\ell$, param), $W$) outputs a hash value $H = [(hk_1 + \xi hk_2)^T C']_T$;

- ProjHash($hp$, ($\ell$, param), $W$, $w$) outputs the value $H' = [(hp_1 + \xi hp_2)\, r]_T$.

The Smoothness comes inherently from the fact that we have $2k + 2$ unknowns in $hk$ while $hp$ gives at most $2k$ equations. Hence an adversary has a negligible chance to find the real values.

4.2 A Universally Composable Commitment with Adaptive Security Based on MDDH

We first show how to simply generalize FLM's commitment [34] from DLin to k-MDDH.

FLM's Commitment on DLin. At Asiacrypt 2011, Fischlin, Libert and Manulis presented a universally composable commitment [34] with adaptive security based on the Decision Linear assumption [20]. We show here how to generalize their scheme to the Matrix Decisional Diffie-Hellman assumption from [33] and recalled in Sect. 2. We first start by recalling their original scheme. Note that sid denotes the session identifier and cid the commitment identifier and that the combination (sid, cid) is globally unique, as in [34,37].
- CRS Generation: SetupCom($1^{\mathfrak K}$) chooses a bilinear group $(p, \mathbb{G}, \mathbb{G}_T)$ of order $p > 2^{\mathfrak K}$, a generator $g$ of $\mathbb{G}$, and sets $g_1 = g^{\alpha_1}$ and $g_2 = g^{\alpha_2}$ with random $\alpha_1, \alpha_2 \in \mathbb{Z}_p^*$. It defines the vectors $\vec{g}_1 = (g_1, 1, g)$, $\vec{g}_2 = (1, g_2, g)$ and $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \vec{g}_2^{\,\xi_2}$ with random $\xi_1, \xi_2 \in \mathbb{Z}_p^*$, which form a Groth-Sahai CRS $\vec{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ for the perfect soundness setting. It then chooses a collision-resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p$ and generates a public key $pk = (X_1, \ldots, X_6)$ for the linear Cramer-Shoup encryption scheme. The CRS consists of $crs = (\mathfrak K, \mathbb{G}, \mathbb{G}_T, g, \vec{g}, H, pk)$.

- Commitment algorithm: Com(crs, $M$, sid, cid, $P_i$, $P_j$), to commit to message $M \in \mathbb{G}$ for party $P_j$, party $P_i$ parses crs as $(\mathfrak K, \mathbb{G}, \mathbb{G}_T, g, \vec{g}, H, pk)$ and conducts the following steps:

  • It chooses random exponents $r, s$ in $\mathbb{Z}_p$ and computes a linear Cramer-Shoup encryption $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ of $M \in \mathbb{G}$ under the label $\ell = P_i \| \mathrm{sid} \| \mathrm{cid}$ and the public key $pk$.

  • It generates a NIZK proof $\pi_{val\text{-}enc}$ that $\psi_{CS} = (U_1, U_2, U_3, U_4, U_5)$ is indeed a valid encryption of $M \in \mathbb{G}$. This requires to commit to the exponents $r, s$ and prove that these exponents satisfy the multi-exponentiation equations $U_1 = g_1^{\,r}$, $U_2 = g_2^{\,s}$, $U_3 = g^{r+s}$, $U_4/M = X_3^{\,r} X_6^{\,s}$ and the corresponding equation for $U_5$.

  • $P_i$ erases $(r, s)$ after the generation of $\pi_{val\text{-}enc}$ but retains $D_M = \pi_{val\text{-}enc}$.

  The commitment is $\psi_{CS}$.

- Verification algorithm: the algorithm VerCom(crs, $M$, $D_M$, sid, cid, $P_i$, $P_j$) checks the proof $\pi_{val\text{-}enc}$ and ignores the opening if the verification fails.

- Opening algorithm: OpenCom(crs, $M$, $D_M$, sid, cid, $P_i$, $P_j$) reveals $M$ and $D_M = \pi_{val\text{-}enc}$ to $P_j$.

The extraction algorithm uses the Cramer-Shoup decryption algorithm, while the equivocation uses the simulator of the NIZK. It is shown in [1] that the IND-CCA security notion for $\mathcal{E}$ and the computational soundness of $\pi$ make it strongly-binding-extractable, while the IND-CCA security notion and the zero-knowledge property of the NIZK provide the strong-simulation-indistinguishability.

Moving to k-MDDH: We now show how to extend the previous commitment to the k-MDDH assumption. Compared to the original version of the commitment, we split the proof $\pi_{val\text{-}enc}$ into its two parts: the NIZK proof denoted here as $[\Pi]_1$ is still revealed during the opening algorithm, while the Groth-Sahai commitment $[R]_2$ of the randomness $r$ of the Cramer-Shoup encryption is sent during the commitment phase. Furthermore, since the hash value in the Cramer-Shoup encryption is used to link the commitment with the session, we include this value $[R]_2$ in the label, in order to ensure that this extra commitment information given with the ciphertext is the original one. We refer the reader to the original security proof in [34, Theorem 1], which remains exactly the same, since this additional commitment provides no information (either computationally or perfectly, depending on the CRS), and since the commitment $[R]_2$ is not modified in the equivocation step (only the value $[\Pi]_1$ is changed).
- CRS Generation: algorithm SetupCom($1^{\mathfrak K}$) chooses a bilinear asymmetric group $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ of order $p > 2^{\mathfrak K}$, and a set of generators $[A]_1$ corresponding to the underlying matrix assumption.

  As explained in [33], following their notations, one can define a Groth-Sahai CRS by picking $w \leftarrow \mathbb{Z}_p^{k+1}$, and setting $[U]_2 = [B \,\|\, Bw]_2$ for a hiding CRS, and $[B \,\|\, Bw + (0 \| z)^T]_2$ otherwise, where $[B]_2$ is a k-MDDH basis, and $w, z$ are the elements defining the challenge vector.

  For the Cramer-Shoup like CCA-2 encryption, one additionally picks $t_1, t_2, z \leftarrow \mathbb{Z}_p^{k+1}$, and a Universal One-Way Hash Function $H$, and sets $[h]_1 = [z \cdot A]_1$, $[c]_1 = [t_1 \cdot A]_1$, $[d]_1 = [t_2 \cdot A]_1$.

  The CRS consists of $crs = (\mathfrak K, p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, [A]_1 \in \mathbb{G}_1^{k \times (k+1)}, [U]_2, [h]_1 \in \mathbb{G}_1^k, [c]_1 \in \mathbb{G}_1^k, [d]_1 \in \mathbb{G}_1^k, H)$.

- Commitment algorithm: Com(crs, $M$, sid, cid, $P_i$, $P_j$), to commit to message $M \in \mathbb{G}_1$ for party $P_j$, party $P_i$ conducts the following steps:

  • It chooses random exponents $r$ in $\mathbb{Z}_p^k$ and commits to $r$ in $[R]_2$ with randomness $\rho \leftarrow \mathbb{Z}_p^{k \times (k+1)}$, setting $[R]_2 = [U\rho + \iota_2(r)]_2 \in \mathbb{G}_2^{k \times (k+1)}$. It also computes a Cramer-Shoup encryption $\psi_{CS} = [C]_1$ of $M \in \mathbb{G}_1$ under the label $\ell = P_i \| \mathrm{sid} \| \mathrm{cid}$ and the public key $pk$:

  $[C]_1 = [Ar \,\|\, hr + M \,\|\, (c + d \odot H(\ell \| C_1 \| C_2 \| R))\, r]_1 = [C_1 \,\|\, C_2 \,\|\, C_3]_1$

  For simplicity we write $\ell' = \ell \| [C_1]_1 \| [C_2]_1 \| [R]_2$.

  • It generates a NIZK proof $D_M = [\Pi]_1$ that $\psi_{CS}$ is indeed a valid encryption of $M \in \mathbb{G}_1$ for the committed $r$ in $[R]_2$. This requires to prove that these exponents satisfy the multi-exponentiation equations:

  $[C_1]_1 = [Ar]_1, \qquad [C_2 - M]_1 = [hr]_1, \qquad [C_3]_1 = [(c + d \odot H(\ell'))\, r]_1$

  The associated proof is then $[\Pi]_1 = [\rho^T (A \,\|\, h \,\|\, c + d \odot H(\ell'))]_1$.

  • $P_i$ erases $r$ after the generation of $[R]_2$ and $[\Pi]_1$ but retains $D_M = [\Pi]_1$. The commitment is $([C]_1, [R]_2)$.

- Verification algorithm: the algorithm VerCom(crs, $M$, $D_M$, sid, cid, $P_i$, $P_j$) checks the consistency of the proof $\pi_{val\text{-}enc}$ with respect to $[C]_1$ and $[R]_2$, and ignores the opening if the verification fails.

- Opening algorithm: OpenCom(crs, $M$, $D_M$, sid, cid, $P_i$, $P_j$) reveals $M$ and $D_M = [\Pi]_1$ to $P_j$.

One can easily see that $[C_3]_1$ is the projective hash computation of a 2-universal hash proof on the language “$[C_1]_1$ in the span of $A$”, with $[C_2]_1$ being an additional term that uses the same witness to mask the committed message, so that $[C]_1$ is a proper generalization of the Cramer-Shoup CCA-2 encryption. Details on the k-MDDH Groth-Sahai proofs are given in the paper full version [15].

It is thus easy to see that this commitment is indeed a generalization of the FLM non-interactive UC commitment with adaptive corruption under reliable erasures (in which we switched the CRS, the Cramer-Shoup encryption and the Groth-Sahai proof to the k-MDDH setting).
4.3 A Structure-Preserving Smooth Projective Hash Function Associated with This Commitment

Structure-Preserving Smooth Projective Hash Function. We now want to supersede the verification equation of the commitment by a smooth projective hash function providing implicit decommitment, simply using the proof as a witness. We consider the language of the valid encryptions of $M$ using a random $r$ which is committed into $[R]_2$:

$\mathcal{L}_M = \{\, [C]_1 \mid \exists r\ \exists \rho \text{ such that } [R]_2 = [U\rho + \iota_2(r)]_2 \text{ and } [C]_1 = [Ar \,\|\, hr + M \,\|\, (c + d \odot H(\ell \| C_1 \| C_2 \| R))\, r]_1 \,\}$

The verifier picks a random $hk = \alpha \leftarrow \mathbb{Z}_p^{(k+3) \times (k+1)}$ and sets $hp = [\alpha \odot U]_2$.

On one side, the verifier then computes:

$\mathrm{Hash}(hk, ([C]_1, [R]_2)) = [\alpha \odot ((C_1 \,\|\, C_2 - M \,\|\, C_3) - (A \,\|\, h \,\|\, c + d \odot H(\ell')) \cdot R)]_T$

while the prover computes $\mathrm{ProjHash}(hp, \Pi) = [\Pi \cdot hp]_T$.

- Correctness: comes directly from the previous equations.

- Smoothness: on a binding CRS, the last column is in the span of the $k$ first (which are simply $[B]_2$), hence as the rows of $hk$ live in $\mathbb{Z}_p^{k+1}$, the $k$ equations given in $hp$ are not enough to determine its value and so it is still perfectly hidden from an information-theoretic point of view.

- Pseudo-Randomness: Under the MDDH assumption, the subset membership decision is a hard problem, as the generalized Cramer-Shoup is IND-CCA-2, and $[R]_2$ is an IND-CPA commitment to $r$.

Theorem 10. Under the k-MDDH assumption, the above SP-SPHF is strongly pseudo-random on a perfectly hiding CRS.

For the sake of compactness, the proof is postponed to the paper full version [15].

Efficiency. The rough size of a projection key is $k \times (k + 3)$ (number of elements in each proof times number of proofs). It should be noted that for a CS-SPHF (in the case of the oblivious transfer), instead of repeating the projection key $k + 3$ times (in order to verify each component of the Cramer-Shoup), one can generate a value $\varepsilon \in \mathbb{Z}_p$, an $hp$ for a single equation, and say that for the other components one simply uses $hp^{\varepsilon}$, as the trick explained in [1].

5 Application: Nearly Optimal Size 1-out-of-m Oblivious Transfer

5.1 Main Idea of the Construction

Our oblivious transfer scheme builds upon that presented by Abdalla et al. at Asiacrypt 2013 [1]. In their scheme, the authors use an SPHF-friendly commitment (which is a notion stronger than a UC commitment) along with its associated SPHF in a now classical way to implicitly open the commitment. They claim that the commitment presented in [34] cannot be used in such an application, since it is not “robust”, which is a security notion meaning that one cannot produce a commitment and a label that extracts to $x'$ (possibly $x' = \bot$) such that there exists a valid opening data to a different input $x$, even with oracle access to the extraction oracle (ExtCom) and to fake commitments (using SCom). Indeed, because of the perfectly-hiding setting of Groth-Sahai proofs, for any ciphertext $C$ and for any message $x$, there exists a proof $\Pi$ that makes the verification of $C$ on $x$ succeed. However, we show in this section that in spite of this result, such a commitment can indeed be used in a relatively close construction of an oblivious transfer scheme. To this aim, we use our construction of a structure-preserving SPHF on FLM's commitment, simply using the decommitment value (a Groth-Sahai proof) as the witness, presented in Sect. 4.3.

It should be noted that the commitment used in [1,2] has the major drawback of leaking the bit-length of the committed message. While in the application to Oblivious Transfer this is not a major problem, for PAKE this is a way more sensitive issue, as we show in the next section. Moreover, using FLM's commitment is conceptually simpler, since the equivocation only needs to modify the witness, allowing the user to compute honestly its message in the commitment phase, whereas in the original commitments a specific flow had to be sent during the commitment phase (with a different computation and more witnesses for the SPHF than in the honest computation of the commitment).

5.2 A Universally Composable Oblivious Transfer with Adaptive Security Based on MDDH

We denote by DB the database of the server containing $t = 2^m$ lines, and $j$ the line requested by the user in an oblivious way. We assume the existence of a Pseudo-Random Generator (PRG) $F$ with input size equal to the plaintext size and output size equal to the size of the messages in the database, and an IND-CPA encryption scheme $\mathcal{E} = (\mathrm{Setup}_{cpa}, \mathrm{KeyGen}_{cpa}, \mathrm{Encrypt}_{cpa}, \mathrm{Decrypt}_{cpa})$ with plaintext size at least equal to the security parameter. The commitment used is the variant of [34] described above. It is denoted as $\mathrm{Com}^{\ell}$ in the description of the scheme, with $\ell$ being a label. Note that sid denotes the session identifier, ssid the subsession identifier and cid the commitment identifier and that the combination (sid, cid) is globally unique, as in [34,37].

We present our construction in Fig. 3, following the global framework presented in [1], for an easier efficiency comparison (we achieve near optimality in the sense that the size is linear in the number of lines of the database, but with a constant equal to 1 only).

Theorem 11. The oblivious transfer scheme described in Fig. 3 is UC-secure in the presence of adaptive adversaries, assuming reliable erasures and authenticated channels.

The proof is given in the paper full version [15] for completeness.
CRS generation: $crs \leftarrow \mathrm{SetupCom}(1^{\mathfrak K})$, $param_{cpa} \leftarrow \mathrm{Setup}_{cpa}(1^{\mathfrak K})$.

Pre-flow:

1. Server generates a key pair $(pk, sk) \leftarrow \mathrm{KeyGen}_{cpa}(param_{cpa})$ for $\mathcal{E}$, stores $sk$ and completely erases the random coins used by KeyGen

2. Server sends $pk$ to User

Index query on $j$:

1. User chooses a random value $J$, computes $S \leftarrow F(J)$ and encrypts $J$ under $pk$: $c \leftarrow \mathrm{Encrypt}_{cpa}(pk, J)$

2. User computes $([C]_1, [R]_2, [\Pi]_1) \leftarrow \mathrm{Com}^{\ell}(crs, j, \mathrm{sid}, \mathrm{cid}, P_i, P_j)$ with the label $\ell = (\mathrm{sid}, \mathrm{ssid}, P_i, P_j)$

3. User stores $[\Pi]_1$ and completely erases $J$ and the random coins used by Com and $\mathrm{Encrypt}_{cpa}$ and sends $[C]_1$, $[R]_2$ and $c$ to Server

Database input $(n_1, \ldots, n_t)$:

1. Server decrypts $J \leftarrow \mathrm{Decrypt}_{cpa}(sk, c)$ and computes $S \leftarrow F(J)$

2. For $s = 1, \ldots, t$, Server computes $hk_s \leftarrow \mathrm{HashKG}(\mathcal{L}_s)$, $hp_s \leftarrow \mathrm{ProjKG}(hk_s, \mathcal{L}_s)$, $K_s \leftarrow \mathrm{Hash}(hk_s, (\mathcal{L}_s, (\ell, [C]_1, [R]_2)))$, and $N_s \leftarrow S \oplus K_s \oplus n_s$

3. Server erases everything except $(hp_s, N_s)_{s = 1, \ldots, t}$ and sends them over a secure channel

Data recovery:

Upon receiving $(hp_s, N_s)_{s = 1, \ldots, t}$, User computes $K_j \leftarrow \mathrm{ProjHash}(hp_j, (\mathcal{L}_j, \ell, [C]_1, [R]_2), [\Pi]_1)$ and gets $n_j \leftarrow S \oplus K_j \oplus N_j$.

Fig. 3. UC-Secure 1-out-of-t OT from an SPHF-Friendly Commitment (for Adaptive Security)


6 Application: Adaptive and Length-Independent One-Round PAKE

Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high-entropy secret key that depends on their own passwords only. Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols [43], where the two players just have to send simultaneous flows to each other. Following their idea, [14] proposed a round-optimal PAKE protocol UC secure against passive corruptions. On the other hand, [2] proposed the first protocol UC secure against adaptive corruptions, and [1] built upon both [43] and [2] to propose the first one-round protocol UC secure against adaptive corruptions. Unfortunately, both of them share a drawback, which is that they use a commitment growing linearly with the length of a password. Besides being an efficiency problem, it is above all a security issue in the UC framework. Indeed, the simulator somehow has to “guess” the length of the password of the player it simulates, otherwise it is unable to equivocate the commitment (since the commitment reveals the length of the password it commits to). Since such a guess is impossible, the apparently only solution to get rid of this limitation seems to be to give the users an upper bound on the length of their passwords and to ask them to compute commitments of this length, which leads to costly computations.

In this section, we are now going to present a constant-size, round-optimal PAKE UC secure against adaptive corruptions. It builds upon the protocol proposed in [1], using the same techniques as in the former section to avoid the apparent impossibility of using FLM's commitment.

It should be noted that we need the classical requirement for extraction capabilities (see for example [16,47] for a detailed explanation), i.e. a password $pw$ is assumed to be a bit-string of length bounded by $\log p - 2$, and then one can use a bijective embedding function $\mathcal{G}$ mapping $\{0,1\}^{|p|-2}$ into $\mathbb{G}_1$. For the sake of simplicity, we continue to write $pw_i$ in the high-level description, but it should be interpreted as a commitment to $\mathcal{G}(pw_i)$.

The language $\mathcal{L}_{pw_i}$ is then the language of valid Cramer-Shoup encryptions of the embedded password $\mathcal{G}(pw_i)$, consistent with the randomness committed in the second part, and the rest of the label.

Theorem 12. The Password Authenticated Key Exchange scheme described in Fig. 4 is UC-secure in the presence of adaptive adversaries, assuming reliable erasures and authenticated channels.

The proof is given in the paper full version [15] for completeness.


CRS: $crs \leftarrow \mathrm{SetupCom}(1^{\mathfrak K})$.

Protocol execution by $P_i$ with $pw_i$:

1. $P_i$ generates $hk_i \leftarrow \mathrm{HashKG}(\mathcal{L}_{pw_i})$, $hp_i \leftarrow \mathrm{ProjKG}(hk_i, \mathcal{L}_{pw_i})$ and erases any random coins used for the generation

2. $P_i$ computes $([C_i]_1, [R_i]_2, [\Pi_i]_1) = \mathrm{Com}^{\ell_i}(crs, pw_i, \mathrm{sid}, \mathrm{cid}, P_i, P_j)$ with $\ell_i = (\mathrm{sid}, P_i, P_j, hp_i)$

3. $P_i$ stores $[\Pi_i]_1$, completely erases the random coins used by Com and sends $hp_i$, $[C_i]_1$, $[R_i]_2$ to $P_j$

Key computation: Upon receiving $hp_j$, $[C_j]_1$, $[R_j]_2$ from $P_j$

1. $P_i$ computes $H'_i \leftarrow \mathrm{ProjHash}(hp_j, (\mathcal{L}_{pw_i}, \ell_i, [C_i]_1, [R_i]_2), [\Pi_i]_1)$ and $H_j \leftarrow \mathrm{Hash}(hk_i, (\mathcal{L}_{pw_i}, \ell_j, [C_j]_1, [R_j]_2))$ with $\ell_j = (\mathrm{sid}, P_j, P_i, hp_j)$

2. $P_i$ computes $sk_i = H'_i \cdot H_j$ and erases everything else, except $pw_i$.

Fig. 4. UC-Secure PAKE from the revisited FLM Commitment
7 Application: Anonymous Credential-Based Message Transmission

Anonymous Credential protocols [21,27,31] allow one to combine security and privacy. Typical credential use involves three main parties. Users need to interact with some authorities to obtain their credentials (assumed to be a set of attributes validated / signed), and then prove to a server that a subpart of their attributes satisfies an expected policy.

In this section, we give another go to Anonymous Credentials, this time to allow message recovery. This lies between Anonymous Credentials, Conditional Oblivious Transfer [51] and Oblivious Signature-Based Envelope [46].

We present a constant-size, round-optimal protocol that allows one to use a Credential to retrieve a message without revealing the Anonymous Credentials, in a UC-secure way, by simply building on the commitment proposed earlier in the paper.

7.1 Anonymous Credential System

In an Attribute-Based Credential system, we assume that different organizations issue credentials to users. A user $i$ possesses a set of credentials $\mathrm{Cred}_i$ of the form $\{\mathrm{Cred}_{i,j}, vk_j\}$ where organization $j$ assesses that the user satisfies some property. (The DMV will assess that the user is indeed capable of driving, the university that she has a bachelor in Computer Science, while Squirrel Airways that she reached the gold membership; all those authorities don't communicate with each other.)

A Server might have an access Policy $P$ requiring some elements (for example being a female, with a bachelor, and capable of driving).

- Setup($1^{\mathfrak K}$): A probabilistic algorithm that gets a security parameter $\mathfrak K$ and an upper bound $t$ for the size of attribute sets, and returns the public parameters param.

- OKeyGen(param): Generates a pair of signing keys $sk_j, vk_j$ for each organization.

- UKeyGen(param): Generates a pair of keys $sk_i, vk_i$ for each user.

- CredObtain($(U_i, sk_i), (O_j, sk_j)$): Interactive process that allows a user $i$ to obtain some credentials from organization $j$ by providing his public key $vk_i$ and a proof that it belongs to him.

- CredUse($(U_i, \mathrm{Cred}_i, sk_i), (S, P, M)$): Interactive process that allows a user $i$ to access a message guarded by the server $S$ under some policy $P$ by using the already obtained credentials.

An attribute-based anonymous credential system is called secure if it is correct, unforgeable and anonymous.
CRS generation: $crs \leftarrow \mathrm{SetupCom}(1^{\mathfrak K})$, $param_{cpa} \leftarrow \mathrm{Setup}_{cpa}(1^{\mathfrak K})$.

Pre-flow:

1. Server generates a key pair $(pk, sk) \leftarrow \mathrm{KeyGen}_{cpa}(param_{cpa})$ for $\mathcal{E}$, stores $sk$ and completely erases the random coins used by KeyGen

2. Server sends $pk$ to User

Credential Use by user $i$:

1. User chooses a random value $J$, computes $S \leftarrow F(J)$ and encrypts $J$ under $pk$: $c \leftarrow \mathrm{Encrypt}_{cpa}(pk, J)$

2. User computes $([C]_1, [R]_2, [\Pi]_1) \leftarrow \mathrm{Com}^{\ell}(crs, \mathrm{Cred}_i, \mathrm{sid}, \mathrm{cid}, P_i, P_j)$ with $\ell = (\mathrm{sid}, \mathrm{ssid}, P_i, P_j)$

3. User stores $[\Pi]_1$ and completely erases $J$ and the random coins used by Com and $\mathrm{Encrypt}_{cpa}$ and sends $[C]_1$, $[R]_2$ and $c$ to Server

Database input $M$ with policy $P$:

1. Server decrypts $J \leftarrow \mathrm{Decrypt}_{cpa}(sk, c)$ and computes $S \leftarrow F(J)$

2. Server computes $hk_P \leftarrow \mathrm{HashKG}(\mathcal{L}_P)$, $hp_P \leftarrow \mathrm{ProjKG}(hk_P, \mathcal{L}_P)$, $K_P \leftarrow \mathrm{Hash}(hk_P, (\mathcal{L}_P, (\ell, [C]_1, [R]_2)))$, and $N_P \leftarrow S \oplus K_P \oplus M$

3. Server erases everything except $(hp_P, N_P)$ and sends them over a secure channel

Data recovery:

Upon receiving $(hp_P, N_P)$, User computes $K \leftarrow \mathrm{ProjHash}(hp_P, (\mathcal{L}_P, \ell, [C]_1, [R]_2), [\Pi]_1)$ and gets $M \leftarrow S \oplus K \oplus N_P$.

Fig. 5. UC-Secure Anonymous Credential from an SP-SPHF-Friendly Commitment (for Adaptive Security).


7.2 Construction

Smooth Projective Hash Functions have been shown to handle complex languages [2,13]; those properties can naturally be extended to Structure-Preserving Smooth Projective Hash Functions, allowing credentials to be expressed as disjunctions / conjunctions of sets of credentials, range proofs, or even compositions (having a credential from authority A signed by authority B, for example).

What is really new with the Structure-Preserving part is that now a user can request to have a credential on a witness by requiring a Structure-Preserving signature on it, while before, scalars either required giving too much information to the server B or prevented chaining, as most signatures require some sort of hashing (BLS requires an explicit hash, while signatures à la Waters require handling a bit-per-bit version of the message, drastically hindering the efficiency of the protocol). This allows more possibilities in both the Credential Generation step and the policy required for accessing messages, while maintaining an efficient construction.

Theorem 13. The Anonymous Credential Protocol described in Fig. 5 is UC-secure in the presence of adaptive adversaries, assuming reliable erasures and authenticated channels.

The ideal functionality and a sketch of the proof are given in the paper full version [15] for completeness.

A Commitments and Smooth Projective Hash Functions

A.1 Encryption

An encryption scheme $\mathcal{E}$ is described through four algorithms (Setup, KeyGen, Encrypt, Decrypt):

- Setup($1^{\mathfrak K}$), where $\mathfrak K$ is the security parameter, generates the global parameters param of the scheme;

- KeyGen(param) outputs a pair of keys, a (public) encryption key ek and a (private) decryption key dk;

- Encrypt(ek, $M$; $\rho$) outputs a ciphertext $C$, on $M$, under the encryption key ek, with the randomness $\rho$;

- Decrypt(dk, $C$) outputs the plaintext $M$ encrypted in the ciphertext $C$, or $\bot$.

Such an encryption scheme is required to have the following security properties:

- Correctness: For every pair of keys (ek, dk) generated by KeyGen, every message $M$, and every random $\rho$, we should have Decrypt(dk, Encrypt(ek, $M$; $\rho$)) $= M$.

- Indistinguishability under Adaptive Chosen Ciphertext Attack IND-CCA (see [49,52]): An adversary should not be able to efficiently guess which message has been encrypted even if he chooses the two original plaintexts, and asks for several decryptions of ciphertexts different from the challenge one.

The ODecrypt oracle outputs the decryption of $c$ under the challenge decryption key dk. The input queries $(c)$ are added to the list $CT$ of decrypted ciphertexts.

$\mathrm{Exp}^{\mathrm{ind\text{-}cca\text{-}}b}_{\mathcal{E},\mathcal{A}}(\mathfrak K)$

1. param $\leftarrow$ Setup($1^{\mathfrak K}$)

2. (ek, dk) $\leftarrow$ KeyGen(param)

3. $(M_0, M_1) \leftarrow \mathcal{A}$(FIND : ek, ODecrypt($\cdot$))

4. $c^* \leftarrow$ Encrypt(ek, $M_b$)

5. $b' \leftarrow \mathcal{A}$(GUESS : $c^*$, ODecrypt($\cdot$))

6. IF $(c^*) \in CT$ RETURN 0

7. ELSE RETURN $b'$
A.2 Commitments

A commitment scheme is said equivocable if it has a second setup SetupComT($1^{\mathfrak K}$) that additionally outputs a trapdoor $\tau$, and two algorithms

- SimCom$^{\ell}(\tau)$ takes as input the trapdoor $\tau$ and a label $\ell$ and outputs a pair $(C, eqk)$, where $C$ is a commitment and eqk an equivocation key;

- OpenCom$^{\ell}(eqk, C, x)$ takes as input a commitment $C$, a label $\ell$, a message $x$, an equivocation key eqk, and outputs an opening data $\delta$ for $C$ and $\ell$ on $x$,

such that the following properties are satisfied: trapdoor correctness (all simulated commitments can be opened on any message), setup indistinguishability (one cannot distinguish the CRS $\rho$ generated by SetupCom from the one generated by SetupComT) and simulation indistinguishability (one cannot distinguish a real commitment (generated by Com) from a fake commitment (generated by SCom), even with oracle access to fake commitments), denoting by SCom the algorithm that takes as input the trapdoor $\tau$, a label $\ell$ and a message $x$ and which outputs $(C, \delta) \leftarrow$ SCom$^{\ell}(\tau, x)$, computed as $(C, eqk) \leftarrow$ SimCom$^{\ell}(\tau)$ and $\delta \leftarrow$ OpenCom$^{\ell}(eqk, C, x)$.

A commitment scheme $\mathcal{C}$ is said to be extractable if it has a second setup SetupComT($1^{\mathfrak K}$) that additionally outputs a trapdoor $\tau$, and a new algorithm

- ExtCom$^{\ell}(\tau, C)$ which takes as input the trapdoor $\tau$, a commitment $C$, and a label $\ell$, and outputs the committed message $x$, or $\bot$ if the commitment is invalid,

such that the following properties are satisfied: trapdoor correctness (all commitments honestly generated can be correctly extracted: for all $\ell, x$, if $(C, \delta) \leftarrow$ Com$^{\ell}(x)$ then ExtCom$^{\ell}(C, \tau) = x$), setup indistinguishability (as above) and binding extractability (one cannot fool the extractor, i.e., produce a commitment and a valid opening data to an input $x$ while the commitment does not extract to $x$).

A commitment scheme is said extractable and equivocable if the indistinguishable setup algorithm outputs a common trapdoor that allows both equivocability and extractability, and the following properties are satisfied: strong simulation indistinguishability (one cannot distinguish a real commitment (generated by Com) from a fake commitment (generated by SCom), even with oracle access to the extraction oracle (ExtCom) and to fake commitments (using SCom)) and strong binding extractability (one cannot fool the extractor, i.e., produce a commitment and a valid opening data (not given by SCom) to an input $x$ while the commitment does not extract to $x$, even with oracle access to the extraction oracle (ExtCom) and to fake commitments (using SCom)).

A.3 Smooth Projective Hash Functions Used with Commitments

The strong pseudo-randomness property, from [14], is defined by the experiment $\mathrm{Exp}^{\mathrm{s\text{-}ps\text{-}rand\text{-}}b}_{\mathcal{A}}(\mathfrak K)$ depicted in Fig. 6. It is a strong version of the pseudo-randomness where the adversary is also given the hash value of a commitment of its choice (obviously not generated by SCom or SimCom though, hence the test with $\Lambda$, which also contains $(C, \ell, x)$). This property only makes sense when the projection key does not depend on the word $C$ to be hashed. It thus applies to KV-SPHF and CS-SPHF only.

$\mathrm{Exp}^{\mathrm{s\text{-}ps\text{-}rand\text{-}}b}_{\mathcal{A}}(\mathfrak K)$

$(\rho, \tau) \leftarrow$ SetupComT($1^{\mathfrak K}$)

$(\ell, x, state) \leftarrow \mathcal{A}^{\mathrm{SCom}^{\cdot}(\tau,\cdot),\, \mathrm{ExtCom}^{\cdot}(\tau,\cdot)}(\rho)$; $C \leftarrow$ SimCom$^{\ell}(\tau)$

$hk \leftarrow$ HashKG($\mathcal{L}_x$); $hp \leftarrow$ ProjKG($hk, \mathcal{L}_x, \bot$)

If $(b = 0)$ $H \leftarrow$ Hash($hk, \mathcal{L}_x, (\ell, C)$)

Else $H \leftarrow \Pi$

$(\ell', C', state) \leftarrow \mathcal{A}^{\mathrm{SCom}^{\cdot}(\tau,\cdot),\, \mathrm{ExtCom}^{\cdot}(\tau,\cdot)}(state, C, hp, H)$

If $((\ell', ?, C') \in \Lambda)$ THEN $H' \leftarrow \bot$

Else $H' \leftarrow$ Hash($hk, \mathcal{L}_x, (\ell', C')$)

Return $\mathcal{A}^{\mathrm{SCom}^{\cdot}(\tau,\cdot),\, \mathrm{ExtCom}^{\cdot}(\tau,\cdot)}(H')$

Fig. 6. Strong Pseudo-Randomness
Abstract. A recent line of works - initiated by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010) - gave lattice-based constructions allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions are still limited to static sets of users, which cannot be dynamically updated. This work provides new tools enabling the design of anonymous authentication systems whereby new users can join the system at any time.

Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction is well-suited to the design of anonymous credentials and group signatures. It indeed provides the first lattice-based group signature supporting dynamically growing populations of users.

As a critical component of our group signature, we provide a simple joining mechanism of introducing new group members using our signature scheme. This technique is combined with zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. These tools provide similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, they allow group members to generate their own public key without having to prove knowledge of the underlying secret key. This results in a two-message joining protocol supporting concurrent enrollments, which can be used in other settings such as group encryption.

Our zero-knowledge arguments are presented in a unified framework where: (i) The involved statements reduce to arguing possession of a $\{-1, 0, 1\}$-vector $\mathbf{x}$ with a particular structure and satisfying $\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$ for some public matrix $\mathbf{P}$ and vector $\mathbf{v}$; (ii) The reduced statements can be handled using permuting techniques for Stern-like protocols. Our framework can serve as a blueprint for proving many other relations in lattice-based cryptography.
1 Introduction 

Lattice-based cryptography is currently emerging as a promising alternative to 
traditional public-key techniques. During the last decade, it has received a per- 
manent interest due to its numerous advantages. Not only does it seemingly 
resist quantum attacks, it also provides a better asymptotic efficiency than its 
relatives based on conventional number theory. While enabling many advanced 
functionalities [41,44,45], lattice-based primitives tend to interact with zero- 
knowledge proofs [43] less smoothly than their counterparts in abelian groups 
endowed with a bilinear map (see, e.g., [2,18,31,38,49]) or groups of hidden 
order [6,26,29,30]. Arguably, this partially arises from the fact that lattices 
have far less algebraic structure than, e.g., pairing-friendly cyclic groups. It is 
not surprising that the most efficient zero-knowledge proofs for lattice-related 
languages [15] take advantage of the extra algebraic structure available in the ring 
setting [64]. A consequence of the scarcity of truly efficient zero-knowledge proofs 
in the lattice setting is that, in the context of anonymity and privacy-preserving 
protocols, lattice-based cryptography has undergone significantly slower devel- 
opment than in other areas like functional encryption [44,45]. While natural 
realizations of ring signatures [70] showed up promptly [22,52] after the seminal 
work of Gentry, Peikert and Vaikuntanathan (GPV) [42], viable constructions 
of lattice-based group signatures remained lacking until the work of Gordon, 
Katz and Vaikuntanathan [46] in 2010. Despite recent advances [14,57,62,66], 
privacy-preserving primitives remain substantially less practical and powerful in 
terms of functionalities than their siblings based on traditional number theo- 
retic problems [6,18,38,55] for which solutions even exist outside the random 
oracle model [10,20,21,48]. For example, we still have no convenient realization 
of group signature supporting dynamic groups [13,55] or anonymous credentials 
[28,34]. 

In this paper, we address the latter two problems by first proposing a lattice- 
based signature with efficient protocols in the fashion of Camenisch and Lysyan- 
skaya [30]. To ease its use in the design of dynamic group signatures, we introduce 
a zero-knowledge argument system that allows a user to prove knowledge of a 
signature on a public key for which the user knows the underlying secret key. 

Related Work. Anonymous credentials were first suggested by Chaum [34] 
and efficiently realized by Camenisch and Lysyanskaya [28,30]. They involve 
one or more credential issuer (s) and a set of users who have a long-term secret 
key which constitutes their digital identity and pseudonyms that can be seen 
as commitments to their secret key. Users can dynamically obtain credentials 
from an issuer that only knows users’ pseudonyms and obliviously certifies users’ 
secret keys as well as (optionally) a set of attributes. Later on, users can make 
themselves known to verifiers under a different pseudonym and demonstrate 
possession of the issuer’s signature on their secret key without revealing neither 
the signature nor the key. Anonymous credentials typically consist of a protocol 
whereby the user obtains the issuer’s signature on a committed message, another 
protocol for proving that two commitments open to the same value (which allows 
proving that the same secret underlies two distinct pseudonyms) and a protocol 
for proving possession of a secret message-signature pair. 

The first efficient constructions were given by Camenisch and Lysyanskaya 
under the Strong RSA assumption [28,30] or using bilinear groups [31]. Other 
solutions were subsequently given with additional useful properties such as 
non-interactivity [10], delegatability [9] or support for efficient attributes [24] 
(see [27] and references therein). Anonymous credentials with attributes are 
often obtained by having the issuer obliviously sign a multi-block message 
$(\mathbf{m}_1, \ldots, \mathbf{m}_N)$, where one block is the secret key while other blocks contain public 
or private attributes. Note that, for the sake of keeping the scheme compatible 
with zero-knowledge proofs, the blocks $(\mathbf{m}_1, \ldots, \mathbf{m}_N)$ cannot be simply hashed 
before getting signed using an ordinary, single-block signature. 

Group signatures are a central anonymity primitive, introduced by Chaum 
and van Heyst [35] in 1991, which allows members of a group managed by some 
authority to sign messages in the name of the entire group. At the same time, 
users remain accountable for the messages they sign since an opening authority 
can identify them if they misbehave. 

Ateniese, Camenisch, Joye and Tsudik [6] provided the first scalable construc- 
tion meeting the security requirements that can be intuitively expected from the 
primitive, although clean security notions were not available yet at that time. 
Bellare, Micciancio and Warinschi [11] filled this gap by providing suitable secu- 
rity notions for static groups, which were subsequently extended to the dynamic 
setting^1 by Kiayias and Yung [55] and Bellare, Shi and Zhang [13]. In these mod- 
els, efficient schemes have been put forth in the random oracle model [38,55] (the 
ROM) and in the standard model [1,2,48]. 

Lattice-based group signatures were put forth for the first time by Gordon, 
Katz and Vaikuntanathan [46] whose solution had linear-size signatures in the 
number of group members. Camenisch, Neven and Rückert [32] extended [46] so 
as to achieve anonymity in the strongest sense. Laguillaumie et al. [56] decreased 
the signature length to be logarithmic in the number $N_{gs}$ of group members. 
While asymptotically shorter, their signatures remained space-consuming as, 
analogously to the Boyen-Waters group signature [20], their scheme encrypts 
each bit of the signer's identity individually. Simpler and more efficient solutions 
with $O(\log N_{gs})$ signature size were given by Nguyen, Zhang and Zhang [66] and 
Ling, Nguyen and Wang [62]. In particular, the latter scheme [62] achieves signif- 
icantly smaller signatures by encrypting all bits of the signer’s identity at once. 
Benhamouda et al. [14] described a hybrid group signature that simultaneously 
relies on lattice assumptions (in the ring setting) and discrete-logarithm-related 
assumptions. Recently, Libert, Ling, Nguyen and Wang [60] obtained substantial 
efficiency improvements via a construction based on Merkle trees which elimi- 
nates the need for GPV trapdoors [42]. For the time being, all known group 
signatures are designed for static groups and analyzed in the model of Bellare, 


^1 By "dynamic setting", we refer to a scenario where new group members can register 
at any time but, analogously to [13,55], we do not consider the orthogonal problem 
of user revocation here. 
Micciancio and Warinschi [11], where no new group member can be introduced 
after the setup phase. This is somewhat unfortunate given that, in most appli- 
cations of group signatures (e.g., protecting the privacy of commuters in public 
transportation), the dynamicity property is arguably what we need. To date, 
it remains an important open problem to design a lattice-based system that 
supports dynamically growing population of users in the models of [13,55]. 

Our Contributions. Our first result is a lattice-based signature with efficient 
protocols for multi-block messages. Namely, we provide a way for a user to obtain 
a signature on a committed $N$-block message $(\mathbf{m}_1, \ldots, \mathbf{m}_N)$ as well as a protocol 
for proving possession of a valid message-signature pair. The signature and its 
companion protocols can serve as a building block for lattice-based anonymous 
credentials and can potentially find applications in other privacy-preserving pro- 
tocols (e.g., [25]) based on lattice assumptions. 

The main application that we consider in this paper is the design of a lattice- 
based group signature scheme for dynamic groups. We prove the security of our 
system in the random oracle model [12] under the Short Integer Solution (SIS) 
and Learning With Errors (LWE) assumptions. For security parameter $\lambda$ and for 
groups of up to $N_{gs}$ members, the scheme features public key size $\widetilde{O}(\lambda^2) \cdot \log N_{gs}$, 
user's secret key size $\widetilde{O}(\lambda)$, and signature size $\widetilde{O}(\lambda) \cdot \log N_{gs}$. As exhibited in 
Table 1 , our scheme achieves a level of efficiency comparable to recent proposals 
based on standard (i.e., non-ideal) lattices [56,60,62,66] in the static setting [11]. 
In particular, the cost of moving to dynamic groups is quite reasonable: while 
using the scheme from [62] as a building block, our construction only lengthens 
the signature size by a (small) constant factor. 


Table 1. Efficiency comparison among recent lattice-based group signatures for static 
groups and our dynamic scheme. The evaluation is done with respect to 2 governing 
parameters: security parameter $\lambda$ and the maximum expected group size $N_{gs}$. We do 
not include the earlier schemes [32,46] that have signature size $\widetilde{O}(\lambda^2) \cdot N_{gs}$. 

Scheme     | Group PK                                   | User's SK                                | Signature 
-----------|--------------------------------------------|------------------------------------------|------------------------------------------
LLLS [56]  | $\widetilde{O}(\lambda^2) \cdot \log N_{gs}$ | $\widetilde{O}(\lambda^2)$               | $\widetilde{O}(\lambda) \cdot \log N_{gs}$ 
NZZ [66]   | $\widetilde{O}(\lambda^2)$                 | $\widetilde{O}(\lambda^2)$               | $\widetilde{O}(\lambda + \log^2 N_{gs})$ 
LNW [62]   | $\widetilde{O}(\lambda^2) \cdot \log N_{gs}$ | $\widetilde{O}(\lambda)$                 | $\widetilde{O}(\lambda) \cdot \log N_{gs}$ 
LLNW [60]  | $\widetilde{O}(\lambda^2)$                 | $\widetilde{O}(\lambda) \cdot \log N_{gs}$ | $\widetilde{O}(\lambda) \cdot \log N_{gs}$ 
Ours       | $\widetilde{O}(\lambda^2) \cdot \log N_{gs}$ | $\widetilde{O}(\lambda)$                 | $\widetilde{O}(\lambda) \cdot \log N_{gs}$ 


As a stepping stone in the design of our dynamic group signature, we also 
develop a zero-knowledge argument system allowing a group member to prove 
knowledge of a secret key (made of a short Gaussian vector) and a member- 
ship certificate issued by the group manager on the corresponding public key. 
Analogously to structure-preserving signatures [2], our signature scheme and 
zero-knowledge arguments make it possible to sign public keys without hashing 
them while remaining oblivious of the underlying secret key. They thus enable 
a round-optimal dynamic joining protocol - which allows the group manager to 
introduce new group members by issuing a membership certificate on their public 
key - which does not require any proof of knowledge on behalf of the prospec- 
tive user. As a result, the interaction is minimal: only one message is sent in 
each direction between the prospective user and the group manager.^2 Besides 
being the first lattice-based group signature for dynamic groups, our scheme 
thus remains secure in the setting advocated by Kiayias and Yung [54], where 
many users want to join the system at the same time and concurrently interact 
with the group manager. We believe that, analogously to structure-preserving 
signatures [1,2], the combination of our signature scheme and zero-knowledge 
arguments can serve as building blocks for other primitives, including group 
encryption [53] or adaptive oblivious transfer [47]. 

Our Techniques. Our signature scheme with efficient protocols builds on the 
SIS-based signature of Bohl et al. [16], which is itself a variant of Boyen’s signa- 
ture [19]. Recall that the latter scheme involves a public key containing matrices 
$\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell \in \mathbb{Z}_q^{n \times m}$ and signs an $\ell$-bit message $\mathfrak{m} \in \{0,1\}^\ell$ by computing a 
short $\mathbf{v} \in \mathbb{Z}^{2m}$ such that $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^{\ell} \mathfrak{m}[j] \cdot \mathbf{A}_j] \cdot \mathbf{v} = \mathbf{0}^n \bmod q$. The variant 
proposed by Böhl et al. [16] only uses a constant number of matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1 \in 
\mathbb{Z}_q^{n \times m}$. Each signature is associated with a single-use tag $\mathsf{tag}$ (which is only used 
in one signing query in the proof) and the public key involves an extra matrix 
$\mathbf{D} \in \mathbb{Z}_q^{n \times m}$ and a vector $\mathbf{u} \in \mathbb{Z}_q^n$. A message $\mathsf{Msg}$ is signed by first applying 
a chameleon hash function $\mathbf{h} = \mathsf{CMHash}(\mathsf{Msg}, \mathbf{s}) \in \{0,1\}^m$ and signing $\mathbf{h}$ by 
computing a short $\mathbf{v} \in \mathbb{Z}^{2m}$ such that $[\mathbf{A} \mid \mathbf{A}_0 + \mathsf{tag} \cdot \mathbf{A}_1] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$. 

Our scheme extends [16] - modulo the use of a larger number of matrices 
$(\{\mathbf{A}_j\}_{j=0}^{\ell}, \mathbf{D}, \{\mathbf{D}_k\}_{k=0}^{N})$ - so that an $N$-block message $(\mathbf{m}_1, \ldots, \mathbf{m}_N) \in (\{0,1\}^L)^N$, 
for some $L \in \mathbb{N}$, is signed by outputting a tag $\tau \in \{0,1\}^\ell$ and a short $\mathbf{v} \in \mathbb{Z}^{2m}$ 
such that $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^{\ell} \tau[j] \cdot \mathbf{A}_j] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{CMHash}(\mathbf{m}_1, \ldots, \mathbf{m}_N, \mathbf{s})$, where 
the chameleon hash function computes $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k \bmod q$, for 
some short vector $\mathbf{s}$, before re-encoding $\mathbf{c}_M$ so as to enable multiplication by $\mathbf{D}$. 

In order to obtain a signature scheme akin to the one of Camenisch and 
Lysyanskaya [30], our idea is to have the tag $\tau \in \{0,1\}^\ell$ play the same role as the 
prime exponent in Strong-RSA-based schemes [30]. In the security proof of [16], 
we are faced with two situations: either the adversary produces a signature on 
a fresh tag $\tau^*$, or it recycles a tag used by the signing oracle for a new, 
un-signed message $(\mathbf{m}_1^*, \ldots, \mathbf{m}_N^*)$. In the former case, the proof can proceed as 
in Boyen's proof [19]. In the latter case, the reduction must guess upfront which 
tag $\tau^{(i^\dagger)}$ the adversary will choose to re-use and find a way to properly answer 
the $i^\dagger$-th signing query without using the vanished trapdoor (for other queries, 
the Agrawal et al. technique [3] applies to compute a suitable $\mathbf{v}$ using a trapdoor 
hidden in $\{\mathbf{A}_j\}_{j=0}^{\ell}$). Böhl et al. [16] solve this problem by "programming" the 
vector $\mathbf{u} \in \mathbb{Z}_q^n$ in a special way and achieve full security using chameleon hashing. 


^2 Note that each signature still requires the user to prove knowledge of his secret key. 
However, this is not a problem in concurrent settings as the argument of knowledge 
is made non-interactive via the Fiat-Shamir heuristic. 
To adapt this idea in the context of signatures with efficient protocols, we 
have to overcome several difficulties. The first one is to map $\mathbf{c}_M$ back in the 
domain of the chameleon hash function while preserving the compatibility with 
zero-knowledge proofs. To solve this problem, we extend a technique used in [60] 
in order to build a "zero-knowledge-friendly" chameleon hash function. This 
function hashes $\mathsf{Msg} = (\mathbf{m}_1, \ldots, \mathbf{m}_N)$ by outputting the coordinate-wise binary 
decomposition $\mathbf{w}$ of $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k$. If we define the "powers-of-2" matrix 
$\mathbf{H} = \mathbf{I} \otimes [1 \mid 2 \mid \ldots \mid 2^{\lceil \log q \rceil - 1}]$, then we can prove that $\mathbf{w} = \mathsf{CMHash}(\mathbf{m}_1, \ldots, \mathbf{m}_N, \mathbf{s})$ 
by demonstrating the knowledge of short vectors $(\mathbf{m}_1, \ldots, \mathbf{m}_N, \mathbf{s}, \mathbf{w})$ such that 
$\mathbf{H} \cdot \mathbf{w} = \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k \bmod q$, which boils down to arguing knowledge 
of a solution to the ISIS problem [61]. 

The second problem is to prove knowledge of $(\tau, \mathbf{v}, \mathbf{s})$ and $(\mathbf{m}_1, \ldots, \mathbf{m}_N)$ sat- 
isfying $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^{\ell} \tau[j] \cdot \mathbf{A}_j] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{CMHash}(\mathbf{m}_1, \ldots, \mathbf{m}_N, \mathbf{s})$, without 
revealing any of the witnesses. To this end, we provide a framework for proving all 
the involved statements (and many other relations that naturally arise in lattice- 
based cryptography) as special cases. We reduce the statements to asserting that 
a short integer vector $\mathbf{x}$ satisfies an equation of the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$, for 
some public matrix $\mathbf{P}$ and vector $\mathbf{v}$, and belongs to a set VALID of short vectors 
with a particular structure. While the small-norm property of x is provable using 
standard techniques (e.g., [63]), we argue its membership of VALID by leverag- 
ing the properties of Stern-like protocols [52,61,72]. In particular, we rely on the 
fact that their underlying permutations interact well with combinatorial state- 
ments pertaining to x, especially x being a bitstring with a specific pattern. We 
believe our framework to be of independent interest as it provides a blueprint 
for proving many other intricate relations in a modular manner. 

When we extend the scheme with a protocol for signing committed messages, 
we need the signer to re-randomize the user's commitment before signing the hid- 
den messages. This is indeed necessary to provide the reduction with a backdoor 
allowing to correctly answer the $i^\dagger$-th query by "programming" the random- 
ness of the commitment. Since we work with integer vectors, a straightforward 
simulation incurs a non-negligible statistical distance between the simulated dis- 
tribution of re-randomization coins and the real one (which both have a discrete 
Gaussian distribution). Camenisch and Lysyanskaya [30] address a similar prob- 
lem by choosing the signer's randomness to be exponentially larger than that 
of the user's commitment so as to statistically "drown" the aforementioned dis- 
crepancy. Here, the same idea would require to work with an exponentially large 
modulus $q$. Instead, we adopt a more efficient solution, inspired by Bai et al. 
[7], which is to apply an analysis based on the Rényi divergence rather than the 
statistical distance. In short, the Rényi divergence's properties tell us that, if 
some event $E$ occurs with noticeable probability in some probability space $P$, so 
does it in a different probability space $Q$ for which the second order divergence 
$R_2(P \| Q)$ is sufficiently small. In our setting, $R_2(P \| Q)$ is precisely polynomially 
bounded since the two probability spaces only diverge in one signing query. 
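The probability-preservation step this Rényi argument relies on, written out here as an added derivation (it is not part of the paper's text; it uses the standard definition of the order-2 Rényi divergence for distributions $P, Q$ over a countable set with $\mathrm{Supp}(P) \subseteq \mathrm{Supp}(Q)$): 

$$R_2(P \| Q) = \sum_{x} \frac{P(x)^2}{Q(x)}.$$

For any event $E$, the Cauchy-Schwarz inequality gives 

$$P(E) = \sum_{x \in E} \frac{P(x)}{\sqrt{Q(x)}} \sqrt{Q(x)} \le \Big(\sum_{x \in E} \frac{P(x)^2}{Q(x)}\Big)^{1/2} \Big(\sum_{x \in E} Q(x)\Big)^{1/2} \le \sqrt{R_2(P \| Q)} \, \sqrt{Q(E)},$$

hence 

$$Q(E) \ge \frac{P(E)^2}{R_2(P \| Q)}.$$

So an event with noticeable probability $P(E)$ in the simulated space keeps noticeable probability in the real space as soon as $R_2(P \| Q)$ is polynomially bounded, which is exactly the property the preceding paragraph invokes. 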

Our dynamic group signature scheme avoids these difficulties because the 
group manager only signs known messages: instead of signing the user’s secret key 
as in anonymous credentials, it creates a membership certificate by signing the 
user's public key. Our zero-knowledge arguments accommodate the requirements 
of the scheme in the following way. In the joining protocol that dynamically 
introduces new group members, the user $i$ chooses a membership secret consisting 
of a short discrete Gaussian vector $\mathbf{z}_i$. This user generates a public syndrome 
$\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some public matrix $\mathbf{F}$, which constitutes his public key. 
In order to certify $\mathbf{v}_i$, the group manager computes the coordinate-wise binary 
expansion $\mathsf{bin}(\mathbf{v}_i)$ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathbf{v}_i)$ is then signed using our signature 
scheme. Using the resulting signature $(\tau, \mathbf{v}, \mathbf{s})$ as a membership certificate, the 
group member is able to sign a message by proving that: (i) He holds a valid 
signature $(\tau, \mathbf{v}, \mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i)$; (ii) The latter vector 
$\mathsf{bin}(\mathbf{v}_i)$ is the binary expansion of some syndrome of which he knows a GPV 
pre-image $\mathbf{z}_i$. We remark that condition (ii) can be proved by providing evidence 
that we have $\mathbf{v}_i = \mathbf{H} \cdot \mathsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i$ 
and some binary $\mathsf{bin}(\mathbf{v}_i)$, where $\mathbf{H}$ is the "powers-of-2" matrix. Our abstraction 
of Stern-like protocols [52,61,72] allows us to efficiently argue such statements. 
The fact that the underlying chameleon hash function smoothly interacts with 
Stern-like zero-knowledge arguments is the property that maintains the user’s 
capability of efficiently proving knowledge of the underlying secret key. 

Organization. In the forthcoming sections, we first provide some background 
in Sect. 2. Our signature with efficient protocols is presented in Sect. 3, where we 
also give protocols for obtaining a signature on a committed message and proving 
possession of a message-signature pair. Section 4 uses our signature scheme in 
the design of a dynamic group signature. The details of the zero-knowledge 
arguments used in Sect. 3 and Sect. 4 are deferred to Sect. 5, where we present 
them in a unified framework. 

2 Background and Definitions 

In the following, all vectors are denoted in bold lower-case letters, whereas 
bold upper-case letters will be used for matrices. If $\mathbf{b} \in \mathbb{R}^n$, its Euclid- 
ean norm and infinity norm will be denoted by $\|\mathbf{b}\|$ and $\|\mathbf{b}\|_\infty$, respectively. 
The Euclidean norm of matrix $\mathbf{B} \in \mathbb{R}^{m \times n}$ with columns $(\mathbf{b}_i)_{i \le n}$ is denoted 
by $\|\mathbf{B}\| = \max_{i \le n} \|\mathbf{b}_i\|$. If $\mathbf{B}$ is full column-rank, we let $\widetilde{\mathbf{B}}$ denote its Gram- 
Schmidt orthogonalization. 

When $S$ is a finite set, we denote by $U(S)$ the uniform distribution over $S$ 
and by $x \hookleftarrow D$ the action of sampling $x$ according to the distribution $D$. 

2.1 Lattices 

A (full-rank) lattice $L$ is defined as the set of all integer linear combinations of 
some linearly independent basis vectors $(\mathbf{b}_i)_{i \le n}$ belonging to some $\mathbb{R}^n$. We work 
with $q$-ary lattices, for some prime $q$. 
Definition 1. Let $m \ge n \ge 1$, a prime $q \ge 2$, $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{u} \in \mathbb{Z}_q^n$; define 
$\Lambda_q(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \exists \mathbf{s} \in \mathbb{Z}_q^n \text{ s.t. } \mathbf{A}^T \cdot \mathbf{s} = \mathbf{e} \bmod q\}$ as well as 

$\Lambda_q^{\perp}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{0}^n \bmod q\}$, $\Lambda_q^{\mathbf{u}}(\mathbf{A}) := \{\mathbf{e} \in \mathbb{Z}^m \mid \mathbf{A} \cdot \mathbf{e} = \mathbf{u} \bmod q\}$ 

For any $\mathbf{t} \in \Lambda_q^{\mathbf{u}}(\mathbf{A})$, $\Lambda_q^{\mathbf{u}}(\mathbf{A}) = \Lambda_q^{\perp}(\mathbf{A}) + \mathbf{t}$ so that $\Lambda_q^{\mathbf{u}}(\mathbf{A})$ is a shift of $\Lambda_q^{\perp}(\mathbf{A})$. 

For a lattice $L$, a vector $\mathbf{c} \in \mathbb{R}^n$ and a real $\sigma > 0$, define the function 
$\rho_{\sigma,\mathbf{c}}(\mathbf{x}) = \exp(-\pi \|\mathbf{x} - \mathbf{c}\|^2 / \sigma^2)$. The discrete Gaussian distribution of support $L$, 
parameter $\sigma$ and center $\mathbf{c}$ is defined as $D_{L,\sigma,\mathbf{c}}(\mathbf{y}) = \rho_{\sigma,\mathbf{c}}(\mathbf{y}) / \rho_{\sigma,\mathbf{c}}(L)$ for any $\mathbf{y} \in L$. 
We denote by $D_{L,\sigma}(\mathbf{y})$ the distribution centered in $\mathbf{c} = \mathbf{0}$. We will extensively 
use the fact that samples from $D_{L,\sigma}$ are short with overwhelming probability. 

Lemma 1 ([8, Le. 1.5]). For any lattice $L \subseteq \mathbb{R}^n$ and positive real number $\sigma > 0$, 
we have $\Pr_{\mathbf{b} \hookleftarrow D_{L,\sigma}}[\|\mathbf{b}\| \le \sqrt{n}\sigma] \ge 1 -$ 

As shown by Gentry et al. [42], Gaussian distributions with lattice support can 
be sampled efficiently given a sufficiently short basis of the lattice. 

Lemma 2 ([23, Le. 2.3]). There exists a PPT (probabilistic polynomial-time) 
algorithm GPVSample that takes as inputs a basis $\mathbf{B}$ of a lattice $L \subseteq \mathbb{Z}^n$ and a 
rational $\sigma \ge \|\widetilde{\mathbf{B}}\| \cdot \Omega(\sqrt{\log n})$, and outputs vectors $\mathbf{b} \in L$ with distribution $D_{L,\sigma}$. 

Lemma 3 ([4, Th. 3.2]). There exists a PPT algorithm TrapGen that takes 
as inputs $1^n$, $1^m$ and an integer $q \ge 2$ with $m \ge \Omega(n \log q)$, and outputs a 
matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^{\perp}(\mathbf{A})$ such that $\mathbf{A}$ is within statistical 
distance $2^{-\Omega(n)}$ to $U(\mathbb{Z}_q^{n \times m})$, and $\|\widetilde{\mathbf{T}_{\mathbf{A}}}\| \le O(\sqrt{n \log q})$. 

Lemma 3 is often combined with the sampler from Lemma 2. Micciancio and 
Peikert [65] recently proposed a more efficient approach for this combined task, 
which should be preferred in practice but, for the sake of simplicity, we present 
our schemes using TrapGen. 

We also make use of an algorithm that extends a trapdoor for $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ to 
a trapdoor of any $\mathbf{B} \in \mathbb{Z}_q^{n \times m'}$ whose left $n \times m$ submatrix is $\mathbf{A}$. 

Lemma 4 ([33, Le. 3.2]). There exists a PPT algorithm ExtBasis that takes as 
inputs a matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m'}$ whose first $m$ columns span $\mathbb{Z}_q^n$, and a basis $\mathbf{T}_{\mathbf{A}}$ 
of $\Lambda_q^{\perp}(\mathbf{A})$ where $\mathbf{A}$ is the left $n \times m$ submatrix of $\mathbf{B}$, and outputs a basis $\mathbf{T}_{\mathbf{B}}$ 
of $\Lambda_q^{\perp}(\mathbf{B})$ with $\|\widetilde{\mathbf{T}_{\mathbf{B}}}\| \le \|\widetilde{\mathbf{T}_{\mathbf{A}}}\|$. 

In our security proofs, analogously to [16,19] we also use a technique due to 
Agrawal, Boneh and Boyen [3] that implements an all-but-one trapdoor mecha- 
nism (akin to the one of Boneh and Boyen [17]) in the lattice setting. 

Lemma 5 ([3, Th. 19]). There exists a PPT algorithm SampleRight that takes 
as inputs matrices $\mathbf{A}, \mathbf{C} \in \mathbb{Z}_q^{n \times m}$; a low-norm matrix $\mathbf{R} \in \mathbb{Z}^{m \times m}$; a short basis 
$\mathbf{T}_{\mathbf{C}} \in \mathbb{Z}^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$; a vector $\mathbf{u} \in \mathbb{Z}_q^n$ and a rational $\sigma$ such that $\sigma \ge \|\widetilde{\mathbf{T}_{\mathbf{C}}}\| \cdot 
\Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \mathbb{Z}^{2m}$ such that $[\mathbf{A} \mid \mathbf{A} \cdot \mathbf{R} + \mathbf{C}] \cdot \mathbf{b} = 
\mathbf{u} \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the 
shifted lattice $\Lambda_q^{\mathbf{u}}([\mathbf{A} \mid \mathbf{A} \cdot \mathbf{R} + \mathbf{C}])$. 
2.2 Computational Problems 

The security of our schemes provably relies (in the ROM) on the assumption that 
both algorithmic problems below are hard, i.e., cannot be solved in polynomial 
time with non-negligible probability and non-negligible advantage, respectively. 


Definition 2. Let $m, q, \beta$ be functions of $n \in \mathbb{N}$. The Short Integer Solution 
problem $\mathsf{SIS}_{n,m,q,\beta}$ is, given $\mathbf{A} \hookleftarrow U(\mathbb{Z}_q^{n \times m})$, find $\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with $0 < \|\mathbf{x}\| \le \beta$. 

If $q \ge \sqrt{n}\beta$ and $m, \beta \le \mathrm{poly}(n)$, then $\mathsf{SIS}_{n,m,q,\beta}$ is at least as hard as the standard 
worst-case lattice problem $\mathsf{SIVP}_\gamma$ with $\gamma = \widetilde{O}(\beta\sqrt{n})$ (see, e.g., [42, Se. 9]). 

Definition 3. Let $n, m \ge 1$, $q \ge 2$, and let $\chi$ be a probability distribution on $\mathbb{Z}$. 
For $\mathbf{s} \in \mathbb{Z}_q^n$, let $A_{\mathbf{s},\chi}$ be the distribution obtained by sampling $\mathbf{a} \hookleftarrow U(\mathbb{Z}_q^n)$ and 
$e \hookleftarrow \chi$, and outputting $(\mathbf{a}, \mathbf{a}^T \cdot \mathbf{s} + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. The Learning With Errors 
problem $\mathsf{LWE}_{n,q,\chi}$ asks to distinguish $m$ samples chosen according to $A_{\mathbf{s},\chi}$ (for 
$\mathbf{s} \hookleftarrow U(\mathbb{Z}_q^n)$) and $m$ samples chosen according to $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$. 

If $q$ is a prime power, $B \ge \sqrt{n}\,\omega(\log n)$, $\gamma = \widetilde{O}(nq/B)$, then there exists 
an efficiently sampleable $B$-bounded distribution $\chi$ (i.e., $\chi$ outputs samples with 
norm at most $B$ with overwhelming probability) such that $\mathsf{LWE}_{n,q,\chi}$ is at least 
as hard as $\mathsf{SIVP}_\gamma$ (see, e.g., [23,68,69]). 

3 A Lattice-Based Signature with Efficient Protocols 

Our scheme can be seen as a variant of the Böhl et al. signature [16], where 
each signature is a triple $(\tau, \mathbf{v}, \mathbf{s})$, made of a tag $\tau \in \{0,1\}^\ell$ and integer vec- 
tors $(\mathbf{v}, \mathbf{s})$ satisfying $[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^{\ell} \tau[j] \cdot \mathbf{A}_j] \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$, where 
matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell, \mathbf{D} \in \mathbb{Z}_q^{n \times m}$ are public random matrices and $\mathbf{h} \in \{0,1\}^m$ 
is a chameleon hash of the message which is computed using randomness $\mathbf{s}$. A 
difference is that, while [16] uses a short single-use tag $\tau \in \mathbb{Z}_q$, we need the tag 
to be an $\ell$-bit string $\tau \in \{0,1\}^\ell$ which will assume the same role as the prime 
exponent of Camenisch-Lysyanskaya signatures [30] in the security proof. 

We show that a suitable chameleon hash function makes the scheme compat- 
ible with Stern-like zero-knowledge arguments [61,62] for arguing possession of a 
valid message-signature pair. Section 5 shows how to translate such a statement 
into asserting that a short witness vector x with a particular structure satisfies 
a relation of the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$, for some public matrix $\mathbf{P}$ and vector $\mathbf{v}$. 
The underlying chameleon hash can be seen as a composition of the chameleon 
hash of [33, Section 4.1] with a technique used in [60,67]: on input of a message 
$(\mathbf{m}_1, \ldots, \mathbf{m}_N)$, it outputs the binary decomposition of $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k$, for 
some discrete Gaussian vector $\mathbf{s}$. 
3.1 Description 

We assume that messages are vectors of $N$ blocks $\mathsf{Msg} = (\mathbf{m}_1, \ldots, \mathbf{m}_N)$, 
where each block is a $2m$-bit string $\mathbf{m}_k = \mathbf{m}_k[1] \ldots \mathbf{m}_k[2m] \in \{0,1\}^{2m}$ for 

For each vector $\mathbf{v} \in \mathbb{Z}_q^L$, we denote by $\mathsf{bin}(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector 
obtained by replacing each coordinate of $\mathbf{v}$ by its binary representation. 

Keygen$(1^\lambda, 1^N)$: Given a security parameter $\lambda > 0$ and the number of blocks 
$N = \mathrm{poly}(\lambda)$, choose the following parameters: $n = O(\lambda)$; a prime modu- 
lus $q = \widetilde{O}(N \cdot n^4)$; dimension $m = 2n\lceil \log q \rceil$; an integer $\ell = O(\lambda)$; and 
Gaussian parameters $\sigma = \Omega(\sqrt{n \log q} \log n)$, $\sigma_0 = 2\sqrt{2}(N + 1)\sigma m^{3/2}$, and 
$\sigma_1 = \sqrt{\sigma_0^2 + \sigma^2}$. Define the message space as $(\{0,1\}^{2m})^N$. 

1. Run TrapGen$(1^n, 1^m, q)$ to get $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^{\perp}(\mathbf{A})$. 
This basis allows computing short vectors in $\Lambda_q^{\perp}(\mathbf{A})$ with a Gaussian 
parameter $\sigma$. Next, choose $\ell + 1$ random $\mathbf{A}_0, \mathbf{A}_1, \ldots, \mathbf{A}_\ell \hookleftarrow U(\mathbb{Z}_q^{n \times m})$. 

2. Choose random matrices $\mathbf{D} \hookleftarrow U(\mathbb{Z}_q^{n \times m})$, $\mathbf{D}_0, \mathbf{D}_1, \ldots, \mathbf{D}_N \hookleftarrow U(\mathbb{Z}_q^{2n \times 2m})$ 
as well as a random vector $\mathbf{u} \hookleftarrow U(\mathbb{Z}_q^n)$. 

The private key consists of $SK := \mathbf{T}_{\mathbf{A}} \in \mathbb{Z}^{m \times m}$ and the public key is 
$PK := (\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^{\ell}, \{\mathbf{D}_k\}_{k=0}^{N}, \mathbf{D}, \mathbf{u})$. 

Sign$(SK, \mathsf{Msg})$: To sign an $N$-block message $\mathsf{Msg} = (\mathbf{m}_1, \ldots, \mathbf{m}_N) \in (\{0,1\}^{2m})^N$, 

1. Choose a random string $\tau \hookleftarrow U(\{0,1\}^\ell)$. Then, using $SK := \mathbf{T}_{\mathbf{A}}$, com- 
pute with ExtBasis a short delegated basis $\mathbf{T}_\tau \in \mathbb{Z}^{2m \times 2m}$ for the matrix 

$$\mathbf{A}_\tau = [\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^{\ell} \tau[j] \mathbf{A}_j] \in \mathbb{Z}_q^{n \times 2m}. \qquad (1)$$

2. Sample a vector $\mathbf{s} \hookleftarrow D_{\mathbb{Z}^{2m},\sigma_1}$. Compute $\mathbf{c}_M \in \mathbb{Z}_q^{2n}$ as a chameleon hash 
of $(\mathbf{m}_1, \ldots, \mathbf{m}_N)$: i.e., compute $\mathbf{c}_M = \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k \bmod q$, which 
is used to define $\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \mathsf{bin}(\mathbf{c}_M) \in \mathbb{Z}_q^n$. Then, using the delegated 
basis $\mathbf{T}_\tau \in \mathbb{Z}^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \mathbb{Z}^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau),\sigma}$. 
Output the signature $sig = (\tau, \mathbf{v}, \mathbf{s}) \in \{0,1\}^\ell \times \mathbb{Z}^{2m} \times \mathbb{Z}^{2m}$. 

Verify$(PK, \mathsf{Msg}, sig)$: Given $PK$, $\mathsf{Msg} = (\mathbf{m}_1, \ldots, \mathbf{m}_N) \in (\{0,1\}^{2m})^N$ and $sig = 
(\tau, \mathbf{v}, \mathbf{s}) \in \{0,1\}^\ell \times \mathbb{Z}^{2m} \times \mathbb{Z}^{2m}$, return 1 if $\|\mathbf{v}\| < \sigma\sqrt{2m}$, $\|\mathbf{s}\| < \sigma_1\sqrt{2m}$ and 

$$\mathbf{A}_\tau \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{bin}\Big(\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k\Big) \bmod q. \qquad (2)$$
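The algebra behind the chameleon hash of the introduction (the relation $\mathbf{H} \cdot \mathsf{bin}(\mathbf{c}_M) = \mathbf{c}_M \bmod q$) and the Verify algorithm of Sect. 3.1, as an added Python example that is not code from the paper or its authors. Everything in it is a toy: the modulus $q = 17$, $n = 2$, $\ell = 3$ and $N = 2$ are assumptions chosen only to exercise the arithmetic and give no security, and since honest signing needs the delegated trapdoor basis $\mathbf{T}_\tau$ (TrapGen, ExtBasis and Gaussian sampling are not implemented here), the helper `demo_instance` programs $\mathbf{u}$ so that a chosen short $\mathbf{v}$ verifies, the same shortcut the security proof uses for one query. All function names are the example's own.

```python
# Added example (not from the paper): toy arithmetic behind bin(), the
# powers-of-2 matrix H, the chameleon hash CMHash and the Verify algorithm.
# All parameters below are assumptions chosen to be tiny; they are insecure.
import math
import random

Q = 17                                   # toy prime modulus (assumption)
N_ROWS = 2                               # toy n (assumption)
K = math.ceil(math.log2(Q))              # bits per coordinate: ceil(log q)
M_COLS = 2 * N_ROWS * K                  # m = 2n * ceil(log q), as in Keygen
ELL = 3                                  # toy tag length l (assumption)
N_BLOCKS = 2                             # number of message blocks N (assumption)


def matvec(mat, x):
    """mat * x mod q for a list-of-rows matrix and an integer vector."""
    return [sum(a * b for a, b in zip(row, x)) % Q for row in mat]


def vec_add(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]


def rand_matrix(rows, cols, rng):
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def bin_vec(v):
    """bin(v): each coordinate in [0, q) becomes its K-bit (little-endian) expansion."""
    out = []
    for c in v:
        out.extend((c >> i) & 1 for i in range(K))
    return out


def powers_of_two_apply(w):
    """H * w mod q with H = I (x) [1 | 2 | ... | 2^(K-1)], without materialising H."""
    return [sum(w[i * K + j] << j for j in range(K)) % Q for i in range(len(w) // K)]


def cm_pre_hash(Ds, s, blocks):
    """c_M = D_0 * s + sum_k D_k * m_k mod q (the value before binary decomposition)."""
    c = matvec(Ds[0], s)
    for Dk, mk in zip(Ds[1:], blocks):
        c = vec_add(c, matvec(Dk, mk))
    return c


def cm_hash(Ds, s, blocks):
    """CMHash(m_1, ..., m_N, s) = bin(c_M); note that H * bin(c_M) = c_M mod q."""
    return bin_vec(cm_pre_hash(Ds, s, blocks))


def a_tau(A, As, tau):
    """A_tau = [A | A_0 + sum_j tau[j] * A_j], eq. (1), as an n x 2m matrix."""
    right = [row[:] for row in As[0]]
    for j, bit in enumerate(tau):
        if bit:
            right = [vec_add(r, a) for r, a in zip(right, As[j + 1])]
    return [ra + rr for ra, rr in zip(A, right)]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def verify(pk, blocks, sig, sigma, sigma1):
    """Verify of Sect. 3.1: norm bounds, then A_tau * v = u + D * bin(c_M) mod q, eq. (2)."""
    A, As, Ds, D, u = pk
    tau, v, s = sig
    bound = math.sqrt(2 * M_COLS)
    if norm(v) >= sigma * bound or norm(s) >= sigma1 * bound:
        return False
    lhs = matvec(a_tau(A, As, tau), v)
    rhs = vec_add(u, matvec(D, cm_hash(Ds, s, blocks)))
    return lhs == rhs


def demo_instance(seed=1):
    """Build a toy key and a verifying (tau, v, s) WITHOUT a trapdoor: u is
    programmed as A_tau*v - D*bin(c_M), the shortcut the proof uses for one
    query. This is a harness assumption, not the scheme's Keygen/Sign."""
    rng = random.Random(seed)
    n, m = N_ROWS, M_COLS
    A = rand_matrix(n, m, rng)
    As = [rand_matrix(n, m, rng) for _ in range(ELL + 1)]
    Ds = [rand_matrix(2 * n, 2 * m, rng) for _ in range(N_BLOCKS + 1)]
    D = rand_matrix(n, m, rng)
    blocks = [[rng.randrange(2) for _ in range(2 * m)] for _ in range(N_BLOCKS)]
    tau = [rng.randrange(2) for _ in range(ELL)]
    v = [rng.choice((-1, 0, 1)) for _ in range(2 * m)]   # stands in for a short Gaussian sample
    s = [rng.choice((-1, 0, 1)) for _ in range(2 * m)]
    target = matvec(a_tau(A, As, tau), v)
    u = [(a - b) % Q for a, b in zip(target, matvec(D, cm_hash(Ds, s, blocks)))]
    return (A, As, Ds, D, u), blocks, (tau, v, s)


if __name__ == "__main__":
    pk, blocks, sig = demo_instance()
    print("verifies:", verify(pk, blocks, sig, 2.0, 2.0))
    c = cm_pre_hash(pk[2], sig[2], blocks)
    print("H*bin(c_M) == c_M:", powers_of_two_apply(bin_vec(c)) == c)
```

The norm bounds in `verify` are the ones of the Verify algorithm, $\|\mathbf{v}\| < \sigma\sqrt{2m}$ and $\|\mathbf{s}\| < \sigma_1\sqrt{2m}$; with the toy $\{-1,0,1\}$ vectors, $\sigma = \sigma_1 = 2$ is loose enough to accept them and still reject an over-long $\mathbf{v}$. Changing $\mathbf{u}$ by a single unit makes eq. (2) fail deterministically, which is the check the tests rely on rather than on a random message tamper.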

When the scheme is used for obliviously signing committed messages, the security 
proof follows Bai et al. [7] in that it applies an argument based on the Rényi 
divergence in one signing query. This argument requires to sample $\mathbf{s}$ from a 
Gaussian distribution whose standard deviation $\sigma_1$ is polynomially larger than $\sigma$. 

We note that, instead of being included in the public key, the matrices 
$\{\mathbf{D}_k\}_{k=0}^{N}$ can be part of public parameters shared by many signers. Indeed, only 
the matrices $(\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^{\ell})$ should be specific to the user who holds $SK = \mathbf{T}_{\mathbf{A}}$. 
In Sect. 3.3, we use a variant where $\{\mathbf{D}_k\}_{k=0}^{N}$ belong to public parameters. 
3.2 Security Analysis 

The security analysis in Theorem 1 requires that $q > \ell$. 

Theorem 1. The signature scheme is secure under chosen-message attacks 
under the SIS assumption. 

Proof (Sketched). To prove the result, we will distinguish three kinds of attacks: 

Type I attacks are attacks where, in the adversary's forgery $sig^* = (\tau^*, \mathbf{v}^*, 
\mathbf{s}^*)$, $\tau^*$ did not appear in any output of the signing oracle. 

Type II attacks are such that, in the adversary's forgery $sig^* = (\tau^*, \mathbf{v}^*, \mathbf{s}^*)$, $\tau^*$ 
is recycled from an output $sig^{(i^*)} = (\tau^{(i^*)}, \mathbf{v}^{(i^*)}, \mathbf{s}^{(i^*)})$ of the signing oracle, for 
some index $i^* \in \{1, \ldots, Q\}$. However, if $\mathsf{Msg}^* = (\mathbf{m}_1^*, \ldots, \mathbf{m}_N^*)$ and $\mathsf{Msg}^{(i^*)} = 
(\mathbf{m}_1^{(i^*)}, \ldots, \mathbf{m}_N^{(i^*)})$ denote the forgery message and the $i^*$-th signing query, 
respectively, we have $\mathbf{D}_0 \cdot \mathbf{s}^* + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k^* \neq \mathbf{D}_0 \cdot \mathbf{s}^{(i^*)} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k^{(i^*)}$. 

Type III attacks are those where the adversary's forgery $sig^* = (\tau^*, \mathbf{v}^*, \mathbf{s}^*)$ 
recycles $\tau^*$ from an output $sig^{(i^*)} = (\tau^{(i^*)}, \mathbf{v}^{(i^*)}, \mathbf{s}^{(i^*)})$ of the signing oracle 
(i.e., $\tau^{(i^*)} = \tau^*$ for some index $i^* \in \{1, \ldots, Q\}$) and we have the collision 

$$\mathbf{D}_0 \cdot \mathbf{s}^* + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k^* = \mathbf{D}_0 \cdot \mathbf{s}^{(i^*)} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k^{(i^*)} \bmod q. \qquad (3)$$

Type III attacks imply a collision for the chameleon hash function of Kawachi 
et al. [52]: if (3) holds, a short vector of $\Lambda_q^{\perp}([\mathbf{D}_0 \mid \mathbf{D}_1 \mid \ldots \mid \mathbf{D}_N])$ is obtained as 
so that a collision breaks the SIS assumption. 

The security against Type I attacks is proved by Lemma 6 which applies the 
same technique as in [19,65]. In particular, the prefix guessing technique of [50] 
allows keeping the modulus smaller than the number Q of adversarial queries 
as in [65]. In order to deal with Type II attacks, we can leverage the technique 
of [16]. In Lemma 7, we prove that Type II attack would also contradict SIS. □ 

The following lemmas are proved in the full version of the paper [59]. 

Lemma 6. The scheme is secure against Type I attacks if the $\mathsf{SIS}_{n,m,q,\beta'}$ 
assumption holds for $\beta' = m^{3/2}\sigma^2(\ell + 3) +$ 

Lemma 7. The scheme is secure against Type II attacks under the $\mathsf{SIS}_{n,m,q,\beta''}$ 
assumption for $\beta'' = (\ell + 2)\sigma^2 m^{3/2} + m^{1/2}$. 

3.3 Protocols for Signing a Committed Value and Proving 
Possession of a Signature 

We first show a two-party protocol whereby a user can interact with the signer 
in order to obtain a signature on a committed message. 

In order to prove that the scheme still guarantees unforgeability for oblivi- 
ously signed messages, we will assume that each message block $\mathbf{m}_k \in \{0,1\}^{2m}$ 
is obtained by encoding the actual message $M_k = M_k[1] \ldots M_k[m] \in \{0,1\}^m$ as 
$\mathbf{m}_k = \mathsf{Encode}(M_k) = (\bar{M_k}[1], M_k[1], \ldots, \bar{M_k}[m], M_k[m])$. Namely, each 0 (resp. 
each 1) is encoded as a pair $(1, 0)$ (resp. $(0, 1)$). The reason for this encoding is 
that the proof of Theorem 2 requires that at least one block of the forgery 
message is 1 while the same bit is 0 at some specific signing query. We will show 
(see Sect. 5) that the correctness of this encoding can be efficiently proved using 
Stern-like [72] protocols. 

To sign committed messages, a first idea is to exploit the fact that our signa- 
ture of Sect. 3.1 blends well with the SIS-based commitment scheme suggested 
by Kawachi et al. [52]. In the latter scheme, the commitment key consists of 
matrices $(\mathbf{D}_0, \mathbf{D}_1) \in \mathbb{Z}_q^{2n \times 2m} \times \mathbb{Z}_q^{2n \times 2m}$, so that message $\mathbf{m} \in \{0,1\}^{2m}$ can 
be committed to by sampling a Gaussian vector $\mathbf{s} \hookleftarrow D_{\mathbb{Z}^{2m},\sigma}$ and computing 
$\mathbf{c} = \mathbf{D}_0 \cdot \mathbf{s} + \mathbf{D}_1 \cdot \mathbf{m} \in \mathbb{Z}_q^{2n}$. This scheme extends to commit to multiple messages 
$(\mathbf{m}_1, \ldots, \mathbf{m}_N)$ at once by computing $\mathbf{c} = \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^{N} \mathbf{D}_k \cdot \mathbf{m}_k \in \mathbb{Z}_q^{2n}$ using 
a longer commitment key $(\mathbf{D}_0, \mathbf{D}_1, \ldots, \mathbf{D}_N) \in (\mathbb{Z}_q^{2n \times 2m})^{N+1}$. It is easy to see 
that the resulting commitment remains statistically hiding and computationally 
binding under the SIS assumption. 

In order to make our construction usable in the definitional framework of Camenisch et al. [27], we assume common public parameters (i.e., a common reference string) and encrypt all witnesses of which knowledge is being proved under a public key included in the common reference string. The resulting ciphertexts thus serve as statistically binding commitments to the witnesses. To enable this, the common public parameters comprise public keys $\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$, $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$ for multi-bit variants of the dual Regev cryptosystem [42], and all parties are denied access to the underlying private keys. The flexibility of Stern-like protocols allows us to prove that the content of a perfectly hiding commitment $\mathbf{c}_{\mathbf{m}}$ is consistent with encrypted values.

Global-Setup: Let $B = \sqrt{n}\,\omega(\log n)$ and let $\chi$ be a $B$-bounded distribution. Let $p = \sigma \cdot \omega(\sqrt{m})$ upper-bound entries of vectors sampled from the distribution $D_{\mathbb{Z}^{2m},\sigma}$. Generate two public keys for the dual Regev encryption scheme in its multi-bit variant. These keys consist of a public random matrix $\mathbf{B} \leftarrow U(\mathbb{Z}_q^{n \times m})$ and random matrices $\mathbf{G}_0 = \mathbf{B} \cdot \mathbf{E}_0 \in \mathbb{Z}_q^{n \times \ell}$, $\mathbf{G}_1 = \mathbf{B} \cdot \mathbf{E}_1 \in \mathbb{Z}_q^{n \times 2m}$, where $\mathbf{E}_0 \in \mathbb{Z}^{m \times \ell}$ and $\mathbf{E}_1 \in \mathbb{Z}^{m \times 2m}$ are short Gaussian matrices with columns sampled from $D_{\mathbb{Z}^m,\sigma}$. These matrices will be used to encrypt integer vectors of dimension $\ell$ and $2m$, respectively. Finally, generate public parameters $CK := \{\mathbf{D}_k\}_{k=0}^N$ consisting of uniformly random matrices $\mathbf{D}_k \leftarrow U(\mathbb{Z}_q^{2n \times 2m})$ for a statistically hiding commitment to vectors in $(\{0,1\}^{2m})^N$. Return public parameters consisting of

$$par := \{\mathbf{B} \in \mathbb{Z}_q^{n \times m},\ \mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell},\ \mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m},\ CK\}.$$

Issue/Obtain: The signer $S$, who has $PK := \{\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D}, \mathbf{u}\}$ and $SK := \mathbf{T}_{\mathbf{A}}$, interacts with the user $U$, who has $(\mathbf{m}_1, \dots, \mathbf{m}_N)$, as follows.

1. $U$ samples $\mathbf{s}' \leftarrow D_{\mathbb{Z}^{2m},\sigma}$ and computes $\mathbf{c}_{\mathbf{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k \in \mathbb{Z}_q^{2n}$, which is sent to $S$ as a commitment to $(\mathbf{m}_1, \dots, \mathbf{m}_N)$. Next, $U$ encrypts
Signature Schemes with Efficient Protocols and Dynamic Group Signatures 385 


$\{\mathbf{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ under the key $(\mathbf{B}, \mathbf{G}_1)$ by computing, for all $k \in [1, N]$:

$$\mathbf{c}_k = (\mathbf{c}_{k,1}, \mathbf{c}_{k,2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_k + \mathbf{e}_{k,1},\ \mathbf{G}_1^T \cdot \mathbf{s}_k + \mathbf{e}_{k,2} + \mathbf{m}_k \cdot \lfloor q/2 \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m} \qquad (4)$$

for randomly chosen $\mathbf{s}_k \leftarrow \chi^n$, $\mathbf{e}_{k,1} \leftarrow \chi^m$, $\mathbf{e}_{k,2} \leftarrow \chi^{2m}$, and

$$\mathbf{c}_{\mathbf{s}'} = (\mathbf{c}_{\mathbf{s}',1}, \mathbf{c}_{\mathbf{s}',2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,1},\ \mathbf{G}_1^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \mathbf{s}' \cdot \lfloor q/p \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m} \qquad (5)$$

where $\mathbf{s}_0 \leftarrow \chi^n$, $\mathbf{e}_{0,1} \leftarrow \chi^m$, $\mathbf{e}_{0,2} \leftarrow \chi^{2m}$. The ciphertexts $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{\mathbf{s}'}$ are sent to $S$ along with $\mathbf{c}_{\mathbf{m}}$.

Then, $U$ generates an interactive zero-knowledge argument to convince $S$ that $\mathbf{c}_{\mathbf{m}}$ is a commitment to $(\mathbf{m}_1, \dots, \mathbf{m}_N)$ with the randomness $\mathbf{s}'$, such that $\{\mathbf{m}_k\}_{k=1}^N$ and $\mathbf{s}'$ were honestly encrypted to $\{\mathbf{c}_k\}_{k=1}^N$ and $\mathbf{c}_{\mathbf{s}'}$ as in (4) and (5). For convenience, this argument system will be described in Sect. 5.3, where we demonstrate that, together with other zero-knowledge protocols used in this work, it can be derived from a Stern-like [72] protocol constructed in Sect. 5.1.

2. If the argument of step 1 properly verifies, $S$ samples $\mathbf{s}'' \leftarrow D_{\mathbb{Z}^{2m},\sigma_0}$ and computes a vector $\mathbf{u}_{\mathbf{m}} = \mathbf{u} + \mathbf{D} \cdot \mathsf{bin}(\mathbf{c}_{\mathbf{m}} + \mathbf{D}_0 \cdot \mathbf{s}'') \in \mathbb{Z}_q^n$. Next, $S$ randomly picks $\tau \leftarrow \{0,1\}^\ell$ and uses $\mathbf{T}_{\mathbf{A}}$ to compute a delegated basis $\mathbf{T}_\tau \in \mathbb{Z}^{2m \times 2m}$ for the matrix $\mathbf{A}_\tau \in \mathbb{Z}_q^{n \times 2m}$ of (1). Using $\mathbf{T}_\tau \in \mathbb{Z}^{2m \times 2m}$, $S$ samples a short vector $\mathbf{v} \in \mathbb{Z}^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_{\mathbf{m}}}(\mathbf{A}_\tau),\sigma}$. It returns the vector $(\tau, \mathbf{v}, \mathbf{s}'') \in \{0,1\}^\ell \times \mathbb{Z}^{2m} \times \mathbb{Z}^{2m}$ to $U$.

3. $U$ computes $\mathbf{s} = \mathbf{s}' + \mathbf{s}''$ over $\mathbb{Z}$ and verifies that

$$\mathbf{A}_\tau \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathsf{bin}\Big(\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k\Big) \bmod q.$$

If so, it outputs $(\tau, \mathbf{v}, \mathbf{s})$. Otherwise, it outputs $\perp$.

Note that, if both parties faithfully run the protocol, the user obtains a valid signature $(\tau, \mathbf{v}, \mathbf{s})$ for which the distribution of $\mathbf{s}$ is $D_{\mathbb{Z}^{2m},\sigma_1}$, where $\sigma_1 = \sqrt{\sigma^2 + \sigma_0^2}$.

The following protocol allows proving possession of a message-signature pair. 

Prove: On input of a signature $(\tau, \mathbf{v} = (\mathbf{v}_1^T \mid \mathbf{v}_2^T)^T, \mathbf{s}) \in \{0,1\}^\ell \times \mathbb{Z}^{2m} \times \mathbb{Z}^{2m}$ on the message $(\mathbf{m}_1, \dots, \mathbf{m}_N)$, the user does the following.

1. Using $(\mathbf{B}, \mathbf{G}_0)$ and $(\mathbf{B}, \mathbf{G}_1)$, generate perfectly binding commitments to $\tau \in \{0,1\}^\ell$, $\{\mathbf{m}_k\}_{k=1}^N$, $\mathbf{v}_1, \mathbf{v}_2 \in \mathbb{Z}^m$ and $\mathbf{s} \in \mathbb{Z}^{2m}$. Namely, compute

$$\mathbf{c}_\tau = (\mathbf{c}_{\tau,1}, \mathbf{c}_{\tau,2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1},\ \mathbf{G}_0^T \cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \tau \cdot \lfloor q/2 \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^\ell,$$

$$\mathbf{c}_k = (\mathbf{c}_{k,1}, \mathbf{c}_{k,2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_k + \mathbf{e}_{k,1},\ \mathbf{G}_1^T \cdot \mathbf{s}_k + \mathbf{e}_{k,2} + \mathbf{m}_k \cdot \lfloor q/2 \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m} \quad \forall k \in [1,N],$$

where $\mathbf{s}_\tau, \mathbf{s}_k \leftarrow \chi^n$, $\mathbf{e}_{\tau,1}, \mathbf{e}_{k,1} \leftarrow \chi^m$, $\mathbf{e}_{\tau,2} \leftarrow \chi^\ell$, $\mathbf{e}_{k,2} \leftarrow \chi^{2m}$, as well as

$$\mathbf{c}_{\mathbf{v}} = (\mathbf{c}_{\mathbf{v},1}, \mathbf{c}_{\mathbf{v},2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1},\ \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \mathbf{v} \cdot \lfloor q/p \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m},$$

$$\mathbf{c}_{\mathbf{s}} = (\mathbf{c}_{\mathbf{s},1}, \mathbf{c}_{\mathbf{s},2}) = \big(\mathbf{B}^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,1},\ \mathbf{G}_1^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \mathbf{s} \cdot \lfloor q/p \rfloor\big) \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m},$$

where $\mathbf{s}_{\mathbf{v}}, \mathbf{s}_0 \leftarrow \chi^n$, $\mathbf{e}_{\mathbf{v},1}, \mathbf{e}_{0,1} \leftarrow \chi^m$, $\mathbf{e}_{\mathbf{v},2}, \mathbf{e}_{0,2} \leftarrow \chi^{2m}$.

2. Prove in zero-knowledge that $\mathbf{c}_\tau, \mathbf{c}_{\mathbf{s}}, \mathbf{c}_{\mathbf{v}}, \{\mathbf{c}_k\}_{k=1}^N$ encrypt a valid message-signature pair. In Sect. 5.4, we show that this involved zero-knowledge protocol can be derived from the statistical zero-knowledge argument of knowledge for a simpler, but more general relation that we explicitly present in Sect. 5.1. The proof system can be made statistically ZK for a malicious verifier using standard techniques (assuming a common reference string, we can use [36]). In the random oracle model, it can be made non-interactive using the Fiat-Shamir heuristic [40].

We require that the adversary be unable to prove possession of a signature of a message $(\mathbf{m}_1, \dots, \mathbf{m}_N)$ for which it did not legally obtain a credential by interacting with the issuer. Note that the messages that are blindly signed by the issuer are uniquely defined since, at each signing query, the adversary is required to supply perfectly binding commitments $\{\mathbf{c}_k\}_{k=1}^N$ to $(\mathbf{m}_1, \dots, \mathbf{m}_N)$. In instantiations using non-interactive proofs, we assume that these can be bound to a verifier-chosen nonce to prevent replay attacks, as suggested in [27].

The security proof (in Theorem 2) makes crucial use of the Rényi divergence using arguments in the spirit of Bai et al. [7]. The reduction has to guess upfront the index $i^\star \in \{1, \dots, Q\}$ of the specific signing query whose tag $\tau$ the adversary will re-use. For this query, the reduction will have to make sure that the simulation trapdoor of Agrawal et al. [3] (used by the SampleRight algorithm of Lemma 5) vanishes: otherwise, the adversary's forgery would not be usable for solving SIS. This means that, as in the proof of [16], the reduction must answer exactly one signing query in a different way, without using the trapdoor. While Böhl et al. solve this problem by exploiting the fact that they only need to prove security against non-adaptive forgers, we directly use a built-in chameleon hash function mechanism which is implicitly realized by the matrix $\mathbf{D}_0$ and the vector $\mathbf{s}$. Namely, in the signing query for which the Agrawal et al. trapdoor [3] cancels, we assign a special value to the vector $\mathbf{s} \in \mathbb{Z}^{2m}$, which depends on the adaptively-chosen signed message $(\mathsf{Msg}_1^{(i^\star)}, \dots, \mathsf{Msg}_N^{(i^\star)})$ and some Gaussian matrices hidden behind $\{\mathbf{D}_k\}_{k=1}^N$.

One issue is that this results in a different distribution for the vector $\mathbf{s} \in \mathbb{Z}^{2m}$. However, we can still view $\mathbf{s}$ as a vector sampled from a Gaussian distribution centered away from $\mathbf{0}^{2m}$. Since this specific situation occurs only once during the simulation, we can apply a result proved in [58] which upper-bounds the Rényi divergence between two Gaussian distributions with identical standard deviations but different centers. By choosing the standard deviation of $\mathbf{s} \in \mathbb{Z}^{2m}$ to be polynomially larger than that of the columns of the matrices $\{\mathbf{R}_k\}_{k=1}^N$, we




can keep the Rényi divergence between the two distributions of $\mathbf{s}$ (i.e., the one of the simulation and the one of the real game) sufficiently small to apply the probability preservation property (which still gives a polynomial reduction since the argument must only be applied on one signing query). Namely, the latter implies that, if the Rényi divergence $R_2(\mathbf{s}^{real} \,\|\, \mathbf{s}^{sim})$ is polynomial, the probability that the simulated vector $\mathbf{s}^{sim} \in \mathbb{Z}^{2m}$ passes the verification test will only be polynomially smaller than in the real game, and so will be the adversary's probability of success.

Another option would have been to keep the statistical distance between $\mathbf{s}^{real}$ and $\mathbf{s}^{sim}$ negligible using the smudging technique of [5]. However, this would have required an exponentially large modulus $q$, since $\sigma_1$ would have had to be exponentially larger than the standard deviations of the columns of $\{\mathbf{R}_k\}_{k=1}^N$.

The proofs of the following theorems are given in the full version of the paper. 

Theorem 2. Under the $\mathsf{SIS}_{n,2m,q,\beta}$ assumption, where $\beta = N\sigma(2m)^{3/2} + 4\sigma_1 m^{3/2}$, the above protocols are secure protocols for obtaining a signature on a committed message and proving possession of a valid message-signature pair.

Theorem 3. The scheme provides anonymity under the $\mathsf{LWE}_{n,q,\chi}$ assumption.

4 A Dynamic Lattice-Based Group Signature 

In this section, the signature scheme of Sect. 3 is used to design a group signature 
for dynamic groups using the syntax and the security model of Kiayias and Yung 
[55], which is recalled in the full version of the paper. 

In the notations hereunder, for any positive integers $n$ and $q \geq 2$, we define the "powers-of-2" matrix $\mathbf{H}_{n \times n\lceil \log q \rceil} = \mathbf{I}_n \otimes [1 \mid 2 \mid 4 \mid \dots \mid 2^{\lceil \log q \rceil - 1}] \in \mathbb{Z}_q^{n \times n\lceil \log q \rceil}$. Also, for each vector $\mathbf{v} \in \mathbb{Z}_q^n$, we define $\mathsf{bin}(\mathbf{v}) \in \{0,1\}^{n\lceil \log q \rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion. Hence, we have $\mathbf{v} = \mathbf{H}_{n \times n\lceil \log q \rceil} \cdot \mathsf{bin}(\mathbf{v})$ for any $\mathbf{v} \in \mathbb{Z}_q^n$.

In our scheme, each group membership certificate is a signature generated by 
the group manager on the user’s public key. Since the group manager only needs 
to sign known (rather than committed) messages, we can use a simplified version 
of the signature, where the chameleon hash function does not need to choose the 
discrete Gaussian vector s with a larger standard deviation than other vectors. 

A key component of the scheme is the two-message joining protocol whereby the group manager admits new group members by signing their public key. The first message is sent by the new user $U_i$, who samples a membership secret consisting of a short vector $\mathbf{z}_i \leftarrow D_{\mathbb{Z}^{4m},\sigma}$ (where $m = 2n\lceil \log q \rceil$), which is used to compute a syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$ for some public matrix $\mathbf{F} \in \mathbb{Z}_q^{4n \times 4m}$. This syndrome $\mathbf{v}_i \in \mathbb{Z}_q^{4n}$ must be signed by $U_i$ using his long-term secret key $\mathsf{usk}[i]$ (as in [13,55], we assume that each user has a long-term key $\mathsf{upk}[i]$ for a digital signature, which is registered in some PKI) and will uniquely identify $U_i$. In order to generate a membership certificate for $\mathbf{v}_i \in \mathbb{Z}_q^{4n}$, the group manager GM signs its binary expansion $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n\lceil \log q \rceil}$ using the scheme of Sect. 3. Equipped with his membership certificate $(\tau, \mathbf{d}, \mathbf{s}) \in \{0,1\}^\ell \times \mathbb{Z}^{2m} \times \mathbb{Z}^{2m}$, the new group member $U_i$ can sign a message using a Stern-like protocol for demonstrating his knowledge of a valid certificate for which he also knows the secret key associated with the certified public key $\mathbf{v}_i \in \mathbb{Z}_q^{4n}$. This boils down to providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n\lceil \log q \rceil}$ for which he also knows a short $\mathbf{z}_i \in \mathbb{Z}^{4m}$ such that $\mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \mathsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.

Interestingly, the process does not require any proof of knowledge of the 
membership secret z i during the joining phase, which is round-optimal. Analo- 
gously to the Kiayias-Yung technique [54] and constructions based on structure- 
preserving signatures [2], the joining protocol thus remains secure in environ- 
ments where many users want to register at the same time in concurrent sessions. 

4.1 Description of the Scheme 

Setup$(1^\lambda, 1^{N_{gs}})$: Given a security parameter $\lambda > 0$ and the maximal expected number of group members $N_{gs} = 2^\ell \in \mathsf{poly}(\lambda)$, choose lattice parameter $n = O(\lambda)$; prime modulus $q = \tilde{O}(\ell n^3)$; dimension $m = 2n\lceil \log q \rceil$; Gaussian parameter $\sigma = \Omega(\sqrt{n \log q}\,\log n)$; infinity norm bounds $\beta = \sigma\,\omega(\log m)$ and $B = \sqrt{n}\,\omega(\log n)$. Let $\chi$ be a $B$-bounded distribution. Choose a hash function $H: \{0,1\}^* \to \{1,2,3\}^t$ for some $t = \omega(\log n)$, which will be modeled as a random oracle in the security analysis. Then, do the following.

1. Generate a key pair for the signature of Sect. 3.1 for signing single-block messages. Namely, run $\mathsf{TrapGen}(1^n, 1^m, q)$ to get $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{A}}$ of $\Lambda_q^\perp(\mathbf{A})$, which allows computing short vectors in $\Lambda_q^\perp(\mathbf{A})$ with Gaussian parameter $\sigma$. Next, choose matrices $\mathbf{A}_0, \mathbf{A}_1, \dots, \mathbf{A}_\ell, \mathbf{D} \leftarrow U(\mathbb{Z}_q^{n \times m})$, $\mathbf{D}_0, \mathbf{D}_1 \leftarrow U(\mathbb{Z}_q^{2n \times 2m})$ and a vector $\mathbf{u} \leftarrow U(\mathbb{Z}_q^n)$.

2. Choose an additional random matrix $\mathbf{F} \leftarrow U(\mathbb{Z}_q^{4n \times 4m})$ uniformly. Looking ahead, this matrix will be used to ensure security against framing attacks.

3. Generate a master key pair for the Gentry-Peikert-Vaikuntanathan IBE scheme in its multi-bit variant. This key pair consists of a statistically uniform matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$ and a short basis $\mathbf{T}_{\mathbf{B}} \in \mathbb{Z}^{m \times m}$ of $\Lambda_q^\perp(\mathbf{B})$. This basis will allow us to compute GPV private keys with a Gaussian parameter $\sigma_{GPV} \geq \|\widetilde{\mathbf{T}}_{\mathbf{B}}\| \cdot \sqrt{\log m}$.

4. Choose a one-time signature scheme $\Pi^{OTS} = (\mathcal{G}, \mathcal{S}, \mathcal{V})$ and a hash function $H_0: \{0,1\}^* \to \mathbb{Z}_q^{n \times 2m}$, the latter being modeled as a random oracle.

The group public key is defined as

$$\mathcal{Y} := (\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{B}, \mathbf{D}, \mathbf{D}_0, \mathbf{D}_1, \mathbf{F}, \mathbf{u}, \Pi^{OTS}, H, H_0).$$

The opening authority's private key is $\mathcal{S}_{OA} := \mathbf{T}_{\mathbf{B}}$ and the private key of the group manager consists of $\mathcal{S}_{GM} := \mathbf{T}_{\mathbf{A}}$. The algorithm outputs $(\mathcal{Y}, \mathcal{S}_{GM}, \mathcal{S}_{OA})$.
Join$^{(GM, U_i)}$: the group manager GM and the prospective user $U_i$ run the following interactive protocol: $[\mathsf{J}_{user}(\lambda, \mathcal{Y}), \mathsf{J}_{GM}(\lambda, St, \mathcal{Y}, \mathcal{S}_{GM})]$

1. $U_i$ samples $\mathbf{z}_i \leftarrow D_{\mathbb{Z}^{4m},\sigma}$ and computes $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$. He sends the vector $\mathbf{v}_i \in \mathbb{Z}_q^{4n}$, whose binary representation is $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, together with an ordinary digital signature $sig_i = \mathsf{Sign}_{\mathsf{usk}[i]}(\mathbf{v}_i)$ to GM.

2. $\mathsf{J}_{GM}$ verifies that $\mathbf{v}_i$ was not previously used by a registered user and that $sig_i$ is a valid signature on $\mathbf{v}_i$ w.r.t. $\mathsf{upk}[i]$. It aborts if this is not the case. Otherwise, GM chooses a fresh identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and uses $\mathcal{S}_{GM} = \mathbf{T}_{\mathbf{A}}$ to certify $U_i$ as a new group member. To this end, GM defines

$$\mathbf{A}_{\mathsf{id}_i} = \Big[\, \mathbf{A} \;\Big|\; \mathbf{A}_0 + \sum_{j=1}^{\ell} \mathsf{id}_i[j] \cdot \mathbf{A}_j \,\Big] \in \mathbb{Z}_q^{n \times 2m}. \qquad (6)$$

Then, GM runs $\mathbf{T}_{\mathsf{id}_i} \leftarrow \mathsf{ExtBasis}(\mathbf{A}_{\mathsf{id}_i}, \mathbf{T}_{\mathbf{A}})$ to obtain a short delegated basis $\mathbf{T}_{\mathsf{id}_i} \in \mathbb{Z}^{2m \times 2m}$ of $\Lambda_q^\perp(\mathbf{A}_{\mathsf{id}_i})$. Finally, GM samples a short vector $\mathbf{s}_i \leftarrow D_{\mathbb{Z}^{2m},\sigma}$ and uses the obtained delegated basis $\mathbf{T}_{\mathsf{id}_i}$ to compute a short vector $\mathbf{d}_i = [\mathbf{d}_{i,1}^T \mid \mathbf{d}_{i,2}^T]^T \in \mathbb{Z}^{2m}$ such that

$$\mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i = \Big[\, \mathbf{A} \;\Big|\; \mathbf{A}_0 + \sum_{j=1}^{\ell} \mathsf{id}_i[j] \cdot \mathbf{A}_j \,\Big] \cdot \mathbf{d}_i = \mathbf{u} + \mathbf{D} \cdot \mathsf{bin}\big(\mathbf{D}_0 \cdot \mathsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i\big) \bmod q. \qquad (7)$$

The triple $(\mathsf{id}_i, \mathbf{d}_i, \mathbf{s}_i)$ is sent to $U_i$. Then, $\mathsf{J}_{user}$ verifies that the received $(\mathsf{id}_i, \mathbf{d}_i, \mathbf{s}_i)$ satisfies (7) and that $\|\mathbf{d}_i\|_\infty < \beta$, $\|\mathbf{s}_i\|_\infty < \beta$. If these conditions are not satisfied, $\mathsf{J}_{user}$ aborts. Otherwise, $\mathsf{J}_{user}$ defines the membership certificate as $\mathsf{cert}_i = (\mathsf{id}_i, \mathbf{d}_i, \mathbf{s}_i)$. The membership secret $\mathsf{sec}_i$ is defined to be $\mathsf{sec}_i = \mathbf{z}_i \in \mathbb{Z}^{4m}$. $\mathsf{J}_{GM}$ stores $\mathsf{transcript}_i = (\mathbf{v}_i, \mathsf{cert}_i, i, \mathsf{upk}[i], sig_i)$ in the database $St_{trans}$ of joining transcripts.

Sign$(\mathcal{Y}, \mathsf{cert}_i, \mathsf{sec}_i, M)$: To sign $M$ using $\mathsf{cert}_i = (\mathsf{id}_i, \mathbf{d}_i, \mathbf{s}_i)$, where $\mathbf{d}_i \in \mathbb{Z}^{2m}$ and $\mathbf{s}_i \in \mathbb{Z}^{2m}$, as well as the membership secret $\mathsf{sec}_i = \mathbf{z}_i \in \mathbb{Z}^{4m}$, $U_i$ generates a one-time signature key pair $(\mathsf{VK}, \mathsf{SK}) \leftarrow \mathcal{G}(n)$ and does the following.

1. Compute $\mathbf{G}_0 = H_0(\mathsf{VK}) \in \mathbb{Z}_q^{n \times 2m}$ and use it as an IBE public key to encrypt $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$ is the syndrome of $\mathsf{sec}_i = \mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $\mathbf{c}_{\mathbf{v}_i} \in \mathbb{Z}_q^m \times \mathbb{Z}_q^{2m}$ as

$$\mathbf{c}_{\mathbf{v}_i} = (\mathbf{c}_1, \mathbf{c}_2) = \big(\mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1,\ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \mathsf{bin}(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor\big) \qquad (8)$$

for randomly chosen $\mathbf{e}_0 \leftarrow \chi^n$, $\mathbf{x}_1 \leftarrow \chi^m$, $\mathbf{x}_2 \leftarrow \chi^{2m}$. Notice that, as in the construction of [62], the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version of the dual Regev encryption scheme.

2. Run the protocol in Sect. 5.5 to prove the knowledge of $\mathsf{id}_i \in \{0,1\}^\ell$, vectors $\mathbf{s}_i \in \mathbb{Z}^{2m}$, $\mathbf{d}_{i,1}, \mathbf{d}_{i,2} \in \mathbb{Z}^m$, $\mathbf{z}_i \in \mathbb{Z}^{4m}$ with infinity norm bound $\beta$; $\mathbf{e}_0 \in \mathbb{Z}^n$, $\mathbf{x}_1 \in \mathbb{Z}^m$, $\mathbf{x}_2 \in \mathbb{Z}^{2m}$ with infinity norm bound $B$; and $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, $\mathbf{w}_i \in \{0,1\}^m$, that satisfy (8) as well as

$$\mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} \mathbf{A}_j \cdot \big(\mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}\big) - \mathbf{D} \cdot \mathbf{w}_i = \mathbf{u} \in \mathbb{Z}_q^n \qquad (9)$$

and

$$\mathbf{H}_{2n \times m} \cdot \mathbf{w}_i = \mathbf{D}_0 \cdot \mathsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \mathbb{Z}_q^{2n}, \qquad \mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \mathsf{bin}(\mathbf{v}_i) \in \mathbb{Z}_q^{4n}. \qquad (10)$$

The protocol is repeated $t = \omega(\log n)$ times in parallel to achieve negligible soundness error, and then made non-interactive using the Fiat-Shamir heuristic [40] as a triple $\pi_K = (\{\mathsf{Comm}_{K,j}\}_{j=1}^t, \mathsf{Chall}_K, \{\mathsf{Resp}_{K,j}\}_{j=1}^t)$, where $\mathsf{Chall}_K = H(M, \mathsf{VK}, \mathbf{c}_{\mathbf{v}_i}, \{\mathsf{Comm}_{K,j}\}_{j=1}^t) \in \{1,2,3\}^t$.

3. Compute a one-time signature $sig = \mathcal{S}(\mathsf{SK}, (\mathbf{c}_{\mathbf{v}_i}, \pi_K))$.

Output the signature that consists of

$$\Sigma = (\mathsf{VK}, \mathbf{c}_{\mathbf{v}_i}, \pi_K, sig). \qquad (11)$$


Verify$(\mathcal{Y}, M, \Sigma)$: Parse the signature $\Sigma$ as in (11). Then, return 1 if and only if: (i) $\mathcal{V}(\mathsf{VK}, (\mathbf{c}_{\mathbf{v}_i}, \pi_K), sig) = 1$; (ii) the proof $\pi_K$ properly verifies.

Open$(\mathcal{Y}, \mathcal{S}_{OA}, M, \Sigma)$: Parse $\mathcal{S}_{OA}$ as $\mathbf{T}_{\mathbf{B}} \in \mathbb{Z}^{m \times m}$ and $\Sigma$ as in (11).

1. Compute $\mathbf{G}_0 = H_0(\mathsf{VK}) \in \mathbb{Z}_q^{n \times 2m}$. Then, use $\mathbf{T}_{\mathbf{B}}$ to compute a small-norm matrix $\mathbf{E}_{0,\mathsf{VK}} \in \mathbb{Z}^{m \times 2m}$ such that $\mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q$.

2. Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\mathsf{bin}(\mathbf{v}) \in \{0,1\}^{2m}$ (i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1)/(q/2) \rceil$).

3. Determine if the $\mathsf{bin}(\mathbf{v}) \in \{0,1\}^{2m}$ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \mathsf{bin}(\mathbf{v}) \bmod q$ that appears in a record $\mathsf{transcript}_i = (\mathbf{v}, \mathsf{cert}_i, i, \mathsf{upk}[i], sig_i)$ of the database $St_{trans}$ for some $i$. If so, output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.

We remark that the scheme readily extends to provide a mechanism whereby the opening authority can efficiently prove that signatures were correctly opened at each opening operation. The difference between the dynamic group signature models suggested by Kiayias and Yung [55] and Bellare et al. [13] is that, in the latter, the opening authority (OA) must be able to convince a judge that the Open algorithm was run correctly. Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening [37]. Namely, since $\mathsf{bin}(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\mathsf{VK}$, the OA can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}}$, which satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai et al. [71].
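The opening step and the non-interactive opening described above can be exercised with the following added Python example (it is not code from the paper): it generates dual Regev keys in the manner of the Global-Setup of Sect. 3.3 ($\mathbf{G} = \mathbf{B} \cdot \mathbf{E} \bmod q$ with a short $\mathbf{E}$), encrypts a bit string as in (8), decrypts it as in step 2 of Open, and then lets a third party check a revealed $\mathbf{E}$ before redoing the decryption. The toy parameters ($n = 8$, $m = 64$, $q = 2^{16}$, noise uniform in $[-4, 4]$, entries of $\mathbf{E}$ in $\{-1,0,1\}$) are assumptions chosen so that the decryption noise $\mathbf{x}_2 - \mathbf{E}^T \mathbf{x}_1$ stays below $q/4$; the IBE derivation of $\mathbf{E}_{0,\mathsf{VK}}$ from the trapdoor $\mathbf{T}_{\mathbf{B}}$ is not implemented, the short matrix is simply generated together with the key. The message bits are constructed.

```python
import secrets

# Toy parameters (assumption for this demo, not the paper's asymptotic setting):
# n = 8, m = 64, q = 2^16, noise chi uniform in [-NOISE, NOISE].
N_DIM, M_DIM, Q, NOISE = 8, 64, 1 << 16, 4


def sample_vec(dim, lo, hi):
    """Uniform vector with entries in [lo, hi] (used both for chi and for the short matrix E)."""
    return [lo + secrets.randbelow(hi - lo + 1) for _ in range(dim)]


def mat_vec(M, v, q):
    """M * v mod q, with M given as a list of rows."""
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def mat_mul(A, B, q):
    """A * B mod q for row-major matrices."""
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) % q for col in cols] for row in A]


def transpose(M):
    return [list(col) for col in zip(*M)]


def keygen(n_bits):
    """Dual Regev keys as in Global-Setup: B uniform in Z_q^{n x m}, E short in Z^{m x n_bits},
    public G = B * E mod q. E is the (secret) opening matrix."""
    B = [sample_vec(M_DIM, 0, Q - 1) for _ in range(N_DIM)]
    E = [sample_vec(n_bits, -1, 1) for _ in range(M_DIM)]
    G = mat_mul(B, E, Q)
    return B, G, E


def encrypt(B, G, bits):
    """Multi-bit dual Regev, as in (8): c1 = B^T s + x1, c2 = G^T s + x2 + bits * floor(q/2)."""
    s = sample_vec(N_DIM, -NOISE, NOISE)
    x1 = sample_vec(M_DIM, -NOISE, NOISE)
    x2 = sample_vec(len(bits), -NOISE, NOISE)
    c1 = [(a + b) % Q for a, b in zip(mat_vec(transpose(B), s, Q), x1)]
    c2 = [(a + b + bit * (Q // 2)) % Q
          for a, b, bit in zip(mat_vec(transpose(G), s, Q), x2, bits)]
    return c1, c2


def decrypt(E, c1, c2):
    """Open, step 2: round (c2 - E^T c1) / (q/2) coordinate-wise.
    c2 - E^T c1 = x2 - E^T x1 + bits * floor(q/2), and the noise term is far below q/4."""
    d = [(a - b) % Q for a, b in zip(c2, mat_vec(transpose(E), c1, Q))]
    # centre each entry into (-q/2, q/2]: a 1 sits near +-q/2, a 0 near 0
    return [1 if abs(x - Q if x > Q // 2 else x) > Q // 4 else 0 for x in d]


def public_open(B, G, E, c1, c2, bound=1):
    """Non-interactive opening: anyone given the revealed E first checks that it is a short
    preimage of G under B (entries bounded and B * E = G mod q, the GPV-signature check),
    and only then redoes the decryption step. Returns (check_passed, bits_or_None)."""
    if any(abs(e) > bound for row in E for e in row):
        return False, None
    if mat_mul(B, E, Q) != G:
        return False, None
    return True, decrypt(E, c1, c2)


if __name__ == "__main__":
    B, G, E = keygen(16)
    bits = [secrets.randbelow(2) for _ in range(16)]      # constructed message bits
    c1, c2 = encrypt(B, G, bits)
    print("OA decryption correct:", decrypt(E, c1, c2) == bits)
    print("public re-opening with revealed E:", public_open(B, G, E, c1, c2)[0])
```

In the paper's setting the revealed matrix plays the role of $\mathbf{E}_{0,\mathsf{VK}}$; the check $\mathbf{B} \cdot \mathbf{E} = \mathbf{G}_0 \bmod q$ together with the norm bound is what makes the opening sound, since a wrong or non-short matrix is rejected before any bit is recovered.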

4.2 Efficiency and Correctness 

Efficiency. The given dynamic group signature scheme can be implemented in polynomial time. The group public key has total bit-size $\tilde{O}(\ell n m \log q) = \tilde{O}(\lambda^2) \cdot \log N_{gs}$. The secret signing key of each user consists of a small constant number of low-norm vectors, and has bit-size $\tilde{O}(\lambda)$.

The size of each group signature is largely dominated by that of the non-interactive argument $\pi_K$, which is obtained from the Stern-like protocol of Sect. 5.5. Each round of the protocol has communication cost $\tilde{O}(m \log q) \cdot \log N_{gs}$. Thus, the bit-size of $\pi_K$ is $t \cdot \tilde{O}(m \cdot \log q) \cdot \log N_{gs} = \tilde{O}(\lambda) \cdot \log N_{gs}$. This is also the asymptotic bound on the size of the group signature.

Correctness. The correctness of algorithm Verify$(\mathcal{Y}, M, \Sigma)$ follows from the facts that every certified group member is able to compute valid witness vectors satisfying Eqs. (8), (9) and (10), and that the underlying argument system is perfectly complete. Moreover, the scheme parameters are chosen so that the GPV IBE [42] is correct, which implies that algorithm Open$(\mathcal{Y}, \mathcal{S}_{OA}, M, \Sigma)$ is also correct.

4.3 Security Analysis 

Due to the fact that the number of public matrices $\{\mathbf{A}_j\}_{j=0}^\ell$ is only logarithmic in $N_{gs} = 2^\ell$ instead of being linear in the security parameter $\lambda$, the proof of security against misidentification attacks (as defined in the full version of this paper and in [53]) cannot rely on the security of our signature scheme in a modular manner. The reason is that, at each run of the Join protocol, the group manager maintains a state and, instead of choosing the $\ell$-bit identifier $\mathsf{id}$ uniformly in $\{0,1\}^\ell$, it chooses an identifier that has not been used yet. Since $\ell < \lambda$ (given that $N_{gs} = 2^\ell$ is polynomial in $\lambda$), we thus have to prove security from scratch. However, the strategy of the reduction is exactly the same as in the security proof of the signature scheme.

The proofs of the following theorems are given in the full version of the paper. 

Theorem 4. The scheme is secure against misidentification attacks under the $\mathsf{SIS}_{n,2m,q,\beta'}$ assumption, for $\beta' = O(\ell \sigma^2 m^{3/2})$.

Theorem 5. The scheme is secure against framing attacks under the $\mathsf{SIS}_{4n,4m,q,\beta''}$ assumption, where $\beta'' = 4\sigma\sqrt{m}$.

Theorem 6. In the random oracle model, the scheme provides CCA-anonymity if the $\mathsf{LWE}_{n,q,\chi}$ assumption holds and if $\Pi^{OTS}$ is a strongly unforgeable one-time signature.

5 Supporting Zero-Knowledge Argument Systems 

This section provides a general framework that allows obtaining zero-knowledge 
arguments of knowledge (ZKAoK) for many relations appearing in lattice-based 
cryptography. Since lattice-based cryptosystems are built upon the hardness of 
the SIS and LWE problems, the relations among objects of the schemes are typi- 
cally represented by modular linear equations. Thanks to the linearity property, 
we can often unify the given equations into one equation of the form:

$$\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q, \qquad (12)$$

where $(\mathbf{P}, \mathbf{v})$ are public and $\mathbf{x}$ is a secret vector (or matrix) that possesses some constraints to be proven in zero-knowledge, e.g., its smallness (like a SIS solution or an LWE noise) or a special arrangement of its entries. Starting from this high-level observation, we look for a tool that handles these constraints well.

Stern's protocol [72], originally proposed in the context of code-based cryptography, appears to be well-suited for our purpose. Stern's main idea is simple, yet elegant: to prove that a binary vector $\mathbf{x}$ satisfies a fixed-Hamming-weight constraint, simply send the verifier a random permutation $\pi(\mathbf{x})$, which guarantees that the constraint is satisfied while leaking no additional information about $\mathbf{x}$. Ling et al. [61] developed this idea to handle the smallness constraint, via a technique called Decomposition-Extension. This technique decomposes a vector with small infinity norm $B \geq 1$ into $\lfloor \log_2 B \rfloor + 1$ vectors with infinity norm 1, and then extends these vectors into elements of sets that are closed under permutations. Several subsequent works [57,60,62] employed the techniques of [61,72] in different contexts, but did not address the applicability and flexibility of the protocol in an abstract, generalized manner.

In Sect. 5.1, we abstract Stern’s protocol to capture many relations that nat- 
urally appear in lattice-based cryptography. In particular, the argument systems 
used in our signature with efficient protocols (Sect. 3) and dynamic group sig- 
nature (Sect. 4) can all be derived from this abstract protocol, which we will 
demonstrate in Sects. 5.3, 5.4 and 5.5, respectively. 

We note that several works [15,51,73] addressed the problem of proving mul- 
tiplicative and additive relations among committed linear objects (matrices and 
vectors over Z q ) in lattice-based cryptography. These results, however, do not 
yield a simple solution for the relations involved in our schemes. If we were to 
plug proof systems like [15,51,73] in our relations, we would need to commit to 
all objects using perfectly binding commitments (which would require very long 
commitment keys) and express the relations in terms of many multiplications 
and additions gates before running many instances of the proof systems depend- 
ing on the circuit. Instead of considering general circuits, our framework aims at 
a more direct (but still fairly general) solution for a large class of relations that 
naturally appear in SIS and LWE-based cryptography. 

5.1 Abstracting Stern’s Protocol 

Let $D, L, q \geq 2$ be positive integers and let VALID be a subset of $\{-1,0,1\}^L$. Suppose that $\mathcal{S}$ is a finite set such that one can associate every $\pi \in \mathcal{S}$ with a permutation $T_\pi$ of $L$ elements, satisfying the following conditions:

$$\begin{cases} \mathbf{x} \in \mathrm{VALID} \iff T_\pi(\mathbf{x}) \in \mathrm{VALID}, \\ \text{If } \mathbf{x} \in \mathrm{VALID} \text{ and } \pi \text{ is uniform in } \mathcal{S}, \text{ then } T_\pi(\mathbf{x}) \text{ is uniform in } \mathrm{VALID}. \end{cases} \qquad (13)$$

We aim to construct a statistical ZKAoK for the following abstract relation:

$$R_{abstract} = \Big\{ \big((\mathbf{P}, \mathbf{v}), \mathbf{x}\big) \in \mathbb{Z}_q^{D \times L} \times \mathbb{Z}_q^D \times \mathrm{VALID} : \mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q \Big\}.$$

Note that Stern's original protocol corresponds to the special case when $\mathrm{VALID} = \{\mathbf{x} \in \{0,1\}^L : \mathrm{wt}(\mathbf{x}) = k\}$ (where $\mathrm{wt}(\cdot)$ denotes the Hamming weight and $k < L$ is a given integer), $\mathcal{S} = \mathcal{S}_L$ is the set of all permutations of $L$ elements, and $T_\pi(\mathbf{x}) = \pi(\mathbf{x})$.

The conditions in (13) play a crucial role in proving in ZK that $\mathbf{x} \in \mathrm{VALID}$: to do so, the prover samples $\pi \leftarrow U(\mathcal{S})$ and lets the verifier check that $T_\pi(\mathbf{x}) \in \mathrm{VALID}$, while the latter cannot learn any additional information about $\mathbf{x}$ thanks to the randomness of $\pi$. Furthermore, to prove in ZK that the linear equation holds, the prover samples a masking vector $\mathbf{r} \leftarrow U(\mathbb{Z}_q^L)$, sends $\mathbf{y} = \mathbf{x} + \mathbf{r} \bmod q$, and convinces the verifier instead that $\mathbf{P} \cdot \mathbf{y} = \mathbf{P} \cdot \mathbf{r} + \mathbf{v} \bmod q$.

The interactive protocol between the prover and the verifier with common 
input (P,v) and prover’s secret input x is described in Fig. 1. The protocol 
employs a statistically hiding and computationally binding string commitment 
scheme COM (e.g., the SIS-based one from [52]). 


1. Commitment: Prover samples $\mathbf{r} \leftarrow U(\mathbb{Z}_q^L)$, $\pi \leftarrow U(\mathcal{S})$ and randomness $\rho_1, \rho_2, \rho_3$ for COM. Then he sends $\mathrm{CMT} = (C_1, C_2, C_3)$ to the verifier, where

$$C_1 = \mathrm{COM}(\pi, \mathbf{P} \cdot \mathbf{r}; \rho_1), \quad C_2 = \mathrm{COM}(T_\pi(\mathbf{r}); \rho_2), \quad C_3 = \mathrm{COM}(T_\pi(\mathbf{x} + \mathbf{r}); \rho_3).$$

2. Challenge: The verifier sends a challenge $Ch \leftarrow U(\{1,2,3\})$ to the prover.

3. Response: Depending on $Ch$, the prover sends RSP computed as follows:

- $Ch = 1$: Let $\mathbf{t}_{\mathbf{x}} = T_\pi(\mathbf{x})$, $\mathbf{t}_{\mathbf{r}} = T_\pi(\mathbf{r})$, and $\mathrm{RSP} = (\mathbf{t}_{\mathbf{x}}, \mathbf{t}_{\mathbf{r}}, \rho_2, \rho_3)$.
- $Ch = 2$: Let $\pi_2 = \pi$, $\mathbf{y} = \mathbf{x} + \mathbf{r}$, and $\mathrm{RSP} = (\pi_2, \mathbf{y}, \rho_1, \rho_3)$.
- $Ch = 3$: Let $\pi_3 = \pi$, $\mathbf{r}_3 = \mathbf{r}$, and $\mathrm{RSP} = (\pi_3, \mathbf{r}_3, \rho_1, \rho_2)$.

Verification: Receiving RSP, the verifier proceeds as follows:

- $Ch = 1$: Check that $\mathbf{t}_{\mathbf{x}} \in \mathrm{VALID}$ and $C_2 = \mathrm{COM}(\mathbf{t}_{\mathbf{r}}; \rho_2)$, $C_3 = \mathrm{COM}(\mathbf{t}_{\mathbf{x}} + \mathbf{t}_{\mathbf{r}}; \rho_3)$.
- $Ch = 2$: Check that $C_1 = \mathrm{COM}(\pi_2, \mathbf{P} \cdot \mathbf{y} - \mathbf{v}; \rho_1)$, $C_3 = \mathrm{COM}(T_{\pi_2}(\mathbf{y}); \rho_3)$.
- $Ch = 3$: Check that $C_1 = \mathrm{COM}(\pi_3, \mathbf{P} \cdot \mathbf{r}_3; \rho_1)$, $C_2 = \mathrm{COM}(T_{\pi_3}(\mathbf{r}_3); \rho_2)$.

In each case, the verifier outputs 1 if and only if all the conditions hold.

Fig. 1. A ZKAoK for the relation $R_{abstract}$.


The properties of the given protocol are summarized in the following lemma. 


Lemma 8. The protocol in Fig. 1 is a statistical ZKAoK for the relation $R_{abstract}$ with perfect completeness, soundness error $2/3$, and communication cost $O(L \log q)$. In particular:

- There exists an efficient simulator that, on input $(\mathbf{P}, \mathbf{v})$, outputs an accepted transcript which is statistically close to that produced by the real prover.
- There exists an efficient knowledge extractor that, on input a commitment CMT and 3 valid responses $(\mathrm{RSP}_1, \mathrm{RSP}_2, \mathrm{RSP}_3)$ to all 3 possible values of the challenge $Ch$, outputs $\mathbf{x}' \in \mathrm{VALID}$ such that $\mathbf{P} \cdot \mathbf{x}' = \mathbf{v} \bmod q$.

The proof of Lemma 8 employs standard simulation and extraction techniques for Stern-like protocols [52,61,62]. It is detailed in the full version of the paper.
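The following Python program is an added example, not code from the paper: it instantiates the protocol of Fig. 1 for Stern's original special case of $R_{abstract}$ (VALID = binary vectors of Hamming weight $k$, $\mathcal{S} = \mathcal{S}_L$, $T_\pi(\mathbf{x}) = \pi(\mathbf{x})$), runs all three challenges against a single commitment, and applies the knowledge extractor of Lemma 8 to the three responses. The string commitment COM is modelled by a salted SHA-256 hash (an assumption made here to keep the demo self-contained; the paper uses the SIS-based commitment of [52]), and the matrix $\mathbf{P}$, the modulus and the witness are small constructed values.

```python
import hashlib
import secrets

_rng = secrets.SystemRandom()


def mat_vec(P, x, q):
    """P * x mod q, with P given as a list of rows."""
    return [sum(p * xi for p, xi in zip(row, x)) % q for row in P]


def apply_perm(pi, x):
    """T_pi(x) for pi in S_L: output position i receives coordinate pi[i] of x."""
    return [x[pi[i]] for i in range(len(x))]


def commit(*parts, rho):
    """Stand-in for COM: salted SHA-256 (assumption; the paper uses the SIS-based COM of [52])."""
    h = hashlib.sha256(rho)
    h.update(repr(parts).encode())
    return h.hexdigest()


def in_valid(t, k):
    """Stern's original VALID: binary vectors of Hamming weight exactly k."""
    return all(c in (0, 1) for c in t) and sum(t) == k


def prover_commit(P, x, q):
    """Round 1: CMT = (C1, C2, C3) for a fresh mask r, permutation pi and salts rho1..rho3."""
    L = len(x)
    r = [secrets.randbelow(q) for _ in range(L)]
    pi = list(range(L))
    _rng.shuffle(pi)
    rho = [secrets.token_bytes(16) for _ in range(3)]
    y = [(xi + ri) % q for xi, ri in zip(x, r)]            # x + r mod q
    cmt = (commit(tuple(pi), tuple(mat_vec(P, r, q)), rho=rho[0]),   # C1 = COM(pi, P r)
           commit(tuple(apply_perm(pi, r)), rho=rho[1]),              # C2 = COM(T_pi(r))
           commit(tuple(apply_perm(pi, y)), rho=rho[2]))              # C3 = COM(T_pi(x + r))
    return cmt, {"r": r, "pi": pi, "rho": rho, "y": y}


def prover_respond(x, state, ch):
    """Round 3: reveal exactly the parts of the state that the challenge asks for."""
    r, pi, rho, y = state["r"], state["pi"], state["rho"], state["y"]
    if ch == 1:
        return (apply_perm(pi, x), apply_perm(pi, r), rho[1], rho[2])
    if ch == 2:
        return (pi, y, rho[0], rho[2])
    return (pi, r, rho[0], rho[1])


def verify(P, v, q, k, cmt, ch, rsp):
    """Verifier's checks of Fig. 1 for the given challenge."""
    c1, c2, c3 = cmt
    if ch == 1:
        t_x, t_r, rho2, rho3 = rsp
        t_sum = [(a + b) % q for a, b in zip(t_x, t_r)]
        return (in_valid(t_x, k)
                and c2 == commit(tuple(t_r), rho=rho2)
                and c3 == commit(tuple(t_sum), rho=rho3))
    if ch == 2:
        pi, y, rho1, rho3 = rsp
        py_minus_v = [(a - b) % q for a, b in zip(mat_vec(P, y, q), v)]
        return (c1 == commit(tuple(pi), tuple(py_minus_v), rho=rho1)
                and c3 == commit(tuple(apply_perm(pi, y)), rho=rho3))
    pi, r, rho1, rho2 = rsp
    return (c1 == commit(tuple(pi), tuple(mat_vec(P, r, q)), rho=rho1)
            and c2 == commit(tuple(apply_perm(pi, r)), rho=rho2))


def extract(rsp1, rsp2, rsp3, q):
    """Knowledge extractor: from valid responses to all three challenges on one CMT,
    x' = y - r3 satisfies P x' = v (binding of C1) and T_pi(x') = t_x in VALID (binding of C3)."""
    t_x = rsp1[0]
    pi, y = rsp2[0], rsp2[1]
    r3 = rsp3[1]
    x_prime = [(yi - ri) % q for yi, ri in zip(y, r3)]
    return x_prime if apply_perm(pi, x_prime) == list(t_x) else None


def run_all_challenges(P, v, x, q, k):
    """Honest run: one commitment, responses to Ch = 1, 2, 3, verification and extraction."""
    cmt, state = prover_commit(P, x, q)
    rsps = [prover_respond(x, state, ch) for ch in (1, 2, 3)]
    ok = all(verify(P, v, q, k, cmt, ch, rsp) for ch, rsp in zip((1, 2, 3), rsps))
    return ok, extract(rsps[0], rsps[1], rsps[2], q)


if __name__ == "__main__":
    q, n, L, k = 97, 3, 8, 3                                  # constructed toy sizes
    x = [1, 0, 1, 0, 0, 1, 0, 0]                              # witness of weight k
    P = [[secrets.randbelow(q) for _ in range(L)] for _ in range(n)]
    v = mat_vec(P, x, q)
    ok, x_prime = run_all_challenges(P, v, x, q, k)
    print("all challenges accepted:", ok, "| extracted witness matches:", x_prime == x)
```

The extractor needs only the responses to challenges 2 and 3 to recover $\mathbf{x}' = \mathbf{y} - \mathbf{r}_3$; the response to challenge 1 is what certifies $\mathbf{x}' \in \mathrm{VALID}$. This is why a prover holding a vector of the wrong weight that still satisfies $\mathbf{P} \cdot \mathbf{x} = \mathbf{v}$ passes challenges 2 and 3 and is caught exactly on $Ch = 1$, the soundness error $2/3$ of Lemma 8.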


5.2 Supporting Notations and Techniques 

Below we will describe the notations and techniques, adapted from recent works 
on Stern-like protocols [39,57,60,61], that we will employ in the next subsections 
to handle 3 different constraints of the witness vectors. 

Let $m$ be an arbitrary dimension, and $B$ be an arbitrary infinity norm bound.

Case 1: $\mathbf{w} \in \{0,1\}^m$. We denote by $\mathsf{B}^2_m$ the set of all vectors in $\{0,1\}^{2m}$ having exactly $m$ coordinates equal to 1. We also let $\mathsf{Ext}_{2m}(\mathbf{w})$ be the algorithm that outputs a vector $\hat{\mathbf{w}} \in \mathsf{B}^2_m$ by appending $m$ suitable coordinates to $\mathbf{w} \in \{0,1\}^m$. Note that, for any permutation $\varphi \in \mathcal{S}_{2m}$, we have $\hat{\mathbf{w}} \in \mathsf{B}^2_m \iff \varphi(\hat{\mathbf{w}}) \in \mathsf{B}^2_m$.

Case 2: $\mathbf{w} \in [-B, B]^m$. We define $\delta_B := \lfloor \log_2 B \rfloor + 1$ and denote by $\mathsf{B}^3_{m\delta_B}$ the set of vectors in $\{-1,0,1\}^{3m\delta_B}$ with exactly $m\delta_B$ coordinates equal to $j$, for every $j \in \{-1,0,1\}$. The Decomposition-Extension technique from [61] consists in transforming $\mathbf{w} \in [-B,B]^m$ to a vector $\mathsf{DecExt}_{m,B}(\mathbf{w}) \in \mathsf{B}^3_{m\delta_B}$, as follows.

Define the sequence $B_1, \dots, B_{\delta_B}$, where $B_j = \big\lfloor \frac{B + 2^{j-1}}{2^j} \big\rfloor$ for all $j \in [1, \delta_B]$. As noted in [61], it satisfies $\sum_{j=1}^{\delta_B} B_j = B$, and for any $w \in [-B,B]$, one can efficiently compute $w^{(1)}, \dots, w^{(\delta_B)} \in \{-1,0,1\}$ such that $\sum_{j=1}^{\delta_B} B_j \cdot w^{(j)} = w$. Next, define the matrix

$$\mathbf{K}_{m,B} = \mathbf{I}_m \otimes [B_1 \mid \dots \mid B_{\delta_B}] = \begin{pmatrix} B_1 \dots B_{\delta_B} & & \\ & \ddots & \\ & & B_1 \dots B_{\delta_B} \end{pmatrix} \in \mathbb{Z}^{m \times m\delta_B}$$

and its extension $\hat{\mathbf{K}}_{m,B} = [\mathbf{K}_{m,B} \mid \mathbf{0}^{m \times 2m\delta_B}] \in \mathbb{Z}^{m \times 3m\delta_B}$. If we let $\mathbf{w} = (w_1, \dots, w_m)^T$, then we can compute

$$\mathbf{w}' = \big(w_1^{(1)}, \dots, w_1^{(\delta_B)}, \dots, w_m^{(1)}, \dots, w_m^{(\delta_B)}\big)^T \in \{-1,0,1\}^{m\delta_B}$$

satisfying $\mathbf{K}_{m,B} \cdot \mathbf{w}' = \mathbf{w}$. By appending $2m\delta_B$ suitable coordinates to $\mathbf{w}'$, we can obtain $\hat{\mathbf{w}} \in \mathsf{B}^3_{m\delta_B}$ satisfying $\hat{\mathbf{K}}_{m,B} \cdot \hat{\mathbf{w}} = \mathbf{w}$.

Note that for any $\phi \in \mathcal{S}_{3m\delta_B}$, we have $\hat{\mathbf{w}} \in \mathsf{B}^3_{m\delta_B} \iff \phi(\hat{\mathbf{w}}) \in \mathsf{B}^3_{m\delta_B}$.

Case 3: $\mathbf{w} \in \{0,1\}^{2m}$ is the correct encoding of some $\mathbf{t} \in \{0,1\}^m$.

Recall that the encoding function from Sect. 3.3, hereunder denoted by $\mathsf{Encode}_m$ if the input is a binary vector of length $m$, extends $\mathbf{t} = (t_1, \dots, t_m)^T$ to $\mathsf{Encode}_m(\mathbf{t}) = (\bar{t}_1, t_1, \dots, \bar{t}_m, t_m)$. We define $\mathrm{CorEnc}(m) = \{\mathbf{w} = \mathsf{Encode}_m(\mathbf{t}) : \mathbf{t} \in \{0,1\}^m\}$, the set of all correct encodings of $m$-bit vectors. To handle the constraint $\mathbf{w} \in \mathrm{CorEnc}(m)$, we adapt the permuting technique from [39,57,60].

For $\mathbf{b} = (b_1, \dots, b_m)^T \in \{0,1\}^m$, we let $E_{\mathbf{b}}$ be the permutation transforming a vector $\mathbf{w} = (w_1^0, w_1^1, \dots, w_m^0, w_m^1) \in \mathbb{Z}^{2m}$ to $E_{\mathbf{b}}(\mathbf{w}) = (w_1^{b_1}, w_1^{\bar{b}_1}, \dots, w_m^{b_m}, w_m^{\bar{b}_m})$.

Note that $E_{\mathbf{b}}$ transforms $\mathbf{w} = \mathsf{Encode}_m(\mathbf{t})$ to $E_{\mathbf{b}}(\mathbf{w}) = \mathsf{Encode}_m(\mathbf{t} \oplus \mathbf{b})$, where $\oplus$ denotes the bit-wise addition modulo 2. Thus, for any $\mathbf{b} \in \{0,1\}^m$, we have

$$\mathbf{w} \in \mathrm{CorEnc}(m) \iff E_{\mathbf{b}}(\mathbf{w}) \in \mathrm{CorEnc}(m).$$
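To make the three constraint-handling tools concrete (the encoding of Sect. 3.3 and Cases 1 to 3 above), here is an added Python example, not code from the paper: it implements $\mathsf{Ext}_{2m}$, the sequence $B_1, \dots, B_{\delta_B}$ and $\mathsf{DecExt}_{m,B}$ with a check that $\hat{\mathbf{K}}_{m,B} \cdot \hat{\mathbf{w}} = \mathbf{w}$, the encoding $\mathsf{Encode}_m$ with the permutation $E_{\mathbf{b}}$, and the closure-under-permutation property that (13) relies on. The greedy digit extraction in `decompose` is one way to realise the decomposition of [61] (an assumption of this example; the text only states that the digits are efficiently computable), and the sample vectors are constructed.

```python
import secrets

_rng = secrets.SystemRandom()


# ---- Case 1: w in {0,1}^m ------------------------------------------------
def ext_2m(w):
    """Ext_{2m}: append m bits so the result lies in B^2_m (exactly m ones among 2m)."""
    m, ones = len(w), sum(w)
    return list(w) + [1] * (m - ones) + [0] * ones


def in_b2(vec, m):
    return len(vec) == 2 * m and all(c in (0, 1) for c in vec) and sum(vec) == m


# ---- Case 2: w in [-B, B]^m ----------------------------------------------
def b_sequence(B):
    """B_1..B_{delta_B} with B_j = floor((B + 2^(j-1)) / 2^j); delta_B = floor(log2 B) + 1."""
    delta = B.bit_length()
    return [(B + 2 ** (j - 1)) // 2 ** j for j in range(1, delta + 1)]


def decompose(w, B):
    """Digits w^(1..delta_B) in {-1,0,1} with sum_j B_j * w^(j) = w. The greedy rule is one
    way to compute them (assumption; [61] only states that they are efficiently computable)."""
    digits = []
    for bj in b_sequence(B):
        if w >= bj:
            digits.append(1)
            w -= bj
        elif w <= -bj:
            digits.append(-1)
            w += bj
        else:
            digits.append(0)
    if w != 0:
        raise ValueError("input outside [-B, B]")
    return digits


def dec_ext(w_vec, B):
    """DecExt_{m,B}: concatenate the digit vectors, then pad with 2 m delta_B coordinates so
    that -1, 0 and 1 each occur exactly m delta_B times (membership in B^3_{m delta_B})."""
    m, delta = len(w_vec), B.bit_length()
    w_prime = [d for w in w_vec for d in decompose(w, B)]
    pad = [j for j in (-1, 0, 1) for _ in range(m * delta - w_prime.count(j))]
    return w_prime + pad


def k_hat_times(w_hat, m, B):
    """K_hat_{m,B} * w_hat: only the first m delta_B coordinates carry weights, the rest is times 0."""
    bs = b_sequence(B)
    delta = len(bs)
    return [sum(bs[j] * w_hat[i * delta + j] for j in range(delta)) for i in range(m)]


def in_b3(vec, m, B):
    delta = B.bit_length()
    return len(vec) == 3 * m * delta and all(vec.count(j) == m * delta for j in (-1, 0, 1))


def check_decomposition(B):
    """Sanity check of the B_j sequence: sum B_j = B and every w in [-B, B] is reconstructed."""
    bs = b_sequence(B)
    return sum(bs) == B and all(
        sum(bj * dj for bj, dj in zip(bs, decompose(w, B))) == w for w in range(-B, B + 1))


# ---- Case 3: correct encodings --------------------------------------------
def encode(t):
    """Encode_m: each bit t_i becomes the pair (1 - t_i, t_i)."""
    return [c for bit in t for c in (1 - bit, bit)]


def in_cor_enc(w):
    return len(w) % 2 == 0 and all(
        (w[2 * i], w[2 * i + 1]) in ((1, 0), (0, 1)) for i in range(len(w) // 2))


def e_perm(b, w):
    """E_b: swap the i-th pair of w exactly when b_i = 1, so E_b(Encode(t)) = Encode(t xor b)."""
    out = []
    for i, bi in enumerate(b):
        pair = (w[2 * i], w[2 * i + 1])
        out += [pair[bi], pair[1 - bi]]
    return out


def random_permutation_keeps(vec, membership):
    """Closure under permutation, as needed by (13): membership survives a uniform shuffle."""
    phi = list(range(len(vec)))
    _rng.shuffle(phi)
    return membership([vec[i] for i in phi])


if __name__ == "__main__":
    w = [7, -3, 0, 10]                                    # constructed input, B = 10
    w_hat = dec_ext(w, 10)
    print(in_b3(w_hat, 4, 10), k_hat_times(w_hat, 4, 10) == w,
          random_permutation_keeps(w_hat, lambda v: in_b3(v, 4, 10)))
    t, b = [1, 0, 1, 1], [0, 1, 1, 0]
    print(e_perm(b, encode(t)) == encode([x ^ y for x, y in zip(t, b)]))
```

For the commitment argument of Sect. 5.3, `dec_ext` is applied to $\mathbf{x}_1$ with bound $B$ and to $\mathbf{s}'$ with bound $p-1$, and `e_perm` with a uniform $\mathbf{b}$ is what hides the encoded message blocks.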
5.3 Proving the Consistency of Commitments

The argument system used in our protocol for signing a committed value in Sect. 3.3 can be summarized as follows.

Common Input: Matrices $\{\mathbf{D}_k \in \mathbb{Z}_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$; vectors $\mathbf{c}_{\mathbf{m}} \in \mathbb{Z}_q^{2n}$; $\{\mathbf{c}_{k,1} \in \mathbb{Z}_q^m\}_{k=1}^N$; $\{\mathbf{c}_{k,2} \in \mathbb{Z}_q^{2m}\}_{k=1}^N$; $\mathbf{c}_{\mathbf{s}',1} \in \mathbb{Z}_q^m$; $\mathbf{c}_{\mathbf{s}',2} \in \mathbb{Z}_q^{2m}$.

Prover's Input: $\mathbf{m} = (\mathbf{m}_1^T \| \dots \| \mathbf{m}_N^T)^T \in \mathrm{CorEnc}(mN)$; $\{\mathbf{s}_k \in [-B,B]^n,\ \mathbf{e}_{k,1} \in [-B,B]^m,\ \mathbf{e}_{k,2} \in [-B,B]^{2m}\}_{k=1}^N$; $\mathbf{s}_0 \in [-B,B]^n$; $\mathbf{e}_{0,1} \in [-B,B]^m$; $\mathbf{e}_{0,2} \in [-B,B]^{2m}$; $\mathbf{s}' \in [-(p-1), p-1]^{2m}$.

Prover's Goal: Convince the verifier in ZK that:

$$\begin{cases} \mathbf{c}_{\mathbf{m}} = \mathbf{D}_0 \cdot \mathbf{s}' + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k \bmod q; \\ \mathbf{c}_{\mathbf{s}',1} = \mathbf{B}^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,1} \bmod q; \quad \mathbf{c}_{\mathbf{s}',2} = \mathbf{G}_1^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor \cdot \mathbf{s}' \bmod q; \\ \forall k \in [N]: \mathbf{c}_{k,1} = \mathbf{B}^T \cdot \mathbf{s}_k + \mathbf{e}_{k,1}; \quad \mathbf{c}_{k,2} = \mathbf{G}_1^T \cdot \mathbf{s}_k + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor \cdot \mathbf{m}_k. \end{cases} \qquad (14)$$
We will show that the above argument system can be obtained from the one in 
Sect. 5.1. We proceed in two steps. 

Step 1: Transforming the equations in (14) into a unified one of the form 
P x = v mod g, where Hx^ = 1 and x G VALID - a “specially- designed” set. 
To do so, we first form the following vectors and matrices:

$$\mathbf{x}_1 = (\mathbf{s}_0 \| \mathbf{e}_{0,1} \| \mathbf{e}_{0,2} \| \mathbf{s}_1 \| \mathbf{e}_{1,1} \| \mathbf{e}_{1,2} \| \ldots \| \mathbf{s}_N \| \mathbf{e}_{N,1} \| \mathbf{e}_{N,2})^T \in [-B,B]^{(n+3m)(N+1)};$$

$$\mathbf{v} = (\mathbf{c}_{\mathbf{m}} \| \mathbf{c}_{s',1} \| \mathbf{c}_{s',2} \| \mathbf{c}_{1,1} \| \mathbf{c}_{1,2} \| \ldots \| \mathbf{c}_{N,1} \| \mathbf{c}_{N,2})^T \in \mathbb{Z}_q^{2n+3m(N+1)};$$

$$\mathbf{M}_1 = \begin{pmatrix} \mathbf{0}^{2n \times (n+3m)(N+1)} \\ \mathbf{Q}_1 & & \\ & \ddots & \\ & & \mathbf{Q}_1 \end{pmatrix}, \quad \text{with } \mathbf{Q}_1 = \begin{pmatrix} \mathbf{B}^T & \mathbf{I}_m & \mathbf{0}^{m \times 2m} \\ \mathbf{G}_1^T & \mathbf{0}^{2m \times m} & \mathbf{I}_{2m} \end{pmatrix} \in \mathbb{Z}_q^{3m \times (n+3m)}$$

(the lower part being block-diagonal with $N+1$ copies of $\mathbf{Q}_1$);

$$\mathbf{M}_2 = \begin{pmatrix} \mathbf{D}_1 \mid \cdots \mid \mathbf{D}_N \\ \mathbf{0}^{3m \times 2mN} \\ \mathbf{Q}_2 & & \\ & \ddots & \\ & & \mathbf{Q}_2 \end{pmatrix}, \quad \text{with } \mathbf{Q}_2 = \begin{pmatrix} \mathbf{0}^{m \times 2m} \\ \lfloor q/2 \rfloor \cdot \mathbf{I}_{2m} \end{pmatrix}; \qquad \mathbf{M}_3 = \begin{pmatrix} \mathbf{D}_0 \\ \mathbf{0}^{m \times 2m} \\ \lfloor q/p \rfloor \cdot \mathbf{I}_{2m} \\ \mathbf{0}^{3mN \times 2m} \end{pmatrix}.$$

We then observe that (14) can be rewritten as:

$$\mathbf{M}_1 \cdot \mathbf{x}_1 + \mathbf{M}_2 \cdot \mathbf{m} + \mathbf{M}_3 \cdot \mathbf{s}' = \mathbf{v} \in \mathbb{Z}_q^{D}, \quad (15)$$

where $D = 2n + 3m(N+1)$. Now we employ the techniques from Sect. 5.2 to convert (15) into the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$. Specifically, if we let:


$$\begin{cases} \mathsf{DecExt}_{(n+3m)(N+1),B}(\mathbf{x}_1) \to \hat{\mathbf{x}}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B};\quad \mathbf{M}'_1 = \mathbf{M}_1 \cdot \mathbf{K}_{(n+3m)(N+1),B} \in \mathbb{Z}_q^{D \times 3(n+3m)(N+1)\delta_B}; \\ \mathsf{DecExt}_{2m,p-1}(\mathbf{s}') \to \hat{\mathbf{s}}' \in \mathsf{B}^3_{2m\delta_{p-1}};\quad \mathbf{M}'_3 = \mathbf{M}_3 \cdot \mathbf{K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}}, \end{cases}$$

$L = 3(n+3m)(N+1)\delta_B + 2mN + 6m\delta_{p-1}$, and $\mathbf{P} = [\mathbf{M}'_1 \mid \mathbf{M}_2 \mid \mathbf{M}'_3] \in \mathbb{Z}_q^{D \times L}$, and $\mathbf{x} = (\hat{\mathbf{x}}_1^T \| \mathbf{m}^T \| \hat{\mathbf{s}}'^T)^T$, then we will obtain the desired equation:

$$\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q.$$

Having performed the above unification, we now define $\mathsf{VALID}$ as the set of all vectors $\mathbf{t} \in \{-1,0,1\}^L$ of the form $\mathbf{t} = (\mathbf{t}_1^T \| \mathbf{t}_2^T \| \mathbf{t}_3^T)^T$, where $\mathbf{t}_1 \in \mathsf{B}^3_{(n+3m)(N+1)\delta_B}$, $\mathbf{t}_2 \in \mathsf{CorEnc}(mN)$, and $\mathbf{t}_3 \in \mathsf{B}^3_{2m\delta_{p-1}}$. Note that $\mathbf{x} \in \mathsf{VALID}$.

Step 2: Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{\Gamma_\pi : \pi \in \mathcal{S}\}$ for which the conditions in (13) hold.

- Define $\mathcal{S} := \mathcal{S}_{3(n+3m)(N+1)\delta_B} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}}$.

- For $\pi = (\pi_1, \mathbf{b}, \pi_3) \in \mathcal{S}$, and for vector $\mathbf{w} = (\mathbf{w}_1^T \| \mathbf{w}_2^T \| \mathbf{w}_3^T)^T \in \mathbb{Z}_q^L$, where $\mathbf{w}_1 \in \mathbb{Z}_q^{3(n+3m)(N+1)\delta_B}$, $\mathbf{w}_2 \in \mathbb{Z}_q^{2mN}$, $\mathbf{w}_3 \in \mathbb{Z}_q^{6m\delta_{p-1}}$, we define:

$$\Gamma_\pi(\mathbf{w}) = (\pi_1(\mathbf{w}_1)^T \| E_{\mathbf{b}}(\mathbf{w}_2)^T \| \pi_3(\mathbf{w}_3)^T)^T.$$

By inspection, it can be seen that the properties in (13) are satisfied, as 
desired. As a result, we can obtain the required argument system by running the 
protocol in Sect. 5.1 with common input (P, v) and prover’s input x. 


5.4 Proving the Possession of a Signature on a Committed Value 


We now describe how to derive the protocol for proving the possession of a 
signature on a committed value, that is used in Sect. 3.3. 

Common Input: Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^{\ell}, \mathbf{D} \in \mathbb{Z}_q^{n \times m}$; $\{\mathbf{D}_k \in \mathbb{Z}_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$; $\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$; vectors $\{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{v,1}, \mathbf{c}_{s,1} \in \mathbb{Z}_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N, \mathbf{c}_{v,2}, \mathbf{c}_{s,2} \in \mathbb{Z}_q^{2m}$; $\mathbf{c}_{\tau,2} \in \mathbb{Z}_q^{\ell}$; $\mathbf{u} \in \mathbb{Z}_q^n$.

Prover's Input: $\mathbf{v} = \begin{pmatrix} \mathbf{v}_1 \\ \mathbf{v}_2 \end{pmatrix}$, where $\mathbf{v}_1, \mathbf{v}_2 \in [-\beta, \beta]^m$ and $\beta = \sigma \cdot \omega(\sqrt{\log m})$, the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1),(p-1)]^{2m}$; $\mathbf{m} = (\mathbf{m}_1^T \| \ldots \| \mathbf{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_k\}_{k=1}^N, \mathbf{s}_v, \mathbf{s}_0, \mathbf{s}_\tau \in [-B,B]^n$; $\{\mathbf{e}_{k,1}\}_{k=1}^N, \mathbf{e}_{v,1}, \mathbf{e}_{0,1}, \mathbf{e}_{\tau,1} \in [-B,B]^m$; $\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2}, \mathbf{e}_{v,2} \in [-B,B]^{2m}$; $\mathbf{e}_{\tau,2} \in [-B,B]^{\ell}$.

Prover's Goal: Convince the verifier in ZK that:

$$\mathbf{A} \cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^{\ell} \mathbf{A}_j \cdot (\tau[j] \cdot \mathbf{v}_2) - \mathbf{D} \cdot \mathsf{bin}\Big(\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k\Big) = \mathbf{u} \bmod q, \quad (16)$$

and that (modulo $q$)

$$\begin{cases} \forall k \in [N]:\ \mathbf{c}_{k,1} = \mathbf{B}^T \cdot \mathbf{s}_k + \mathbf{e}_{k,1};\quad \mathbf{c}_{k,2} = \mathbf{G}_1^T \cdot \mathbf{s}_k + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor \cdot \mathbf{m}_k; \\ \mathbf{c}_{v,1} = \mathbf{B}^T \cdot \mathbf{s}_v + \mathbf{e}_{v,1}; \\ \mathbf{c}_{v,2} = \mathbf{G}_1^T \cdot \mathbf{s}_v + \mathbf{e}_{v,2} + \lfloor q/p \rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_v + \mathbf{e}_{v,2} + \begin{pmatrix} \lfloor q/p \rfloor \cdot \mathbf{I}_m \\ \mathbf{0} \end{pmatrix} \cdot \mathbf{v}_1 + \begin{pmatrix} \mathbf{0} \\ \lfloor q/p \rfloor \cdot \mathbf{I}_m \end{pmatrix} \cdot \mathbf{v}_2; \\ \mathbf{c}_{s,1} = \mathbf{B}^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,1};\quad \mathbf{c}_{s,2} = \mathbf{G}_1^T \cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor \cdot \mathbf{s}; \\ \mathbf{c}_{\tau,1} = \mathbf{B}^T \cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1};\quad \mathbf{c}_{\tau,2} = \mathbf{G}_0^T \cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor \cdot \tau. \end{cases} \quad (17)$$

We proceed in two steps.

Step 1: Transforming the equations in (16) and (17) into a unified one of the form $\mathbf{P} \cdot \mathbf{x} = \mathbf{c} \bmod q$, where $\|\mathbf{x}\|_\infty = 1$ and $\mathbf{x} \in \mathsf{VALID}$, a "specially-designed" set.

Note that, if we let $\mathbf{y} = \mathsf{bin}(\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k) \in \{0,1\}^m$, then we have $\mathbf{H}_{2n \times m} \cdot \mathbf{y} = \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathbf{m}_k \bmod q$, and (16) can be equivalently written as:



Next, we use linear algebra to combine this equation and (17) into (modulo $q$):

$$\mathbf{F} \cdot \mathbf{v}_1 + \mathbf{F}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^{\ell} \mathbf{F}_j \cdot (\tau[j] \cdot \mathbf{v}_2) + \mathbf{M}_1 \cdot \tau + \mathbf{M}_2 \cdot \mathbf{y} + \mathbf{M}_3 \cdot \mathbf{m} + \mathbf{M}_4 \cdot \mathbf{s} + \mathbf{M}_5 \cdot \mathbf{e} = \mathbf{c}, \quad (18)$$

where, for dimensions $D = \ell + 3n + 7m + 3mN$ and $L_0 = D + nN$,

- Matrices $\mathbf{F}, \mathbf{F}_0, \mathbf{F}_1, \ldots, \mathbf{F}_\ell \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_1 \in \mathbb{Z}_q^{D \times \ell}$, $\mathbf{M}_2 \in \mathbb{Z}_q^{D \times m}$, $\mathbf{M}_3 \in \mathbb{Z}_q^{D \times 2mN}$, $\mathbf{M}_4 \in \mathbb{Z}_q^{D \times 2m}$, $\mathbf{M}_5 \in \mathbb{Z}_q^{D \times L_0}$ and vector $\mathbf{c} \in \mathbb{Z}_q^{D}$ are built from the public input.

- Vector $\mathbf{e} = (\mathbf{s}_1^T \| \ldots \| \mathbf{s}_N^T \| \mathbf{s}_v^T \| \mathbf{s}_0^T \| \mathbf{s}_\tau^T \| \mathbf{e}_{1,1}^T \| \ldots \| \mathbf{e}_{N,1}^T \| \mathbf{e}_{v,1}^T \| \mathbf{e}_{0,1}^T \| \mathbf{e}_{\tau,1}^T \| \mathbf{e}_{1,2}^T \| \ldots \| \mathbf{e}_{N,2}^T \| \mathbf{e}_{0,2}^T \| \mathbf{e}_{v,2}^T \| \mathbf{e}_{\tau,2}^T)^T \in [-B,B]^{L_0}$.

Now we further transform (18) using the techniques from Sect. 5.2. Specifically, we form the following:

$$\begin{cases} \mathsf{DecExt}_{m,\beta}(\mathbf{v}_1) \to \hat{\mathbf{v}}_1 \in \mathsf{B}^3_{m\delta_\beta};\quad \mathsf{DecExt}_{m,\beta}(\mathbf{v}_2) \to \hat{\mathbf{v}}_2 \in \mathsf{B}^3_{m\delta_\beta}; \\ \mathbf{F}' = [\mathbf{F} \cdot \mathbf{K}_{m,\beta} \mid \mathbf{F}_0 \cdot \mathbf{K}_{m,\beta} \mid \mathbf{F}_1 \cdot \mathbf{K}_{m,\beta} \mid \ldots \mid \mathbf{F}_\ell \cdot \mathbf{K}_{m,\beta} \mid \mathbf{0}^{D \times 3m\delta_\beta \ell}] \in \mathbb{Z}_q^{D \times 3m\delta_\beta(2\ell+2)}; \\ \mathsf{Ext}_\ell(\tau) \to \hat{\tau} = (\tau[1], \ldots, \tau[2\ell])^T \in \mathsf{B}^2_\ell;\quad \mathbf{M}'_1 = [\mathbf{M}_1 \mid \mathbf{0}^{D \times \ell}] \in \mathbb{Z}_q^{D \times 2\ell}; \\ \mathsf{Ext}_m(\mathbf{y}) \to \hat{\mathbf{y}} \in \mathsf{B}^2_m;\quad \mathbf{M}'_2 = [\mathbf{M}_2 \mid \mathbf{0}^{D \times m}] \in \mathbb{Z}_q^{D \times 2m}; \\ \mathsf{DecExt}_{2m,p-1}(\mathbf{s}) \to \hat{\mathbf{s}} \in \mathsf{B}^3_{2m\delta_{p-1}};\quad \mathbf{M}'_4 = \mathbf{M}_4 \cdot \mathbf{K}_{2m,p-1} \in \mathbb{Z}_q^{D \times 6m\delta_{p-1}}; \\ \mathsf{DecExt}_{L_0,B}(\mathbf{e}) \to \hat{\mathbf{e}} \in \mathsf{B}^3_{L_0\delta_B};\quad \mathbf{M}'_5 = \mathbf{M}_5 \cdot \mathbf{K}_{L_0,B} \in \mathbb{Z}_q^{D \times 3L_0\delta_B}. \end{cases}$$

Now, let $L = 3m\delta_\beta(2\ell+2) + 2\ell + 2m + 2mN + 6m\delta_{p-1} + 3L_0\delta_B$, and construct matrix $\mathbf{P} = [\mathbf{F}' \mid \mathbf{M}'_1 \mid \mathbf{M}'_2 \mid \mathbf{M}_3 \mid \mathbf{M}'_4 \mid \mathbf{M}'_5] \in \mathbb{Z}_q^{D \times L}$ and vector

$$\mathbf{x} = (\hat{\mathbf{v}}_1^T \| \hat{\mathbf{v}}_2^T \| \tau[1] \cdot \hat{\mathbf{v}}_2^T \| \ldots \| \tau[\ell] \cdot \hat{\mathbf{v}}_2^T \| \ldots \| \tau[2\ell] \cdot \hat{\mathbf{v}}_2^T \| \hat{\tau}^T \| \hat{\mathbf{y}}^T \| \mathbf{m}^T \| \hat{\mathbf{s}}^T \| \hat{\mathbf{e}}^T)^T,$$

then we will obtain the equation $\mathbf{P} \cdot \mathbf{x} = \mathbf{c} \bmod q$.

Before going on, we define $\mathsf{VALID}$ as the set of $\mathbf{w} \in \{-1,0,1\}^L$ of the form:

$$\mathbf{w} = (\mathbf{w}_1^T \| \mathbf{w}_2^T \| g_1 \cdot \mathbf{w}_2^T \| \ldots \| g_{2\ell} \cdot \mathbf{w}_2^T \| \mathbf{g}^T \| \mathbf{w}_3^T \| \mathbf{w}_4^T \| \mathbf{w}_5^T \| \mathbf{w}_6^T)^T$$

for some $\mathbf{w}_1, \mathbf{w}_2 \in \mathsf{B}^3_{m\delta_\beta}$, $\mathbf{g} = (g_1, \ldots, g_{2\ell}) \in \mathsf{B}^2_\ell$, $\mathbf{w}_3 \in \mathsf{B}^2_m$, $\mathbf{w}_4 \in \mathsf{CorEnc}(mN)$, $\mathbf{w}_5 \in \mathsf{B}^3_{2m\delta_{p-1}}$ and $\mathbf{w}_6 \in \mathsf{B}^3_{L_0\delta_B}$. It can be checked that the constructed vector $\mathbf{x}$ belongs to this tailored set $\mathsf{VALID}$.
Step 2: Specifying the set $\mathcal{S}$ and permutations of $L$ elements $\{\Gamma_\pi : \pi \in \mathcal{S}\}$ for which the conditions in (13) hold.

- Define $\mathcal{S} := \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{3m\delta_\beta} \times \mathcal{S}_{2\ell} \times \mathcal{S}_{2m} \times \{0,1\}^{mN} \times \mathcal{S}_{6m\delta_{p-1}} \times \mathcal{S}_{3L_0\delta_B}$.

- For $\pi = (\phi, \psi, \gamma, \rho, \mathbf{b}, \eta, \epsilon) \in \mathcal{S}$ and $\mathbf{z} = (\mathbf{z}_0^1 \| \mathbf{z}_0^2 \| \mathbf{z}_1 \| \ldots \| \mathbf{z}_{2\ell} \| \mathbf{g} \| \mathbf{t}_1 \| \mathbf{t}_2 \| \mathbf{t}_3 \| \mathbf{t}_4) \in \mathbb{Z}_q^L$, where $\mathbf{z}_0^1, \mathbf{z}_0^2, \mathbf{z}_1, \ldots, \mathbf{z}_{2\ell} \in \mathbb{Z}_q^{3m\delta_\beta}$, $\mathbf{g} \in \mathbb{Z}_q^{2\ell}$, $\mathbf{t}_1 \in \mathbb{Z}_q^{2m}$, $\mathbf{t}_2 \in \mathbb{Z}_q^{2mN}$, $\mathbf{t}_3 \in \mathbb{Z}_q^{6m\delta_{p-1}}$, and $\mathbf{t}_4 \in \mathbb{Z}_q^{3L_0\delta_B}$, we define:

$$\Gamma_\pi(\mathbf{z}) = \big(\phi(\mathbf{z}_0^1)^T \| \psi(\mathbf{z}_0^2)^T \| \psi(\mathbf{z}_{\gamma(1)})^T \| \ldots \| \psi(\mathbf{z}_{\gamma(2\ell)})^T \| \gamma(\mathbf{g})^T \| \rho(\mathbf{t}_1)^T \| E_{\mathbf{b}}(\mathbf{t}_2)^T \| \eta(\mathbf{t}_3)^T \| \epsilon(\mathbf{t}_4)^T\big)^T$$

as the permutation that transforms $\mathbf{z}$ as follows:

1. It rearranges the order of the $2\ell$ blocks $\mathbf{z}_1, \ldots, \mathbf{z}_{2\ell}$ according to $\gamma$.

2. It then permutes block $\mathbf{z}_0^1$ according to $\phi$, blocks $\mathbf{z}_0^2, \{\mathbf{z}_i\}_{i=1}^{2\ell}$ according to $\psi$, block $\mathbf{g}$ according to $\gamma$, block $\mathbf{t}_1$ according to $\rho$, block $\mathbf{t}_2$ according to $\mathbf{b}$, block $\mathbf{t}_3$ according to $\eta$, and block $\mathbf{t}_4$ according to $\epsilon$.

It can be checked that (13) holds. Therefore, we can obtain a statistical ZKAoK for the given relation by running the protocol in Sect. 5.1.


5.5 The Underlying ZKAoK for the Group Signature Scheme 

The argument system upon which our group signature scheme is built can be summarized as follows.

Common Input: Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^{\ell}, \mathbf{B} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{D}_0, \mathbf{D}_1 \in \mathbb{Z}_q^{2n \times 2m}$, $\mathbf{F} \in \mathbb{Z}_q^{4n \times 4m}$, $\mathbf{H}_{2n \times m} \in \mathbb{Z}_q^{2n \times m}$, $\mathbf{H}_{4n \times 2m} \in \mathbb{Z}_q^{4n \times 2m}$, $\mathbf{G}_0 \in \mathbb{Z}_q^{n \times 2m}$; vectors $\mathbf{u} \in \mathbb{Z}_q^n$, $\mathbf{c}_1 \in \mathbb{Z}_q^m$, $\mathbf{c}_2 \in \mathbb{Z}_q^{2m}$.

Prover's Input: $\mathbf{z} \in [-\beta,\beta]^{4m}$, $\mathbf{y} \in \{0,1\}^{2m}$, $\mathbf{w} \in \{0,1\}^m$, $\mathbf{d}_1, \mathbf{d}_2 \in [-\beta,\beta]^m$, $\mathbf{s} \in [-p,p]^{2m}$, $\mathsf{id} = (\mathsf{id}[1], \ldots, \mathsf{id}[\ell])^T \in \{0,1\}^\ell$, $\mathbf{e}_0 \in [-B,B]^n$, $\mathbf{e}_1 \in [-B,B]^m$, $\mathbf{e}_2 \in [-B,B]^{2m}$.

Prover's Goal: Convince the verifier in ZK that

$$\begin{cases} \mathbf{F} \cdot \mathbf{z} = \mathbf{H}_{4n \times 2m} \cdot \mathbf{y} \bmod q;\quad \mathbf{H}_{2n \times m} \cdot \mathbf{w} = \mathbf{D}_0 \cdot \mathbf{y} + \mathbf{D}_1 \cdot \mathbf{s} \bmod q; \\ \mathbf{A} \cdot \mathbf{d}_1 + \mathbf{A}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^{\ell} \mathbf{A}_j \cdot (\mathsf{id}[j] \cdot \mathbf{d}_2) - \mathbf{D} \cdot \mathbf{w} = \mathbf{u} \bmod q; \\ \mathbf{c}_1 = \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{e}_1 \bmod q;\quad \mathbf{c}_2 = \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{e}_2 + \lfloor q/2 \rfloor \cdot \mathbf{y} \bmod q. \end{cases}$$

Using the same strategy as in Sects. 5.3 and 5.4, we can derive a statistical ZKAoK for the above relation from the protocol in Sect. 5.1. As the transformations are similar to those in Sect. 5.4, we only sketch the main points.

In the first step, we combine the given equations into an equation of the form:

$$\mathbf{M}_0 \cdot \mathbf{d}_2 + \sum_{j=1}^{\ell} \mathbf{M}_j \cdot (\mathsf{id}[j] \cdot \mathbf{d}_2) + \mathbf{M}' \cdot \begin{pmatrix} \mathbf{d}_1 \\ \mathbf{s} \\ \mathbf{z} \end{pmatrix} + \mathbf{M}'' \cdot \begin{pmatrix} \mathbf{w} \\ \mathbf{y} \end{pmatrix} + \mathbf{M} \cdot \begin{pmatrix} \mathbf{e}_0 \\ \mathbf{e}_1 \\ \mathbf{e}_2 \end{pmatrix} = \mathbf{v} \bmod q,$$

where matrices $\mathbf{M}, \mathbf{M}_0, \ldots, \mathbf{M}_\ell, \mathbf{M}', \mathbf{M}''$ and vector $\mathbf{v}$ are built from the input.

We then apply the techniques of Sect. 5.2 for $\mathbf{x}_0 = (\mathbf{d}_1^T \| \mathbf{s}^T \| \mathbf{z}^T)^T \in [-\beta,\beta]^{7m}$, $\mathbf{d}_2 \in [-\beta,\beta]^m$; $\mathbf{x}_1 = (\mathbf{w}^T \| \mathbf{y}^T)^T \in \{0,1\}^{3m}$; and $\mathbf{x}_2 = (\mathbf{e}_0^T \| \mathbf{e}_1^T \| \mathbf{e}_2^T)^T \in [-B,B]^{n+3m}$. This allows us to obtain a unified equation $\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$, and to define the sets $\mathsf{VALID}$, $\mathcal{S}$, and permutations $\{\Gamma_\pi : \pi \in \mathcal{S}\}$ so that the conditions in (13) hold, in a similar manner as in Sect. 5.4.
Abstract. Constructing short signatures with tight security from standard assumptions is a long-standing open problem. We present an adaptively secure, short (and stateless) signature scheme, featuring a constant security loss relative to a conservative hardness assumption, Short Integer Solution (SIS), and the security of a concretely instantiated pseudorandom function (PRF). This gives a class of tightly secure short lattice signature schemes whose security is based on SIS and the underlying assumption of the instantiated PRF.

Our signature construction further extends to give a class of tightly and adaptively secure "compact" Identity-Based Encryption (IBE) schemes, reducible with constant security loss from Regev's vanilla Learning With Errors (LWE) hardness assumption and the security of a concretely instantiated PRF. Our approach is a novel combination of a number of techniques, including the Katz and Wang signature, the Agrawal et al. lattice-based secure IBE, and the Boneh et al. key-homomorphic encryption.

Our results, for the first time, eliminate the dependency between the number of the adversary's queries and the security of short signature/IBE schemes in the context of lattice-based cryptography. They also indicate that tightly secure PRFs (with constant security loss) would imply tightly, adaptively secure short signature and IBE schemes (with constant security loss).


1 Introduction 

Short signatures are useful and desirable for providing data authenticity in low- 
bandwidth and/or high-throughput applications where many signatures have to 
be processed very quickly. Most digital signature schemes are based on compu- 
tationally hard problems on specific algebraic groups, e.g., finite fields, curves, 
and lattices. A signature is “short” if the signature consists in a (small) constant 
number of group elements (e.g., field elements or lattice points). 

Although bare-bones signatures can be obtained from very weak assumptions 
(e.g., collision-resistant hash functions), constructing efficient short signatures 
satisfying standard security requirements (e.g., existential unforgeability under 
adaptively chosen-message attacks), from reasonable assumptions, appears to be a challenging task. Some of the existing short signature schemes use random oracles, e.g., [10,19,36,48,50], or rely on non-standard computational assumptions (strong, interactive assumptions, and/or q-type parametric assumptions), e.g., [16,26,30,33,34], or require signers to maintain state across signatures, e.g., [45].

The first short signature scheme from a reasonable and non-parametric 
assumption without random oracles was proposed by Waters [56]. Hohenberger 
and Waters later proposed a short signature scheme from standard RSA [46]. 
Lattice-based short signatures from the very mild SIS assumption in the stan- 
dard model were proposed in [20,51]. Recently, the “confined guessing” technique 
developed by Bohl et al. [13] has produced short signatures from standard RSA 
and bilinear-group CDH assumptions, and also from the ring-SIS/SIS assump- 
tion in combination with lattice techniques [4,32] with very loose reductions. 

Despite these elegant constructions, signature schemes that are short and 
enjoy tight security reductions to standard assumptions in the standard model 
(without random oracle), remain unknown. Existing tightly secure signature 
schemes either have large signature size, e.g., [1,11,43], or merely have heuristic 
security arguments based on random oracles, e.g., [39,48]. We have not been 
able to ascertain the earliest occurrence of this long-standing folklore problem 
in cryptography, but here [11] is one recent formulation: 

Open Problem #1 — Tightly Secure Short Signatures 

“Construct a tightly secure and short (in the sense that the signature 
contains constant number of group elements or vectors and the security 
loss is a constant) signature scheme from standard assumptions.” — Blazy, 
Kakvi, Kiltz, Pan (2015) 


1.1 Tight Security 

The reductionist approach to cryptographic security algorithms seeks to prove theorems along the lines of: "If a $t$-time adversary attacks the scheme with success probability $\epsilon$, then a $t'$-time algorithm can be constructed to break some computational problem with success probability $\epsilon' = \epsilon/\theta$ and $t' = \kappa \cdot t + o(t)$." The parameters $\theta > 1$ and $\kappa > 1$, or more simply the product $\kappa \cdot \theta$, measure how tightly the security of the cryptographic scheme is related to the hardness of the underlying computational problem. Alternatively, when $\kappa \approx 1$ as is the case in many reductions, $\theta$ measures the security loss of the security reduction of our cryptographic scheme from the underlying assumption. A cryptographic scheme is tightly secure if $\theta$ is a small constant that in particular does not depend on parameters under the adversary's control, such as the adversary's own success probability $\epsilon$, the number of queries it chooses to make, and even the scheme's security parameter. The phrase "almost tight security" from the literature refers to the case where $\theta$ is a polynomial in the security parameter.

Tight reduction is an elegant notion from a theoretical point of view. 
A tight reductionist proof (with respect to a well-defined security model) indi- 
cates that the security of a cryptographic scheme is (extremely) closely related 
to the hardness of the underlying hard problem, which is the optimal case we 
expect from provable security theory. On the other hand, it is also a determinant factor in the practicality of real-world security. Its opposite, loose security, means that in order to realise a desired "real" target security level, one has to increase the "apparent" security level inside the construction to compensate for the loose reduction. This inflates the size of data atoms by some polynomial, which in turn increases the running time of cryptographic operations by another polynomial, combining multiplicatively.


1.2 Identity-Based Encryption with Tight Security 

Digital signatures and identity-based encryption (IBE) are closely connected, 
which suggests that techniques that improve upon the security of signatures 
might also improve upon the security of IBE. In this work, we also investigate the 
problem of constructing tightly secure IBE from standard assumptions (without 
random oracles). 

In an IBE system, any random string that uniquely represents a user’s iden- 
tity, such as email address or driver license number, can act as a public key 
(within a certain domain or realm). Encryption uses this identity, together with 
some common domain-specific public parameters, to encrypt messages. Users 
are issued private decryption keys corresponding to their public identities, by 
a trusted authority (or distributed authorities) called Private Key Generator 
(PKG) which hold(s) (shares of) the master secret key for a domain. Decryp- 
tion succeeds if the identity associated with the ciphertext matches the identity 
associated with the private key, in the same domain. 

The strongest, most natural and most widely accepted notion of security for 
IBE is the adaptive security model or full security model, formally defined in [17]. 
In this model, the adversary is able to announce its target (the challenge identity 
it wants to attack) at any time during the course of its adaptive interaction with 
the system. Without the luxury of random oracles, an easier security model to 
achieve was the selective security model, where the adversary must announce its 
target identity at the onset of its interaction with the system. 

In the last fifteen years, a great many IBE schemes have been proposed, with 
varying efficiency, security models, hardness assumptions, and other features. In 
the standard model (i.e., without random oracles or other idealised oracles), we 
mention several notable IBE schemes which have been constructed from bilinear 
maps in the selective model [14,27] and the adaptive model [12,15,29,35,56,57], 
and from lattices in the adaptive model [2,5,28]. It is fair to say that, by now, 
the art of selectively secure IBE has been well honed. However, adaptively secure 
IBE schemes from standard assumptions with tight security (in the sense that the 
security loss is a small constant) remain unknown. The best known adaptively 
secure IBE schemes in terms of tight reduction are based on linear assumptions 
over pairings and achieve almost tight security (e.g., [6,12,29,44]). Waters [56] 
states this open problem as follows: 
Open Problem #2 — Tight Adaptively Secure IBE

“Construct a tightly, adaptively secure IBE scheme from standard compu- 
tational hardness assumptions without random oracles.” — Waters (2005) 

Furthermore, for all known directly constructed adaptively secure IBE schemes from standard post-quantum assumptions (specifically the LWE assumption), i.e. [2,5,28], the security loss of the reduction depends on the number of the adversary's queries. That is, there is currently no even "almost tightly" secure adaptive IBE scheme based on standard computational problems which are conjectured to be hard under quantum attacks. The following problem is still open.

Open Problem #3 — “Almost” Tight Adaptively Secure, Post- 
Quantum IBE 

“Construct an “almost” tightly, adaptively secure IBE scheme from stan- 
dard post-quantum assumptions without random oracles.” 


1.3 Our Results 

Our work uses pseudorandom functions (PRFs). Recall that a PRF is a (deterministic) function $\mathsf{PRF} : \mathcal{K} \times \mathcal{D} \to \mathcal{R}$ with the following security property. For a random secret key $K$ from $\mathcal{K}$, $\mathsf{PRF}(K, \cdot)$ is computationally indistinguishable from a random function $\mathcal{G} : \mathcal{D} \to \mathcal{R}$, given oracle access to either $\mathsf{PRF}(K, \cdot)$ or $\mathcal{G}(\cdot)$. PRFs can be constructed from general assumptions (e.g., the existence of pseudo-random number generators [40]), number-theoretic assumptions (e.g., the DDH/$k$-LIN assumption [31,47,53]), and the lattice assumption LWE [8,9].

Our contribution is a construction of a class of adaptively secure short signature schemes/IBE schemes in the standard model. The schemes' security is tightly related to SIS/LWE and the security of an instantiated PRF $\mathsf{PRF}$ in the sense that the security loss is a nearly optimal constant factor. More precisely, let $\epsilon$ and $\epsilon'$ be the advantage of an adversary in attacking our signature and IBE schemes respectively, $\epsilon_{\mathsf{SIS}}$ and $\epsilon_{\mathsf{LWE}}$ be the security level of the SIS and LWE assumptions on which our schemes are based, and $\epsilon_{\mathsf{PRF}}$ be the security level of the PRF instantiation $\mathsf{PRF}$. Our constructions provide the following: $\epsilon \approx 2(\epsilon_{\mathsf{SIS}} + \epsilon_{\mathsf{PRF}})$, $\epsilon' \approx 2(\epsilon_{\mathsf{LWE}} + \epsilon_{\mathsf{PRF}})$, and the (polynomial) runtime of the reduction is approximately the same as the attacker's runtime. Depending on the underlying hardness assumption and the reduction of $\mathsf{PRF}$, the underlying assumptions and tightness of our signature/IBE scheme vary.

Our work indicates that tightly secure PRFs, which are based on standard assumptions and computable by polynomial-size Boolean circuits, are sufficient for us to build tightly, adaptively secure lattice signature/IBE schemes. Ideally, it is better if the PRF instantiations assume weak assumptions and have shallow Boolean circuit implementations. In particular, by instantiating the "almost" tightly secure PRFs from [8,9] (which are based on the LWE assumption with super-polynomial modulus), we obtain the first "almost" tightly secure short signature/IBE schemes from LWE with super-polynomial modulus whose security does not depend on the number of adversarial queries.¹ This, for the first time, eliminates the dependency between the number of the adversary's queries and the security of lattice-based short signature/IBE schemes, and allows us to answer Open Problem #3.

While constructing low-depth (e.g. circuits in NC¹), tightly secure PRFs from standard assumptions with constant security loss in the black-box sense² remains an open problem, any progress made in that direction will improve our work toward solving Open Problems #1 and #2 (under the SIS/LWE assumption). For instance, if the DDH/$k$-LIN-based PRFs from [47] achieve security loss $O(\log^2 \lambda)$ for security parameter $\lambda$, we obtain signature/IBE schemes enjoying the same security loss under the combined assumptions.

Table 1 provides a comparison between our signature scheme with an LWE-based PRF instantiation (from [9]) and a representative sample of the prominent lattice-based (quantum-safe) signature schemes from the literature. Note that Katz and Wang did not propose a SIS-based signature scheme in [48]. The scheme we refer to is a straightforward application of the Katz-Wang proof technique to the GPV'08 signature scheme. Table 2 provides a comparison between our signature scheme with the DDH-based PRF instantiation from [47] and representative signature schemes from traditional number-theoretic assumptions, including (strong) RSA, Dlog and linear assumptions over pairings. Our signature scheme loses a factor of $O(\log^2 \lambda)$ in the security proof if the DDH-based PRF instantiation achieves the same security loss. None of those assumptions is conjectured to be quantum-safe. In each case, the two tables refer to conjectured quantum-safe and quantum-unsafe constructions respectively. Table 3 gives a comparison between our IBE scheme (with both the direct LWE-based PRF instantiation from [9] and the DDH-based instantiation from [47]) and a representative selection of existing IBE schemes from the literature.

It should be mentioned that the bit length of the PRF secret key determines the number of public matrices in our constructions. In the SIS-based signature scheme from [20] and the LWE-based IBE schemes from [2,28], the number of public matrices is determined by the bit length of messages and identities respectively. For the provably secure PRFs, the bit length of the secret key is usually significantly larger than the bit length of messages and identities needed in [2,20,28]. So our constructions have a larger concrete size of verification key than the signature scheme in [20] and a larger concrete size of public parameters than the IBE schemes in [2,28].

Efficiency Consideration. Though we focus on tightness of reduction in the context of short signature and IBE, we do not hide the inefficiency of our schemes, particularly in comparison to the adaptively secure lattice-based signature/IBE schemes obtained from the "complexity leveraging" [14] of efficient selectively


¹ The (direct) lattice-based PRFs from [8,9] assume the LWE assumption with super-polynomial modulus, which makes our schemes rely on the LWE assumption for super-polynomial modulus.

² The security reduction does not require a priori information about a given adversary.
Table 1. Comparison between signature schemes from quantum-safe (Ring-)SIS assumption

| Scheme | Signature size | Security loss | Assumption(s) | Standard model? |
|---|---|---|---|---|
| KW'03 [48] | O(1) × Z^m | O(1) | SIS, β = Ω(n^{3/2}) | ROM |
| GPV'08 [36] | O(1) × Z^m | O(q_hash) | SIS, β = Ω(n^{3/2}) | ROM |
| Boyen'10 [20] | O(1) × Z^m | O(λ q_s) | SIS, β = Ω(n^{7/2}) | ✓ |
| Lyu'12 [50] | O(1) × Z^m | O(λ q_s) | SIS, Ω(n^{3/2}) | ROM |
| MP'12 [51] | O(1) × Z^m | O(λ q_s) | SIS, β = Ω(n^{5/2}) | ✓ |
| BHJKSS'13 [13] | O(log λ) × Z^m | O(λ q_s) | SIS, β = Ω(n^{5/2}) | ✓ |
| DM'14 [32] | O(1) × R^{log q} | O(λ q_s) | Ring-SIS, β = Ω(n^{7/2}) | ✓ |
| BKKP'15 [11] | O(λ) × Z^m | O(1) | SIS, β = Ω(n^{3/2}) | ✓ |
| Alperin'15 [4] | O(1) × Z^m | O(λ q_s) | SIS, β = Ω(δ^{2δ} · n^{11/2}) | ✓ |
| Ours | O(1) × Z^m | O(λ) | SIS+LWE*, β = Ω(ℓ^{4c} · n^{7/2}) | ✓ |

λ is the security parameter, n is the lattice hardness parameter, m is the lattice dimension, and β is the SIS parameter. q_hash is the number of random-oracle queries (if applicable). q_s is the number of signing queries. For DM'14, the ring R = Z_q[X]/(f(X)) for some cyclotomic polynomial f of degree n and $q > \beta\sqrt{m}\,\omega(\sqrt{\log n})$. For Alperin'15, δ satisfies $2 q_s^{\delta}/\epsilon < 2^{\lambda^{c'}}$ for attacker's success probability ε and arbitrary constant c' > 1. Our construction here considers the instantiation of the direct LWE-based PRF from [9] which has security loss O(λ) and can be computed by an NC¹ circuit with input length ℓ and depth c·log ℓ for some constant c > 1.

* The security of the direct LWE-based PRF construction from [9] relies on the LWE assumption with super-polynomial modulus. So LWE here refers to the LWE assumption with super-polynomial modulus.


secure lattice-based signature/IBE schemes such as [2]. Although complexity leveraging is not very satisfactory from a theoretical perspective, it indeed often leads to the most practical secure cryptographic schemes. In the context of IBE, we have seen that the adaptively secure IBE scheme leveraged from the selective DBDH-based IBE scheme in [14] has higher real-world efficiency than the adaptively secure Waters IBE scheme [56] (as well as the subsequent adaptive IBE schemes from similar standard pairing assumptions without random oracles) for the same security level. This may seem counter-intuitive, but to design adaptively secure IBE schemes one needs to carefully embed some specially crafted complex structures into the scheme, to provide enough freedom for the security reduction. This makes directly constructed adaptive IBE schemes rather bulky and sometimes requires even stronger assumptions (in the lattice setting). Therefore, our current results are of more theoretical value. On the other hand, directly constructing adaptively secure schemes from standard assumptions usually requires new proof ideas and techniques which advance the state of the art and lead to further applications. Trying to get tighter reductions for the directly constructed adaptively secure schemes should always be welcome as it remains a very promising way of bridging the efficiency gap.
Table 2. Comparison between signature schemes from various quantum-unsafe assumptions

| Scheme | Sig. size | Sec. loss | Assumption(s) | Standard model? |
|---|---|---|---|---|
| GHR'99 [34] | O(1) × Z_N | O(1) | Strong-RSA + D-I Hash | ✓ |
| BLS'01 [19] | O(1) × G | O(λ q_s) | CDH | ROM |
| KW'03 [48] | O(1) × \|𝒟\| | O(1) | CFP | ROM |
| BB'04 [16] | O(1) × G | O(1) | q_s-SDH | ✓ |
| Waters'05 [56] | O(1) × G | O(λ q_s) | CDH | ✓ |
| HW'09 [46] | O(1) × Z_N | O(λ q_s) | RSA | ✓ |
| BHJKSS'13 [13] | O(1) × G | O(λ q_s) | DLog | ✓ |
| BHJKSS'13 [13] | O(1) × Z_N | O(λ q_s) | RSA | ✓ |
| ADKMO'13 [1] | O(λ) × G | O(1) | DLIN | ✓ |
| CW'13 [29] | O(k) × G | O(λ) | k-LIN | ✓ |
| BKP'14 [12] | O(k) × G | O(λ) | k-LIN | ✓ |
| BKKP'15 [11] | O(λ) × G | O(1) | DLog | ✓ |
| BKKP'15 [11] | O(λ) × Z_N | O(1) | RSA, FAC | ✓ |
| Ours | O(1) × Z^m | O(log² λ) | SIS+DDH, β = Ω(ℓ^c · n^{7/2}) | ✓ |

λ is the security parameter, n is the lattice hardness parameter, m is the lattice dimension, q_s the number of signing queries, N is the RSA modulus, β is the SIS parameter, and k is a non-adversary-query-dependent parameter of the LIN assumption. For GHR'99, D-I hash stands for division-intractable hash. For KW'03, |𝒟| is the domain size of the instantiated claw-free permutation, which is abbreviated as CFP. Our construction here considers instantiating the DDH-based PRF from [47] which has security loss O(log² λ) and can be computed by an NC¹ circuit with input length ℓ and depth c·log ℓ for some constant c > 1.


1.4 Overview of Our Approach 

Construction Outline. Our constructions use a PRF $\mathsf{PRF} : \{0,1\}^k \times \{0,1\}^t \to \{0,1\}$ which takes as input a truly random secret key from $\{0,1\}^k$ and a string from $\{0,1\}^t$, and deterministically outputs a bit which is computationally indistinguishable from a random bit. In our signature scheme, $5 + k$ random matrices are chosen from $\mathbb{Z}_q^{n \times m}$, comprising: a "left" matrix $\mathbf{A}$, two "signature subspace selection" matrices $\mathbf{A}_0, \mathbf{A}_1$, $k$ "PRF secret key" matrices $\{\mathbf{B}_i\}_{i \in [k]}$, and two "message representation" matrices $\mathbf{C}_0, \mathbf{C}_1$. The key generation algorithm further expresses $\mathsf{PRF}$ as a NAND Boolean circuit, which serves as a part of the public parameters or perhaps a common reference string. The signing key consists of a "short" basis $\mathbf{T}_{\mathbf{A}}$ of $\mathbf{A}$ and a PRF key $K \in \{0,1\}^k$ for $\mathsf{PRF}$.

The signer takes three steps to generate the signature of message $M = x_1 x_2 \ldots x_t \in \{0,1\}^t$. Firstly, it uses the key-homomorphic evaluation algorithm developed from [18,24,38] to compute the unique matrix $\mathbf{A}_{\mathsf{PRF},M}$ from the circuit


Towards Tightly Secure Lattice Short Signature and Id-Based Encryption 411 

Table 3. Comparison between adaptively secure IBE schemes from various assumptions

| Scheme | Security loss | Assumption | Standard model? | Quantum-safe? |
|---|---|---|---|---|
| BF'01 [17] | O(q_id) | BDH | ROM | ✗ |
| KW'03 [48] | O(1) | BDH | ROM | ✗ |
| BB'04a [14] | O(2^λ) | DBDH, q_id-BDHI | ✓ | ✗ |
| BB'04b [15] | O(λ q_id) | DBDH | ✓ | ✗ |
| Waters'05 [56] | O(λ q_id) | DBDH | ✓ | ✗ |
| Gentry'06 [35] | O(1) | q_id-ABDHE | ✓ | ✗ |
| GPV'08 [36] | O(q_hash) | LWE | ROM | ✓ |
| Waters'09 [57] | O(q_id) | DBDH | ✓ | ✗ |
| ABB'10 [2] | O(λ q_id) | LWE | ✓ | ✓ |
| CHKP'12 [28] | O(λ q_id) | LWE | ✓ | ✓ |
| LW'12 [49] | O(q_id) | DLIN | ✓ | ✗ |
| CW'13 [29] | O(λ) | k-LIN | ✓ | ✗ |
| BKP'14 [12] | O(λ) | k-LIN | ✓ | ✗ |
| Ours | O(λ) | LWE* | ✓ | ✓ |
| Ours | O(log²(λ)) | DDH + LWE† | ✓ | ✗ |

λ is the security level, q_id the number of private key queries and q_hash the number of random-oracle queries (if applicable). * Here we instantiate the PRF by the direct LWE-based PRF construction from [9] which has O(λ) security loss and relies on the LWE assumption with super-polynomial modulus. So the LWE here refers to the LWE assumption with super-polynomial modulus. The schemes ABB'10 and CHKP'12 assume the LWE assumption with polynomial modulus. † Here we instantiate the PRF by the DDH-based PRF construction from [47] which has (black-box) security loss O(log²(λ)).


of $\mathsf{PRF}$ and the $k + t$ matrices $\{\mathbf{B}_i\}_{i \in [k]}, \mathbf{C}_{x_1}, \mathbf{C}_{x_2}, \ldots, \mathbf{C}_{x_t}$.³ Then it computes $b = \mathsf{PRF}(K, M)$ and sets the matrix $\mathbf{F}_{M,1-b} = [\mathbf{A} \mid \mathbf{A}_{1-b} - \mathbf{A}_{\mathsf{PRF},M}] \in \mathbb{Z}_q^{n \times 2m}$. Finally, it applies the trapdoor $\mathbf{T}_{\mathbf{A}}$ to generate the signature: a low-norm non-zero vector $\mathbf{d}_M \in \mathbb{Z}^{2m}$ such that $\mathbf{F}_{M,1-b} \cdot \mathbf{d}_M = \mathbf{0} \pmod q$. The verification algorithm checks whether the signature is a non-zero vector in $\mathbb{Z}^{2m}$ and has low norm, and whether $\mathbf{F}_{M,b} \cdot \mathbf{d}_M = \mathbf{0} \pmod q$ or $\mathbf{F}_{M,1-b} \cdot \mathbf{d}_M = \mathbf{0} \pmod q$. If all these conditions are satisfied, the signature is accepted.

Our IBE scheme works as follows. The public parameters contain matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1, \{\mathbf{B}_i\}_{i \in [k]}, \mathbf{C}_0, \mathbf{C}_1$, a secure PRF $\mathsf{PRF}$ represented as a NAND Boolean circuit, and a random vector $\mathbf{u} \in \mathbb{Z}_q^n$ which is used to hide messages. The trapdoor basis $\mathbf{T}_{\mathbf{A}}$ and a secret PRF key $K \in \{0,1\}^k$ serve as master secret key. In private key generation for identity $\mathsf{id} = x_1 x_2 \ldots x_t \in \{0,1\}^t$, the key-homomorphic evaluation algorithm is invoked to compute the unique matrix $\mathbf{A}_{\mathsf{PRF},\mathsf{id}}$ from the circuit of $\mathsf{PRF}$ and the $k + t$ matrices

³ It can be shown that for different messages $M_0 \neq M_1$, $\mathbf{A}_{\mathsf{PRF},M_0} \neq \mathbf{A}_{\mathsf{PRF},M_1}$ with all but negligible probability. See Sect. 3.3 for details.
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{ B i}%elk\,C Xl ,C X 2 ,...,C Xt . It then sets the “function” matrix to Fjd,i— 6 = 
[A | Ai_^ — ApRF,id] G Z™ x2m for b = PRF(A, M), and uses Ta to sample 
a Gaussian vector djd E Z 2m as private identity key where Fjdp-6 * djd = u 
(mod q). 

To encrypt a message $\mathrm{Msg} \in \{0,1\}$ with an identity id, the encryptor computes $A_{\mathrm{PRF},\mathrm{id}}$ and sets two "function" matrices $F_{\mathrm{id},b} = [A \mid A_b - A_{\mathrm{PRF},\mathrm{id}}]$ and $F_{\mathrm{id},1-b} = [A \mid A_{1-b} - A_{\mathrm{PRF},\mathrm{id}}]$ (the encryptor does not know $b$, so it simply produces one ciphertext for each of $F_{\mathrm{id},0}$ and $F_{\mathrm{id},1}$). It generates two independent GPV-style ciphertexts [36]. The first one uses $F_{\mathrm{id},b}$:

$$c_{b,0} = s_b^T u + \nu_{b,0} + \mathrm{Msg}\cdot\lfloor q/2\rfloor, \qquad c_{b,1} = s_b^T F_{\mathrm{id},b} + \nu_{b,1}$$

and the second is based on $F_{\mathrm{id},1-b}$:

$$c_{1-b,0} = s_{1-b}^T u + \nu_{1-b,0} + \mathrm{Msg}\cdot\lfloor q/2\rfloor, \qquad c_{1-b,1} = s_{1-b}^T F_{\mathrm{id},1-b} + \nu_{1-b,1}$$

for random vectors $s_b, s_{1-b} \leftarrow \mathbb{Z}_q^n$, two small noise scalars $\nu_{b,0}, \nu_{1-b,0}$ and two low-norm noise vectors $\nu_{b,1}, \nu_{1-b,1}$.

The decryption algorithm uses $d_{\mathrm{id}}$ to try both ciphertexts; one of them should work. Here, as a technical caveat, we need some redundant information in the messages in order to check whether a recovered message is well-formed. To this end, one option is to apply the standard way of encrypting multiple bits in GPV-style ciphertexts without affecting the security analysis. That is, instead of using just a vector $u \in \mathbb{Z}_q^n$ in the public key, we use a matrix $U \in \mathbb{Z}_q^{n\times z}$, allowing us to encrypt $z$ bits. A second option, which costs nothing if hybrid encryption is being used, is to use multi-bit GPV-style encryption to encrypt a symmetric session key without redundancy, again using a matrix $U \in \mathbb{Z}_q^{n\times z}$, and rely on downstream symmetric integrity checks or MACs to weed out the incorrect ciphertexts.
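The two-ciphertext decryption and the redundancy check described above, as an added toy example that is not code from the paper. It implements the GPV-style encryption $c_0 = s^T U + \nu_0 + \mathrm{Msg}\cdot\lfloor q/2\rfloor$, $c_1 = s^T F + \nu_1$ under both function matrices, and a decryptor that tries both with the same key and keeps the candidate whose trailing redundancy bits decode to zero. The parameters ($n = 4$, $m = 8$, $q = 4093$, $\{-1,0,1\}$ noise, 8 message bits plus 32 zero redundancy bits) are constructed for illustration only; trapdoor sampling is replaced by choosing the short key $D$ first and setting $U = F_1 D$, which demonstrates correctness but gives no security.

```python
"""Two GPV-style ciphertexts, one identity key, redundancy-based selection (added toy example)."""
import random

# Toy parameters (assumed for illustration only; no security at this size).
N, M, Q = 4, 8, 4093          # F_b is n x 2m, the key D is 2m x z
MSG_BITS, RED_BITS = 8, 32    # trailing RED_BITS bits must decode to 0 for a ciphertext to be accepted
Z = MSG_BITS + RED_BITS
HALF_Q = Q // 2


def vec_mat(v, X, mod):
    """Row vector v (length rows) times matrix X (rows x cols), mod q."""
    return [sum(v[i] * X[i][j] for i in range(len(v))) % mod for j in range(len(X[0]))]


def mat_mat(X, Y, mod):
    return [vec_mat(row, Y, mod) for row in X]


def small(rng):
    """Stand-in for the small LWE noise and for the short key entries."""
    return rng.choice((-1, 0, 1))


def keygen(rng):
    """Public: F_0, F_1 in Z_q^{n x 2m} and U in Z_q^{n x z}; secret: short D in Z^{2m x z} with F_1 D = U mod q.
    F_1 plays the role of F_{id,1-b}, the matrix the PRF bit selects for key generation."""
    F = [[[rng.randrange(Q) for _ in range(2 * M)] for _ in range(N)] for _ in range(2)]
    D = [[small(rng) for _ in range(Z)] for _ in range(2 * M)]
    U = mat_mat(F[1], D, Q)     # in the real scheme D would come from SampleLeft with the trapdoor of A
    return (F, U), D


def encrypt(rng, pub, msg_bits):
    """One GPV-style ciphertext (c_{b,0}, c_{b,1}) per b in {0,1}; both carry the padded message."""
    F, U = pub
    padded = list(msg_bits) + [0] * RED_BITS
    cts = []
    for b in (0, 1):
        s = [rng.randrange(Q) for _ in range(N)]
        c0 = [(su + small(rng) + bit * HALF_Q) % Q for su, bit in zip(vec_mat(s, U, Q), padded)]
        c1 = [(sf + small(rng)) % Q for sf in vec_mat(s, F[b], Q)]
        cts.append((c0, c1))
    return cts


def decode(c0, c1, D):
    """Compute c0 - c1 D mod q and round each coordinate to 0 or 1 (1 iff within q/4 of q/2)."""
    inner = vec_mat(c1, D, Q)
    return [1 if abs((a - v) % Q - HALF_Q) < Q // 4 else 0 for a, v in zip(c0, inner)]


def well_formed(bits):
    """Redundancy check: the trailing RED_BITS positions must all be zero."""
    return all(b == 0 for b in bits[MSG_BITS:])


def decrypt(cts, D):
    """Try both ciphertexts with the same key; return the message of the one passing the check, else None."""
    for c0, c1 in cts:
        bits = decode(c0, c1, D)
        if well_formed(bits):
            return bits[:MSG_BITS]
    return None


def demo(seed=7):
    """Returns (recovered, original, [check result per ciphertext]) for a constructed run."""
    rng = random.Random(seed)
    pub, D = keygen(rng)
    msg = [rng.randrange(2) for _ in range(MSG_BITS)]
    cts = encrypt(rng, pub, msg)
    return decrypt(cts, D), msg, [well_formed(decode(c0, c1, D)) for c0, c1 in cts]


if __name__ == "__main__":
    print(demo())
```

With these sizes the decryption error $\nu_0 - \langle \nu_1, d\rangle$ is at most $17$ in absolute value, far below $q/4$, so the ciphertext under $F_1$ always decodes correctly; the ciphertext under $F_0$ decodes to a pseudorandom string whose 32 redundancy bits are all zero only with probability about $2^{-32}$, which is what the well-formedness check relies on.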

Proof Outline. The security reduction of our signature scheme uses an efficient adversary to solve a SIS problem instance $A \in \mathbb{Z}_q^{n\times m}$: find a short non-zero vector $e \in \mathbb{Z}^m$ such that $Ae = 0 \pmod q$. The reduction embeds a randomly picked secret key $K$ for PRF in the verification key. More specifically, the reduction selects low-norm matrices $R_{A_0}, R_{A_1}, \{R_{B_i}\}_{i\in[k]}, R_{C_0}, R_{C_1}$ from $\{1,-1\}^{m\times m}$ and a PRF secret key $K = s_1 s_2 \ldots s_k \in \{0,1\}^k$, and sets $A_0 = A R_{A_0}$, $A_1 = A R_{A_1} + G$, $\{B_i = A R_{B_i} + s_i G\}_{i\in[k]}$, $C_0 = A R_{C_0}$ and $C_1 = A R_{C_1} + G$. Here, $K$ is completely hidden from the adversary's view. For answering a signing query on message $M$, the reduction computes $A_{\mathrm{PRF},M} = AR + \mathrm{PRF}(K, M)\, G$ for some known low-norm $m\times m$ matrix $R$ that depends on $R_{A_0}, R_{A_1}, \{R_{B_i}\}_{i\in[k]}, R_{C_0}, R_{C_1}$, $K$ and $M$. Let $\mathrm{PRF}(K, M) = b$; the reduction sets $F_{M,1-b} = [A \mid A_{1-b} - A_{\mathrm{PRF},M}] = [A \mid A(R_{A_{1-b}} - R) + (1 - 2b)\, G]$ and uses the public trapdoor of $G$ to compute the signature. Note that the PRF selects between $A_0$ and $A_1$ exactly as in the real scheme. For a valid forgery $(M^*, d_{M^*})$, since $b = \mathrm{PRF}(K, M^*)$ is unpredictable to the adversary, $F_{M^*,b}\cdot d_{M^*} = 0 \pmod q$ happens with essentially probability $1/2$, leading to a valid SIS solution.

The security reduction for our IBE scheme is similar to the reduction for the signature scheme. Basically, the reduction answers key generation queries in the same way as it answers signing queries in the signature scheme reduction. To construct the challenge ciphertext for a challenge identity $\mathrm{id}^*$, the LWE challenge is embedded in the function matrix $F_{\mathrm{id}^*,b} = [A \mid AR]$, for which the simulator cannot produce a private key. The other ciphertext, based on $F_{\mathrm{id}^*,1-b} = [A \mid AR + (1 - 2b)\, G]$, is generated as in the real scheme. With essentially probability one half, the adversary will choose the ciphertext under $F_{\mathrm{id}^*,b}$ to attack, giving out useful information for solving the LWE challenge.

Related Works. In the related and concurrent work by Brakerski and Vaikuntanathan [25], a similar idea of embedding PRFs into encryption schemes has been used to construct the first semi-adaptively secure attribute-based encryption scheme from lattices supporting an a priori unbounded number of attributes. The recent work by Bai et al. [7] addresses the problem of improving the efficiency of lattice-based cryptographic schemes in a different but novel way. Their proposal is to use the Rényi divergence instead of the statistical distance in the context of lattice-based cryptography, which leads to (sometimes simpler) security proofs for more efficient lattice-based schemes.

2 Preliminaries 

Notation. 'PPT' abbreviates "probabilistic polynomial-time". If $S$ is a set, we denote by $a \leftarrow S$ the uniform sampling of a random element of $S$. For a positive integer $n$, we denote by $[n]$ the set of positive integers no greater than $n$. We use bold lowercase letters (e.g. $\mathbf{a}$) to denote vectors and bold capital letters (e.g. $\mathbf{A}$) to denote matrices. For a positive integer $q \ge 2$, let $\mathbb{Z}_q$ be the ring of integers modulo $q$. We denote the group of $n\times m$ matrices over $\mathbb{Z}_q$ by $\mathbb{Z}_q^{n\times m}$. Vectors are treated as column vectors. The transpose of a vector $a$ (resp. a matrix $A$) is denoted by $a^T$ (resp. $A^T$). For $A \in \mathbb{Z}_q^{n\times m}$ and $B \in \mathbb{Z}_q^{n\times m'}$, let $[A \mid B] \in \mathbb{Z}_q^{n\times(m+m')}$ be the concatenation of $A$ and $B$. We denote the Gram-Schmidt ordered orthogonalization of a matrix $A \in \mathbb{Z}^{m\times m}$ by $\tilde{A}$. The inner product of two vectors $x$ and $y$ is written $\langle x, y\rangle$. For a security parameter $\lambda$, a function $\mathrm{negl}(\lambda)$ is negligible in $\lambda$ if it is smaller than all polynomial fractions for sufficiently large $\lambda$.

We recall the following generalisation of the leftover hash lemma.

Lemma 1 ([2], Lemma 4). Suppose that $m > (n+1)\log q + \omega(\log n)$ and that $q > 2$ is prime. Let $R$ be an $m\times k$ matrix chosen uniformly in $\{1,-1\}^{m\times k} \bmod q$, where $k = k(n)$ is polynomial in $n$. Let $A$ and $B$ be matrices chosen uniformly in $\mathbb{Z}_q^{n\times m}$ and $\mathbb{Z}_q^{n\times k}$ respectively. Then, for all vectors $w \in \mathbb{Z}_q^m$, the distribution $(A, AR, R^T w)$ is statistically close to the distribution $(A, B, R^T w)$.
For a vector $u$, we let $\|u\|$ and $\|u\|_\infty$ denote its $\ell_2$ norm and $\ell_\infty$ norm, respectively. For a matrix $R \in \mathbb{Z}^{k\times m}$, we define two matrix norms:

- $\|R\|$ denotes the $\ell_2$ length of the longest column of $R$.

- $\|R\|_2$ is the operator norm of $R$, defined as $\|R\|_2 = \sup_{x \in \mathbb{R}^m,\ \|x\| = 1} \|R\cdot x\|$.

Lemma 2 ([2], Lemma 5). Let $R$ be a matrix chosen at random from $\{1,-1\}^{m\times m}$. Then $\Pr[\|R\|_2 > 12\sqrt{2m}] < e^{-m}$.

2.1 Lattice Background

Lattice Definitions

Definition 1. Let $B = [b_1 \mid \ldots \mid b_m] \in (\mathbb{R}^m)^m$ be a basis of linearly independent vectors. The lattice generated by $B$ is defined as $\Lambda = \{y \in \mathbb{R}^m : \exists\, s_i \in \mathbb{Z},\ y = \sum_{i=1}^m s_i b_i\}$. The dual lattice $\Lambda^*$ of $\Lambda$ is defined as $\Lambda^* = \{z \in \mathbb{R}^m : \forall\, y \in \Lambda,\ \langle z, y\rangle \in \mathbb{Z}\}$.

Definition 2. For $q$ prime, $A \in \mathbb{Z}_q^{n\times m}$ and $u \in \mathbb{Z}_q^n$, we define the $m$-dimensional (full-rank) random integer lattice $\Lambda_q^\perp(A) = \{e \in \mathbb{Z}^m : Ae = 0 \pmod q\}$, and the "$u$-shifted lattice" as the coset $\Lambda_q^u(A) = \{e \in \mathbb{Z}^m : Ae = u \pmod q\}$.


Trapdoors of Lattices and Discrete Gaussians. It is shown in [3,51] how to sample a "nearly" uniform random matrix $A \in \mathbb{Z}_q^{n\times m}$ along with a trapdoor matrix $T_A \in \mathbb{Z}^{m\times m}$ which is a short or low-norm basis of the induced lattice $\Lambda_q^\perp(A)$. We refer to this procedure as TrapGen.

Lemma 3. There is a PPT algorithm TrapGen that takes as input integers $n \ge 1$, $q \ge 2$ and a sufficiently large $m = O(n\log q)$, and outputs a matrix $A \in \mathbb{Z}_q^{n\times m}$ and a trapdoor matrix $T_A \in \mathbb{Z}^{m\times m}$, such that $A\cdot T_A = 0 \pmod q$, the distribution of $A$ is statistically close to the uniform distribution over $\mathbb{Z}_q^{n\times m}$, and $\|\tilde{T}_A\| = O(\sqrt{n\log q})$.

Discrete Gaussians. Let $m \in \mathbb{Z}_{>0}$ be a positive integer and $\Lambda \subset \mathbb{Z}^m$. For any real vector $c \in \mathbb{R}^m$ and positive parameter $\sigma \in \mathbb{R}_{>0}$, let the Gaussian function $\rho_{\sigma,c}(x) = \exp(-\pi\|x - c\|^2/\sigma^2)$ on $\mathbb{R}^m$ with center $c$ and parameter $\sigma$. Define the discrete Gaussian distribution over $\Lambda$ with center $c$ and parameter $\sigma$ as $D_{\Lambda,\sigma,c}(y) = \rho_{\sigma,c}(y)/\rho_{\sigma,c}(\Lambda)$ for all $y \in \Lambda$, where $\rho_{\sigma,c}(\Lambda) = \sum_{x\in\Lambda}\rho_{\sigma,c}(x)$. For notational convenience, $\rho_{\sigma,0}$ and $D_{\Lambda,\sigma,0}$ are abbreviated as $\rho_\sigma$ and $D_{\Lambda,\sigma}$.

The following lemma bounds the length of a discrete Gaussian vector with sufficiently large Gaussian parameter.

Lemma 4 ([52]). For any lattice $\Lambda$ of integer dimension $m$ with basis $T$, any $c \in \mathbb{R}^m$ and Gaussian parameter $\sigma \ge \|\tilde{T}\|\cdot\omega(\sqrt{\log m})$, we have $\Pr[\|x - c\| > \sigma\sqrt{m} : x \leftarrow D_{\Lambda,\sigma,c}] \le \mathrm{negl}(n)$.
Smoothing Parameter. We recall the very important notion of the smoothing parameter of a lattice $\Lambda$. It is the smallest value of $s$ such that the discrete Gaussian $D_{\Lambda,s}$ "behaves" like a continuous Gaussian.

Definition 3 ([52]). For any lattice $\Lambda$ and positive real tolerance $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(\Lambda)$ is the smallest real $s > 0$ such that $\rho_{1/s}(\Lambda^* \setminus \{0\}) \le \epsilon$.

We will make use of the following lemma, which is a special case of Corollary 3.10 from [55].

Lemma 5 (special case of Corollary 3.10 of [55]). Let $r \in \mathbb{Z}^m$ be a vector and $\tau, \alpha > 0$ be reals. Assume that $1/\sqrt{1/\tau^2 + (\|r\|/\alpha)^2} \ge \eta_\epsilon(\mathbb{Z}^m)$ for some $\epsilon < 1/2$. Let $y$ be a vector with distribution $D_{\mathbb{Z}^m,\tau}$ and $e$ be a scalar with distribution $D_{\mathbb{Z},\alpha}$. Then the distribution of $\langle r, y\rangle + e$ is statistically close to $D_{\mathbb{Z},\sqrt{(\tau\|r\|)^2 + \alpha^2}}$.

Lattice Sampling Algorithms. Our constructions make use of the "two-sided trapdoor" framework from [2,20], which consists of two sampling algorithms SampleLeft and SampleRight.

Algorithm SampleLeft$(A, B, T_A, u, s)$ (1)

Inputs: a full-rank matrix $A \in \mathbb{Z}_q^{n\times m}$ and a short basis $T_A$ of $\Lambda_q^\perp(A)$, a matrix $B \in \mathbb{Z}_q^{n\times m_1}$, a vector $u \in \mathbb{Z}_q^n$, and a Gaussian parameter $s$.

Output: Let $F = [A \mid B]$. The algorithm outputs a vector $d \in \mathbb{Z}^{m+m_1}$ in the set $\Lambda_q^u(F)$.

Theorem 1 ([2,28]). Let $q > 2$, $m > n$ and $s > \|\tilde{T}_A\|\cdot\omega(\sqrt{\log(m+m_1)})$. Then the algorithm SampleLeft$(A, B, T_A, u, s)$, taking inputs as in (1), outputs a vector $d \in \mathbb{Z}^{m+m_1}$ distributed statistically close to $D_{\Lambda_q^u(F),s}$.

Algorithm SampleRight$(A, B, R, T_B, u, s)$ (2)

Inputs: matrices $A \in \mathbb{Z}_q^{n\times k}$ and $R \in \mathbb{Z}^{k\times m}$, a full-rank matrix $B \in \mathbb{Z}_q^{n\times m}$, a short basis $T_B$ of $\Lambda_q^\perp(B)$, a vector $u \in \mathbb{Z}_q^n$, and a Gaussian parameter $s$.

Output: Let $F = [A \mid AR + B]$. The algorithm outputs a vector $d \in \mathbb{Z}^{m+k}$ in the set $\Lambda_q^u(F)$.

Theorem 2 ([2], Theorem 19). Let $q > 2$, $m > n$ and $s > \|\tilde{T}_B\|\cdot\|R\|_2\cdot\omega(\sqrt{\log m})$. Then SampleRight$(A, B, R, T_B, u, s)$, taking inputs as in (2), outputs a vector $d \in \mathbb{Z}^{m+k}$ distributed statistically close to $D_{\Lambda_q^u(F),s}$.


Gadget Matrix. The "gadget matrix" $G$ is defined in [51]. We recall the following two facts.

Lemma 6 ([51], Theorem 1). Let $q$ be a prime, and $n, m$ be integers with $m = n\lceil\log q\rceil$. There is a fixed full-rank matrix $G \in \mathbb{Z}_q^{n\times m}$ such that the lattice $\Lambda_q^\perp(G)$ has a publicly known trapdoor matrix $T_G \in \mathbb{Z}^{m\times m}$ with $\|\tilde{T}_G\| \le \sqrt{5}$.


416 X. Boyen and Q. Li 


Lemma 7 ([18], Lemma 2.1). There is a deterministic algorithm, denoted $G^{-1}(\cdot): \mathbb{Z}_q^{n\times m} \to \mathbb{Z}^{m\times m}$, that takes any matrix $A \in \mathbb{Z}_q^{n\times m}$ as input and outputs a preimage $G^{-1}(A)$ of $A$ such that $G\cdot G^{-1}(A) = A \pmod q$ and $\|G^{-1}(A)\| \le m$.


Computational Assumptions. We recall the two most mainstream and conservative average-case computational assumptions for lattice problems.

The learning with errors problem was first proposed by Regev [55]. For a vector $s \in \mathbb{Z}_q^n$ and a noise distribution $\chi$ over $\mathbb{Z}_q$, let $A_{s,\chi}$ be the distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ obtained by taking $a \leftarrow \mathbb{Z}_q^n$ and $x \leftarrow \chi$, and outputting $(a, s^T a + x) \pmod q$. Usually, $\chi$ is a discrete Gaussian $D_{\mathbb{Z},\alpha q}$ for some $\alpha < 1$, reduced modulo $q$. We refer to [55] for further details.

Definition 4. For a security parameter $\lambda$, let a positive integer $n = n(\lambda)$, a prime $q = q(\lambda)$, and a distribution $\chi$ over $\mathbb{Z}_q$. The learning with errors problem $\mathrm{LWE}_{n,q,\chi}$ is to distinguish the oracle $\mathcal{O}_s$, which outputs samples from the distribution $A_{s,\chi}$, from the oracle $\mathcal{O}_\$$, which outputs samples from the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$, for an unspecified polynomial number of queries. We define the advantage (in the security parameter $\lambda$) of an algorithm $\mathcal{A}$ in solving the $\mathrm{LWE}_{n,q,\chi}$ problem as

$$\mathrm{Adv}^{\mathrm{LWE}_{n,q,\chi}}_{\mathcal{A}}(\lambda) = \left|\Pr[\mathcal{A}^{\mathcal{O}_s}(1^\lambda) = 1] - \Pr[\mathcal{A}^{\mathcal{O}_\$}(1^\lambda) = 1]\right|.$$

We say that the $(t, \epsilon_{\mathrm{LWE}})$-$\mathrm{LWE}_{n,q,\chi}$ assumption holds if no $t$-time algorithm $\mathcal{A}$ has advantage at least $\epsilon_{\mathrm{LWE}}$ in solving the $\mathrm{LWE}_{n,q,\chi}$ problem.

For polynomial size $q$ in $\lambda$, there are known quantum [55] and classical [22] reductions from the average-case $\mathrm{LWE}_{n,q,\chi}$ assumption to many standard worst-case lattice problems (e.g., GapSVP).$^4$ Peikert [54] also gave a classical reduction that applies (only) for exponential moduli $q$ in $\lambda$. These reductions further strengthen the appeal of the LWE assumption.

The security of our adaptively secure signature scheme is based on the SIS problem, which can be seen as an average-case approximate shortest vector problem on random integer lattices. In a sense, SIS is the computational counterpart to the decisional LWE.

Definition 5. For a security parameter $\lambda$, let $n = n(\lambda)$, $m = m(\lambda)$, and $\beta = \beta(\lambda)$. Let $q$ be a prime integer. The short integer solution problem $\mathrm{SIS}_{n,q,\beta,m}$ is as follows. Given a uniform random matrix $A \leftarrow \mathbb{Z}_q^{n\times m}$, find a non-zero vector $e \in \mathbb{Z}^m$ such that $Ae = 0 \pmod q$ and $\|e\| \le \beta$. We define the advantage (function of the security parameter $\lambda$) of an algorithm $\mathcal{A}$ in solving the $\mathrm{SIS}_{n,q,\beta,m}$ problem as

$$\mathrm{Adv}^{\mathrm{SIS}_{n,q,\beta,m}}_{\mathcal{A}}(\lambda) = \Pr\left[\ Ae = 0 \pmod q\ \text{ and }\ \|e\| \le \beta\ \text{ and }\ e \neq 0 \;:\; A \leftarrow \mathbb{Z}_q^{n\times m},\ e \leftarrow \mathcal{A}(1^\lambda, A)\ \right].$$

We say the $(t, \epsilon_{\mathrm{SIS}})$-$\mathrm{SIS}_{n,q,\beta,m}$ assumption holds if no $t$-time algorithm $\mathcal{A}$ has advantage at least $\epsilon_{\mathrm{SIS}}$ in solving the $\mathrm{SIS}_{n,q,\beta,m}$ problem.

It has been shown in [52] that solving average-case instances of the $\mathrm{SIS}_{n,q,\beta,m}$ problem for certain parameters is as hard as solving worst-case instances of the approximate Shortest Independent Vector Problem (SIVP).

$^4$ Equivalently, this is to say that many classical worst-case lattice problems reduce to the average-case LWE problem, for suitable parameters.


2.2 Pseudorandom Functions

Definition 6 (Pseudorandom Functions). Let $\lambda > 0$ be the security parameter, and let $k = k(\lambda)$, $t = t(\lambda)$ and $l = l(\lambda)$. A pseudorandom function $\mathrm{PRF}: \{0,1\}^k \times \{0,1\}^t \to \{0,1\}^l$ is an efficiently computable, deterministic two-input function where the first input, denoted by $K$, is the key. Let $\Omega$ be the set of all functions that map $t$-bit strings to $l$-bit strings. We define the advantage (in the security parameter $\lambda$) of an adversary $\mathcal{A}$ in attacking the PRF as

$$\mathrm{Adv}_{\mathrm{PRF},\mathcal{A}}(\lambda) = \left|\Pr[\mathcal{A}^{\mathrm{PRF}(K,\cdot)}(1^\lambda) = 1] - \Pr[\mathcal{A}^{F(\cdot)}(1^\lambda) = 1]\right|$$

where the probability is taken over a uniform choice of the key $K \leftarrow \{0,1\}^k$ and $F \leftarrow \Omega$, and the randomness of $\mathcal{A}$. We say that PRF is $(t_{\mathrm{PRF}}, \epsilon_{\mathrm{PRF}})$-secure if for all $t_{\mathrm{PRF}}$-time adversaries $\mathcal{A}$, $\mathrm{Adv}_{\mathrm{PRF},\mathcal{A}}(\lambda) \le \epsilon_{\mathrm{PRF}}$.


2.3 Key-Homomorphic Evaluation Algorithm

Recall the matrix key-homomorphic evaluation algorithm, developed by Gentry et al. [38], Boneh et al. [18] and Brakerski and Vaikuntanathan [24] in the context of fully homomorphic encryption and attribute-based encryption. It works in general as follows. Given a fan-in-2 Boolean NAND circuit $C: \{0,1\}^\ell \to \{0,1\}$ and $\ell$ different matrices $\{A_i = A R_i + x_i G \in \mathbb{Z}_q^{n\times m}\}_{i\in[\ell]}$ which correspond to the input wires of $C$, where $A \leftarrow \mathbb{Z}_q^{n\times m}$, $R_i \leftarrow \{1,-1\}^{m\times m}$, $x_i \in \{0,1\}$ and $G \in \mathbb{Z}_q^{n\times m}$ is the gadget matrix, the key-homomorphic evaluation algorithm deterministically computes $A_C = A R_C + C(x_1, \ldots, x_\ell)\, G \in \mathbb{Z}_q^{n\times m}$, where $R_C \in \mathbb{Z}^{m\times m}$ has low norm and $C(x_1, \ldots, x_\ell) \in \{0,1\}$ is the output bit of $C$ on the arguments $x_1, \ldots, x_\ell$. This is done, in general, by inductively evaluating each NAND gate. For a NAND gate $g(u, v; w)$ with input wires $u, v$ and output wire $w$, and matrices $A_u = A R_u + x_u G$ and $A_v = A R_v + x_v G$ where $x_u$ and $x_v$ are the input bits on $u$ and $v$ respectively, the evaluation algorithm computes

$$A_w = G - A_u \cdot G^{-1}(A_v) = G - (A R_u + x_u G)\cdot G^{-1}(A R_v + x_v G) = A R_g + (1 - x_u x_v)\, G$$

where $1 - x_u x_v = \mathrm{NAND}(x_u, x_v)$, and $R_g = -R_u\cdot G^{-1}(A_v) - x_u R_v$ has low norm if $R_u, R_v$ have low norm.
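The NAND step above, carried out on toy parameters as an added worked example (this is not code from the paper): it builds the gadget matrix $G$, implements $G^{-1}(\cdot)$ as bit decomposition, and checks for every input pair that $A_w = G - A_u G^{-1}(A_v)$ equals $A R_g + \mathrm{NAND}(x_u, x_v)\, G$ with the low-norm $R_g = -R_u G^{-1}(A_v) - x_u R_v$ tracked by the evaluator. The dimensions $n = 2$, $q = 17$, $m = n\lceil\log_2 q\rceil = 10$ and the $\{1,-1\}$ matrices $R_u, R_v$ are constructed here for illustration and are far too small for any security.

```python
"""Homomorphic NAND over the gadget matrix: A_w = G - A_u * G^{-1}(A_v) (added toy example)."""
import math
import random

# Toy parameters (assumed for illustration only; no security at this size).
N, Q = 2, 17
LOG_Q = math.ceil(math.log2(Q))   # 5 bits per Z_q entry
M = N * LOG_Q                     # m = n * ceil(log q) = 10


def matmul(X, Y, mod=None):
    """Integer matrix product X*Y, optionally reduced mod `mod`."""
    out = [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
           for i in range(len(X))]
    if mod is not None:
        out = [[v % mod for v in row] for row in out]
    return out


def matadd(X, Y, mod=Q):
    """Entrywise sum mod q."""
    return [[(a + b) % mod for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def scale(c, X):
    """Entrywise scalar multiple (no reduction)."""
    return [[c * v for v in row] for row in X]


def gadget():
    """G in Z_q^{n x m}: row i holds 1, 2, 4, ... in block i and zeros elsewhere."""
    G = [[0] * M for _ in range(N)]
    for i in range(N):
        for j in range(LOG_Q):
            G[i][i * LOG_Q + j] = 1 << j
    return G


def g_inverse(X):
    """G^{-1}(X): bit-decompose X in Z_q^{n x w} into a {0,1}^{m x w} matrix with G * G^{-1}(X) = X mod q."""
    w = len(X[0])
    out = [[0] * w for _ in range(M)]
    for i in range(N):
        for j in range(w):
            v = X[i][j] % Q
            for t in range(LOG_Q):
                out[i * LOG_Q + t][j] = (v >> t) & 1
    return out


def encode(A, R, x, G):
    """Wire encoding A_x = A R + x G mod q."""
    return matadd(matmul(A, R, Q), scale(x, G))


def eval_nand(Au, Ru, xu, Av, Rv, xv, G):
    """Homomorphic NAND gate. Returns (A_w, R_g) with A_w = A R_g + NAND(x_u, x_v) G mod q,
    where R_g = -R_u G^{-1}(A_v) - x_u R_v is the low-norm matrix the evaluator can track."""
    Aw = matadd(G, scale(-1, matmul(Au, g_inverse(Av), Q)))
    RuGinv = matmul(Ru, g_inverse(Av))              # integer product; entries bounded by m
    Rg = [[-a - xu * b for a, b in zip(ra, rb)] for ra, rb in zip(RuGinv, Rv)]
    return Aw, Rg


def g_inverse_roundtrip(seed=1):
    """True iff G * G^{-1}(X) == X mod q for a random X (the Lemma 7 identity)."""
    rng = random.Random(seed)
    X = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    return matmul(gadget(), g_inverse(X), Q) == X


def check_nand_identity(seed=0):
    """For all four (x_u, x_v), verify A_w == A R_g + NAND(x_u, x_v) G mod q.
    Returns (all_identities_hold, output_bits, max_abs_entry_of_R_g)."""
    rng = random.Random(seed)
    G = gadget()
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]   # public matrix A
    ok, bits, max_abs = True, [], 0
    for xu in (0, 1):
        for xv in (0, 1):
            Ru = [[rng.choice((-1, 1)) for _ in range(M)] for _ in range(M)]
            Rv = [[rng.choice((-1, 1)) for _ in range(M)] for _ in range(M)]
            Au, Av = encode(A, Ru, xu, G), encode(A, Rv, xv, G)
            Aw, Rg = eval_nand(Au, Ru, xu, Av, Rv, xv, G)
            ok = ok and Aw == encode(A, Rg, 1 - xu * xv, G)
            bits.append(1 - xu * xv)
            max_abs = max(max_abs, max(abs(v) for row in Rg for v in row))
    return ok, bits, max_abs


if __name__ == "__main__":
    print(g_inverse_roundtrip(), check_nand_identity())
```

The entries of $R_g$ stay bounded by $m + 1$ here because $G^{-1}(A_v)$ is a $\{0,1\}$ matrix and $R_u, R_v$ are $\{1,-1\}$ matrices; chaining gates multiplies such factors, which is the norm growth the next paragraphs bound.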

In this paper, we consider evaluating circuits of PRFs. Most of the well-known PRFs from number-theoretic assumptions (e.g. [47,53]) and lattice assumptions (e.g. [8,9]) can be computed by circuits in the class $\mathrm{NC}^1$ (i.e. with polynomial size, logarithmic depth $O(\log\ell)$ in the input length $\ell$, and fan-in 2). For circuits in $\mathrm{NC}^1$, applying the above procedure in a general tree fashion, the norm of $R_C$ in the matrix $A_C$ is roughly bounded by $m^{O(\log\ell)}$, which in turn usually results in a superpolynomial or sub-exponential LWE/SIS modulus $q$ (in the security parameter) in certain applications.

In [24], Brakerski and Vaikuntanathan observed that the norm of the matrix $R_C$ in the above homomorphic evaluation accumulates in an asymmetric way. They exploited this feature to design a special evaluation algorithm that evaluates $\mathrm{NC}^1$ circuits while only moderately increasing the norm of $R_C$. Specifically, the observation is that any circuit of depth $d$ can be simulated by a length-$4^d$, width-5 branching program, through Barrington's theorem. Such a branching program can be computed by multiplying $4^d$ 5-by-5 permutation matrices. It is shown in [24] that homomorphically evaluating the multiplication of permutation matrices using the above homomorphic evaluation procedure and the asymmetric noise-growth feature only increases the noise by a polynomial factor and, therefore, allows us to use an LWE/SIS modulus $q$ that is polynomial in the security parameter. This result has been used to construct an efficient ABE scheme for branching programs (with bounded length) from LWE with polynomial modulus [42]. In our constructions, we use Brakerski and Vaikuntanathan's evaluation algorithm [24] and denote it by $\mathrm{Eval}_{\mathrm{BV}}$.

We recall Barrington's Theorem.

Theorem 3 (Barrington's Theorem). Every Boolean NAND circuit $C$ that acts on $\ell$ inputs and has depth $d$ can be computed by a width-5 permutation branching program $\Pi$ of length $4^d$. Given the description of the circuit $C$, the description of the branching program $\Pi$ can be computed in $\mathrm{poly}(\ell, 4^d)$ time.

The following lemma follows from Claim 3.4.2 and Lemma 3.6 of [24] and Barrington's Theorem.

Lemma 8. Let $C: \{0,1\}^\ell \to \{0,1\}$ be a NAND Boolean circuit. Let $\{A_i = A R_i + x_i G \in \mathbb{Z}_q^{n\times m}\}_{i\in[\ell]}$ be $\ell$ different matrices corresponding to the input wires of $C$, where $A \leftarrow \mathbb{Z}_q^{n\times m}$, $R_i \leftarrow \{1,-1\}^{m\times m}$, $x_i \in \{0,1\}$ and $G \in \mathbb{Z}_q^{n\times m}$ is the gadget matrix. There is an efficient deterministic algorithm $\mathrm{Eval}_{\mathrm{BV}}$ that takes as input $C$ and $A_1, \ldots, A_\ell$ and outputs a matrix $A_C = A R_C + C(x_1, \ldots, x_\ell)\, G = \mathrm{Eval}_{\mathrm{BV}}(C, A_1, \ldots, A_\ell)$, where $R_C \in \mathbb{Z}^{m\times m}$ and $C(x_1, \ldots, x_\ell)$ is the output of $C$ on the arguments $x_1, \ldots, x_\ell$. $\mathrm{Eval}_{\mathrm{BV}}$ runs in time $\mathrm{poly}(4^d, \ell, n, \log q)$.

Let $\|R_{\max}\|_2 = \max\{\|R_i\|_2\}_{i\in[\ell]}$. The norm of $R_C$ in the $A_C$ output by $\mathrm{Eval}_{\mathrm{BV}}$ can be bounded, with overwhelming probability, by

$$\|R_C\|_2 \le O(L\cdot\|R_{\max}\|_2\cdot m) \le O(L\cdot 12\sqrt{2}\cdot\sqrt{m}\cdot m) \le O(4^d\cdot m^{3/2})$$

where $L$ is the length of the width-5 branching program which simulates $C$, and $\|R_i\|_2 \le 12\sqrt{2m}$ for $i \in [\ell]$ with overwhelming probability, by Lemma 2.

In particular, if $C$ has depth $d = c\log\ell$ for some constant $c$, i.e. $C$ is in $\mathrm{NC}^1$, we have $L = 4^d = \ell^{2c}$ and $\|R_C\|_2 \le O(\ell^{2c}\cdot m^{3/2})$.


2.4 Digital Signatures

A digital signature scheme consists of three PPT algorithms: KeyGen, Sign, and Ver. The algorithm KeyGen takes as input a security parameter and generates a public verification key Vk and a private signing key Sk. The signing algorithm Sign takes as input the signing key Sk and a message $M$, and outputs the signature Sig of $M$. The verification algorithm Ver takes as input a signature-message pair $(\mathrm{Sig}, M)$ as well as the verification key Vk. It outputs 1 if Sig is valid, or 0 if Sig is invalid.

We review the standard security notion for digital signature schemes. The existential unforgeability under chosen-message attack (EUF-CMA) of a digital signature scheme $\Pi$ is defined through the following security game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

Setup. $\mathcal{B}$ runs $\mathrm{KeyGen}(1^\lambda) \to (\mathrm{Sk}, \mathrm{Vk})$, and passes Vk to $\mathcal{A}$.

Query. $\mathcal{A}$ adaptively selects messages $M_1, \ldots, M_{q_s}$ and asks $\mathcal{B}$ for the corresponding signatures under Vk. For the query $M_i$, $\mathcal{B}$ responds with a signature $\mathrm{Sig}_i \leftarrow \mathrm{Sign}(\mathrm{Sk}, M_i)$.

Forge. $\mathcal{A}$ outputs a pair $(\mathrm{Sig}^*, M^*)$ and wins if

1. $M^* \notin \{M_1, \ldots, M_{q_s}\}$, and

2. $\mathrm{Ver}(\mathrm{Vk}, \mathrm{Sig}^*, M^*) = 1$.

We refer to such an adversary $\mathcal{A}$ as an EUF-CMA adversary. We define the advantage (in the security parameter $\lambda$) $\mathrm{Adv}_{\Pi,\mathcal{A}}(\lambda)$ of $\mathcal{A}$ in attacking a digital signature scheme $\Pi$ to be the probability that $\mathcal{A}$ wins the above game.

Definition 7. For a security parameter $\lambda$, let $t = t(\lambda)$, $q_s = q_s(\lambda)$ and $\epsilon = \epsilon(\lambda)$. We say that a digital signature scheme $\Pi$ is $(t, q_s, \epsilon)$-EUF-CMA secure if for any $t$-time EUF-CMA adversary $\mathcal{A}$ that makes at most $q_s$ signing queries, we have $\mathrm{Adv}_{\Pi,\mathcal{A}}(\lambda) \le \epsilon$.
2.5 Identity-Based Encryption

An Identity-Based Encryption (IBE) system consists of four PPT algorithms: Setup, KeyGen, Encrypt, and Decrypt. The algorithm Setup takes as input a security parameter and generates public parameters Pub and a master secret key Msk. The algorithm KeyGen uses the master secret key Msk to produce an identity private key $\mathrm{Sk}_{\mathrm{id}}$ corresponding to an identity id. The algorithm Encrypt takes the public parameters Pub to encrypt messages for any given identity id. The algorithm Decrypt decrypts ciphertexts using the identity private key if the identity of the ciphertext matches the identity of the private key.

We review the adaptive (full) security under chosen-plaintext attack (IND-ID-CPA) of an IBE system. The IND-ID-CPA security of IBE is defined through the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$. For a security parameter $\lambda$, let $\mathcal{M}_\lambda$ be the message space and $\mathcal{C}_\lambda$ be the ciphertext space.

Setup. $\mathcal{B}$ runs $\mathrm{Setup}(1^\lambda) \to (\mathrm{Pub}, \mathrm{Msk})$, passes the public parameters Pub to $\mathcal{A}$, and keeps the master secret Msk.

Phase 1. $\mathcal{A}$ adaptively requests keys for any identity id of its choice. $\mathcal{B}$ responds with the corresponding private key $\mathrm{Sk}_{\mathrm{id}}$ by running algorithm KeyGen.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs a challenge identity $\mathrm{id}^*$, which has not been queried during Phase 1, and two equal-length messages $\mathrm{Msg}_0, \mathrm{Msg}_1 \in \mathcal{M}_\lambda$. $\mathcal{B}$ flips a fair coin $\gamma \leftarrow \{0,1\}$ and sets $\mathrm{Ctx}_{\mathrm{id}^*} \leftarrow \mathrm{Encrypt}(\mathrm{Pub}, \mathrm{Msg}_\gamma, \mathrm{id}^*)$. Finally, $\mathcal{B}$ passes $\mathrm{Ctx}_{\mathrm{id}^*}$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ continues to make key queries for any identity $\mathrm{id} \neq \mathrm{id}^*$.

Guess. $\mathcal{A}$ outputs $\gamma' \in \{0,1\}$ and wins if $\gamma' = \gamma$.

We refer to such an adversary $\mathcal{A}$ as an IND-ID-CPA adversary. We define the advantage (in the security parameter $\lambda$) of $\mathcal{A}$ in attacking an IBE scheme $\mathcal{E}$ as $\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(\lambda) = |\Pr[\gamma' = \gamma] - 1/2|$.

Definition 8. For a security parameter $\lambda$, let $t = t(\lambda)$, $q_{\mathrm{id}} = q_{\mathrm{id}}(\lambda)$, and $\epsilon = \epsilon(\lambda)$. We say that an IBE system $\mathcal{E}$ is $(t, q_{\mathrm{id}}, \epsilon)$-IND-ID-CPA secure if for any $t$-time IND-ID-CPA adversary $\mathcal{A}$ that makes at most $q_{\mathrm{id}}$ private key queries, we have $\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(\lambda) \le \epsilon$.

3 Signature Scheme with Tight Security

3.1 Constructions

KeyGen$(1^\lambda)$. The key generation algorithm does the following.

1. Sample a matrix $A$ along with a trapdoor basis $T_A$ of the lattice $\Lambda_q^\perp(A)$ by TrapGen.

2. Select matrices $A_0, A_1$, "PRF key" matrices $B_1, \ldots, B_k$, and "PRF input" matrices $C_0, C_1$ from $\mathbb{Z}_q^{n\times m}$ uniformly at random.

3. Select a secure pseudorandom function $\mathrm{PRF}: \{0,1\}^k \times \{0,1\}^t \to \{0,1\}$, express it as a NAND Boolean circuit $C_{\mathrm{PRF}}$ with depth $d = d(\lambda)$, and select a PRF key $K = s_1 s_2 \ldots s_k \leftarrow \{0,1\}^k$.

4. Select a Gaussian parameter $s > 0$.

5. Output the verification key and signing key as:

$$\mathrm{Vk} = (A, \{A_0, A_1\}, \{B_i\}_{i\in[k]}, \{C_0, C_1\}, s, \mathrm{PRF}, C_{\mathrm{PRF}}), \qquad \mathrm{Sk} = (T_A, K)$$

Sign(Vk, Sk, $M$). The signing algorithm takes as input the public verification key Vk, the signing key Sk and a message $M = m_1 m_2 \ldots m_t \in \{0,1\}^t$. It does:

1. Compute $A_{C_{\mathrm{PRF}},M} = \mathrm{Eval}_{\mathrm{BV}}(C_{\mathrm{PRF}}, \{B_i\}_{i\in[k]}, C_{m_1}, C_{m_2}, \ldots, C_{m_t}) \in \mathbb{Z}_q^{n\times m}$.$^5$

2. Compute the bit value $b = \mathrm{PRF}(K, M)$ and set $F_{M,1-b} = [A \mid A_{1-b} - A_{C_{\mathrm{PRF}},M}]$.

3. Run SampleLeft to sample $d_M \in \mathbb{Z}^{2m}$ with distribution $D_{\Lambda_q^\perp(F_{M,1-b}),s}$.

4. Output the signature $\mathrm{Sig} = d_M$.

Ver(Vk, $M$, Sig). The verification algorithm takes as input the verification key Vk, the message $M$ and the signature Sig of $M$, and verifies as follows:

1. Let $\mathrm{Sig} = d$. Check that $d \in \mathbb{Z}^{2m}$, $d \neq 0$, and $\|d\| \le s\sqrt{2m}$.

2. Compute $A_{C_{\mathrm{PRF}},M} = \mathrm{Eval}_{\mathrm{BV}}(C_{\mathrm{PRF}}, \{B_i\}_{i\in[k]}, C_{m_1}, C_{m_2}, \ldots, C_{m_t}) \in \mathbb{Z}_q^{n\times m}$. Check that $F_{M,b}\, d = [A \mid A_b - A_{C_{\mathrm{PRF}},M}]\, d = 0 \pmod q$ for $b = 0$ or $b = 1$.

3. If all the above checks pass, accept the signature; otherwise, reject.

3.2 Parameters Selection and Discussion

Let $\lambda$ be the security parameter. We set $n = n(\lambda)$, let the message length be $t = t(\lambda)$ and the secret key length of PRF be $k = k(\lambda)$. For the most general case, let the circuit depth of $C_{\mathrm{PRF}}$ be $d = d(\lambda)$. To ensure we can run TrapGen as in Lemma 3, we set $m = n^{1+\eta}$ for some $\eta$ (we assume $n^\eta > O(\log q)$). To run SampleLeft and SampleRight in the real scheme and in the simulation per Theorem 2, we set $s$ sufficiently large such that $s > \|\tilde{T}_G\|\cdot\|R\|_2\cdot\omega(\sqrt{\log m})$ for $R = R_{A_b} - R_{C_{\mathrm{PRF}},M}$ (see the security proof below). By Lemma 8 we set $s = O(4^d\cdot m^{3/2})\cdot\omega(\sqrt{\log m})$. For the SIS parameter $\beta$, we need $\beta > O(4^d\cdot m^{3/2}\cdot s\sqrt{2m})$. So we set $\beta = O(16^d\cdot m^{7/2})\cdot\omega(\sqrt{\log m})$. To ensure the applicability of the average-case to worst-case reduction for SIS, we need $q > \beta\cdot\omega(\sqrt{n\log n})$. So we set $q = O(16^d\cdot m^4)\cdot(\omega(\sqrt{\log m}))^2$.

In particular, if we choose PRF from the well-known efficient and provably secure PRF candidates like the ones from [8,9,31,47,53], which can be computed by $\mathrm{NC}^1$ circuits, and let $\ell = t$ be the input length of PRF (which is a polynomial in the security parameter), the circuit depth of $C_{\mathrm{PRF}}$ will be $d = c\log\ell$ for some constant $c$. In this case we can set $\beta = O(\ell^{4c}\cdot m^{7/2})\cdot\omega(\sqrt{\log m})$ and $q = O(\ell^{4c}\cdot m^4)\cdot(\omega(\sqrt{\log m}))^2$, which are polynomial in the security parameter.

It should be mentioned that if we instantiate PRF by the (direct) LWE-based PRF from [9], or by the LWE-based PRF from [8], whose security relies on the LWE assumption with super-polynomial modulus, then the security of our signature scheme has to rely on the LWE assumption with super-polynomial modulus. Such an LWE assumption is stronger than the SIS assumption with polynomial modulus (as set above), from which we prove the following theorem.

$^5$ It turns out that if PRF is secure, the SIS problem can be tightly reduced to the problem of finding $M \neq M'$ such that $A_{C_{\mathrm{PRF}},M} = A_{C_{\mathrm{PRF}},M'}$. We prove this in Sect. 3.3.




3.3 Security of the Signature Scheme

The security of our signature scheme is stated by the following theorem.

Theorem 4. Let $\lambda$ be a security parameter and let the parameters $n$, $m$, and $q$ be chosen as in Sect. 3.2. If the $(t_{\mathrm{SIS}}, \epsilon_{\mathrm{SIS}})$-$\mathrm{SIS}_{n,q,\beta,m}$ assumption holds and the PRF used in the signature scheme is $(t_{\mathrm{PRF}}, \epsilon_{\mathrm{PRF}})$-secure, then the signature scheme is $(t, q_s, \epsilon)$-EUF-CMA secure, where $\epsilon_{\mathrm{SIS}} \ge \epsilon/2 - \epsilon_{\mathrm{PRF}} - \mathrm{negl}(\lambda)$ for some negligible statistical error $\mathrm{negl}(\lambda)$, and $\max(t_{\mathrm{PRF}}, t_{\mathrm{SIS}}) \le t + O(q_s\cdot(T_S + T_E))$, where $q_s$ is the number of signing queries, $T_S$ is the maximum running time of SampleRight, and $T_E$ is the maximum running time of $\mathrm{Eval}_{\mathrm{BV}}$ for one input message.

Proof. Consider the following security game between an adversary $\mathcal{A}$ and a simulator $\mathcal{B}$. Upon receiving a $\mathrm{SIS}_{n,q,\beta,m}$ challenge $A \in \mathbb{Z}_q^{n\times m}$, the simulator $\mathcal{B}$ prepares Vk as follows:

1. Select $k+4$ matrices $R_{A_0}, R_{A_1}, \{R_{B_i}\}_{i\in[k]}, R_{C_0}, R_{C_1} \leftarrow \{1,-1\}^{m\times m}$.

2. Select a secure pseudorandom function $\mathrm{PRF}: \{0,1\}^k \times \{0,1\}^t \to \{0,1\}$ and express it as a NAND Boolean circuit $C_{\mathrm{PRF}}$ with depth $d$.

3. Select a PRF key $K = s_1 s_2 \ldots s_k \leftarrow \{0,1\}^k$.

4. Set $A_b = A R_{A_b} + bG$ and $C_b = A R_{C_b} + bG$ for $b = 0, 1$.

5. Set $B_i = A R_{B_i} + s_i G$ for $i \in [k]$.

6. Select a Gaussian parameter $s > 0$.

7. Publish $\mathrm{Vk} = (A, \{A_0, A_1\}, \{B_i\}_{i\in[k]}, \{C_0, C_1\}, s, \mathrm{PRF}, C_{\mathrm{PRF}})$.

In the query phase, the adversary $\mathcal{A}$ adaptively issues messages for which it requests the corresponding signatures. Consider a message $M = m_1 m_2 \ldots m_t \in \{0,1\}^t$. $\mathcal{B}$ does the following to prepare the signature:

1. Compute $A_{C_{\mathrm{PRF}},M} = A R_{C_{\mathrm{PRF}},M} + \mathrm{PRF}(K, M)\, G \in \mathbb{Z}_q^{n\times m}$ by $\mathrm{Eval}_{\mathrm{BV}}(C_{\mathrm{PRF}}, \{B_i\}_{i\in[k]}, C_{m_1}, C_{m_2}, \ldots, C_{m_t})$.

2. Let $b = \mathrm{PRF}(K, M)$. It sets

$$F_{M,1-b} = [A \mid A_{1-b} - A_{C_{\mathrm{PRF}},M}] = [A \mid A(R_{A_{1-b}} - R_{C_{\mathrm{PRF}},M}) + (1 - 2b)\, G]$$

and runs SampleRight (with the public trapdoor $T_G$ of $G$) to generate the signature $\mathrm{Sig} = d_M \sim D_{\Lambda_q^\perp(F_{M,1-b}),s}$.

Finally, $\mathcal{A}$ outputs a forgery $(d^*, M^*)$. Let $\mathrm{PRF}(K, M^*) = b$. If $\|d^*\| > s\sqrt{2m}$ or $[A \mid A_{1-b} - A_{C_{\mathrm{PRF}},M^*}]\, d^* = 0 \pmod q$, $\mathcal{B}$ aborts. Otherwise, since the forgery is valid, we have $[A \mid A_b - A_{C_{\mathrm{PRF}},M^*}]\, d^* = 0 \pmod q$. Let $d^* = [d_1^T \mid d_2^T]^T \in \mathbb{Z}^{2m}$. $\mathcal{B}$ outputs $e = d_1 + (R_{A_b} - R_{C_{\mathrm{PRF}},M^*})\, d_2$, where $\|e\| \le \beta$, as a solution to the $\mathrm{SIS}_{n,q,\beta,m}$ problem instance.

We show that Vk output by $\mathcal{B}$ has the correct distribution. In the real scheme, the matrix $A$ is generated by TrapGen. In the simulation, $A$ is uniformly distributed in $\mathbb{Z}_q^{n\times m}$ as it comes from the SIS challenge. By Lemma 3, $A$ generated in the simulation has the right distribution up to a negligibly small statistical error. Secondly, the matrices $\{A_0, A_1\}$, $\{B_i\}_{i\in[k]}$, and $\{C_0, C_1\}$ computed in the simulation have distributions that are statistically close to the uniform distribution in $\mathbb{Z}_q^{n\times m}$ by Lemma 1. In particular, the PRF secret key is information-theoretically concealed by $\{B_i\}_{i\in[k]}$.

Now we show that given $\{A_0, A_1\}$, $\{B_i\}_{i\in[k]}$, and $\{C_0, C_1\}$, it is hard to find two messages $M \neq M'$ such that $A_{C_{\mathrm{PRF}},M} = A_{C_{\mathrm{PRF}},M'}$. Assume an efficient adversary finds $M \neq M'$ such that $A_{C_{\mathrm{PRF}},M} = A_{C_{\mathrm{PRF}},M'}$. With the public parameters set up above, we have

$$A R_{C_{\mathrm{PRF}},M} + \mathrm{PRF}(K, M)\, G = A R_{C_{\mathrm{PRF}},M'} + \mathrm{PRF}(K, M')\, G.$$

If $\mathrm{PRF}(K, M) \neq \mathrm{PRF}(K, M')$, which happens with probability essentially $1/2$ if PRF is secure, we have $R_{C_{\mathrm{PRF}},M} \neq R_{C_{\mathrm{PRF}},M'}$ and $A(R_{C_{\mathrm{PRF}},M} - R_{C_{\mathrm{PRF}},M'}) \pm G = 0 \pmod q$. By Lemma 6 and SampleLeft (Algorithm (1)) run with $T_G$, a low-norm vector $d \in \mathbb{Z}^m$ can be efficiently found such that $Gd = 0 \pmod q$, $d \neq 0$ and $\|d\| \le s'\sqrt{m}$ for some Gaussian parameter $s' > \sqrt{5}\cdot\omega(\sqrt{\log m})$. Then $(R_{C_{\mathrm{PRF}},M} - R_{C_{\mathrm{PRF}},M'})\, d$ is a short non-zero vector with all but negligible probability, and $A(R_{C_{\mathrm{PRF}},M} - R_{C_{\mathrm{PRF}},M'})\, d = \mp Gd = 0 \pmod q$, so it is a valid SIS solution for $A$.

In the query phase, the signatures returned to $\mathcal{A}$ have the correct distribution under the stated conditions. Indeed, by Theorem 2, for a sufficiently large Gaussian parameter $s$, the distribution of signatures generated in the simulation by SampleRight is statistically close to $D_{\Lambda_q^\perp(F_{M,1-b}),s}$, while the distribution of signatures generated in the real scheme by SampleLeft is also statistically close to $D_{\Lambda_q^\perp(F_{M,1-b}),s}$.

In the forge phase, $\mathcal{A}$ has advantage at most $\epsilon_{\mathrm{PRF}}$ in predicting the bit value $b$ for the message on which it wants to forge. Therefore, if $\mathcal{A}$ cannot distinguish PRF from a random function, it picks either of the matrices $A_0$ or $A_1$ at random to make its forgery. With probability $1/2$ it picks the one that $\mathcal{B}$ can use to solve the SIS problem. So we have $\epsilon_{\mathrm{SIS}} \ge \epsilon/2 - \epsilon_{\mathrm{PRF}} - \mathrm{negl}(\lambda)$, where $\mathrm{negl}(\lambda)$ stands for the negligible statistical error in the simulation.

To argue that $e = d_1 + (R_{A_b} - R_{C_{\mathrm{PRF}},M^*})\, d_2$ is a valid solution of the $\mathrm{SIS}_{n,q,\beta,m}$ problem instance, we need to show that $e$ is sufficiently short, and non-zero except with negligible probability. First of all, we have

$$[A \mid A_b - A_{C_{\mathrm{PRF}},M^*}]\, d^* = [A \mid A(R_{A_b} - R_{C_{\mathrm{PRF}},M^*})]\, d^* = A d_1 + A(R_{A_b} - R_{C_{\mathrm{PRF}},M^*})\, d_2 = A(d_1 + R\cdot d_2) = 0 \pmod q$$

where $R = R_{A_b} - R_{C_{\mathrm{PRF}},M^*}$. Since Ver accepts $d^*$ only if $\|d^*\| \le s\sqrt{2m}$, we have $\|d_1\|, \|d_2\| \le s\sqrt{2m}$. By Lemma 2 and Lemma 8, $\|R\|_2 \le \|R_{A_b}\|_2 + \|R_{C_{\mathrm{PRF}},M^*}\|_2 \le O(4^d\cdot m^{3/2})$, hence $\|e\| \le \|d_1\| + \|R\|_2\cdot\|d_2\| \le O(4^d\cdot m^{3/2})\cdot s\sqrt{2m}$. So $\beta \ge O(4^d\cdot m^{3/2})\cdot s\sqrt{2m}$ is sufficient, which is how $\beta$ was chosen in Sect. 3.2.

It remains to show that $e = d_1 + R\cdot d_2 \neq 0$. If $d_2 = 0$, then $e = d_1 \neq 0$ since $d^* \neq 0$. Otherwise $d_2 = (\delta_1, \ldots, \delta_m)^T \neq 0$ and at least one coordinate of $d_2$, say $\delta_j$, is not $0$. Writing $R = (r_1, \ldots, r_m)$, we have

$$e = d_1 + \sum_{i=1}^m \delta_i r_i = \Big(d_1 + \sum_{i\neq j}\delta_i r_i\Big) + \delta_j r_j.$$

Observe that for the fixed message $M^*$ on which $\mathcal{A}$ made the forgery, $R$ (and therefore $r_j$) depends on the low-norm matrices $R_{A_0}, R_{A_1}, \{R_{B_i}\}_{i\in[k]}, R_{C_0}, R_{C_1}$ and the secret key of PRF. The only information about $r_j$ available to $\mathcal{A}$ is from the public matrices in Vk, i.e. $\{A_0, A_1\}$, $\{B_i\}_{i\in[k]}$, $\{C_0, C_1\}$. So by the pigeonhole principle there is an (exponentially) large freedom to pick a value for $r_j$ compatible with $\mathcal{A}$'s view, i.e. $A r'_j = A r''_j \pmod q$ for admissible (low-norm) $r'_j \neq r''_j$; the equation $\delta_j r_j = -(d_1 + \sum_{i\neq j}\delta_i r_i)$ therefore holds only with negligible probability over the choice of $r_j$, and $e \neq 0$ with overwhelming probability. (In fact, here we have more freedom than in the case of [20] where $R$ is picked from $\{1,-1\}^{m\times m}$.)

Finally, to answer one signing query, $\mathcal{B}$'s running time is bounded by $O(T_S + T_E)$. So the total running time of $\mathcal{B}$ in the simulation is bounded by $O(q_s(T_S + T_E))$. This concludes the proof. □

4 IBE Scheme with Tight Security

4.1 Construction with CPA Security

Setup($1^\lambda$). The setup algorithm takes as input a security parameter $\lambda$ and does:

1. Sample a random matrix $A \in \mathbb{Z}_q^{n\times m}$ along with a trapdoor basis $T_A \in \mathbb{Z}^{m\times m}$ of the lattice $\Lambda^\perp(A)$ by running TrapGen.

2. Select matrices $A_0, A_1$, "PRF key" matrices $B_1, \ldots, B_k$, and "PRF input" matrices $C_0, C_1$, all uniformly at random from $\mathbb{Z}_q^{n\times m}$.

3. Select a random vector $u \leftarrow \mathbb{Z}_q^n$.

4. Select a secure pseudorandom function $\mathsf{PRF}: \{0,1\}^k \times \{0,1\}^t \to \{0,1\}$, express it as a NAND Boolean circuit $C_{\mathsf{PRF}}$ with depth $d = d(\lambda)$, and select a PRF key $K = s_1 s_2 \ldots s_k \leftarrow \{0,1\}^k$.

5. Output the public parameters

$\mathsf{Pub} = (A, \{A_0, A_1\}, \{B_i\}_{i\in[k]}, \{C_0, C_1\}, u, \mathsf{PRF}, C_{\mathsf{PRF}})$

and the master secret key $\mathsf{Msk} = (T_A, K)$.

KeyGen(Pub, Msk, id). Upon an input identity $\mathsf{id} = x_1 x_2 \ldots x_t \in \{0,1\}^t$, the key generation algorithm does the following:

1. Compute $b = \mathsf{PRF}(K, \mathsf{id})$.

2. Compute $A_{C_{\mathsf{PRF}},\mathsf{id}} = \mathsf{Eval}_{\mathsf{BV}}(C_{\mathsf{PRF}}, \{B_i\}_{i\in[k]}, C_{x_1}, C_{x_2}, \ldots, C_{x_t}) \in \mathbb{Z}_q^{n\times m}$.

3. Set $F_{\mathsf{id},1-b} = [A \mid A_{1-b} - A_{C_{\mathsf{PRF}},\mathsf{id}}] \in \mathbb{Z}_q^{n\times 2m}$.

4. Run SampleLeft to sample $d_{\mathsf{id}}$ from the discrete Gaussian distribution $D_{\Lambda_u^\perp(F_{\mathsf{id},1-b}),s}$, hence $F_{\mathsf{id},1-b}\, d_{\mathsf{id}} = u \pmod q$. Output $\mathsf{Sk}_{\mathsf{id}} = d_{\mathsf{id}}$.

Encrypt(Pub, id, Msg). To encrypt a message $\mathsf{Msg} \in \{0,1\}$ with respect to an identity $\mathsf{id} = x_1 x_2 \ldots x_t \in \{0,1\}^t$:

1. Compute $A_{C_{\mathsf{PRF}},\mathsf{id}} = \mathsf{Eval}_{\mathsf{BV}}(C_{\mathsf{PRF}}, \{B_i\}_{i\in[k]}, C_{x_1}, C_{x_2}, \ldots, C_{x_t})$.

2. Set $F_{\mathsf{id},b} = [A \mid A_b - A_{C_{\mathsf{PRF}},\mathsf{id}}] \in \mathbb{Z}_q^{n\times 2m}$ for $b = 0, 1$.

3. Select two random vectors $s_0, s_1 \leftarrow \mathbb{Z}_q^n$.

4. Select two noise scalars $\nu_{0,0}, \nu_{1,0} \leftarrow D_{\mathbb{Z},\alpha_{\mathsf{LWE}}}$ and four noise vectors $\nu_{0,1}, \nu_{1,1} \leftarrow D_{\mathbb{Z}^m,\alpha_{\mathsf{LWE}}}$, $\hat{\nu}_{0,1}, \hat{\nu}_{1,1} \leftarrow D_{\mathbb{Z}^m,\alpha}$, where $\alpha$ is sufficiently larger than $\alpha_{\mathsf{LWE}}$.$^6$

$^6$ For instance we set $\alpha = O(4^d \cdot m^{3/2}) \cdot \omega(\sqrt{\log m}) \cdot \alpha_{\mathsf{LWE}}$.

5. Compute the ciphertext $\mathsf{Ctx}_{\mathsf{id}} = (c_{0,0}, c_{0,1}, c_{1,0}, c_{1,1})$ as:

$c_{0,0} = (s_0^T u + \nu_{0,0} + \mathsf{Msg}\lfloor q/2\rfloor) \bmod q$
$c_{0,1} = (s_0^T F_{\mathsf{id},0} + [\nu_{0,1}^T \mid \hat{\nu}_{0,1}^T]) \bmod q$
$c_{1,0} = (s_1^T u + \nu_{1,0} + \mathsf{Msg}\lfloor q/2\rfloor) \bmod q$
$c_{1,1} = (s_1^T F_{\mathsf{id},1} + [\nu_{1,1}^T \mid \hat{\nu}_{1,1}^T]) \bmod q$

Decrypt(Pub, Sk_id, Ctx_id). The decryption algorithm uses the key $d_{\mathsf{id}}$ to try to decrypt both $(c_{0,0}, c_{0,1})$ and $(c_{1,0}, c_{1,1})$.$^7$ W.l.o.g., assume that $(c_{b,0}, c_{b,1})$ is the correct ciphertext. The decryption algorithm computes

$r = (c_{b,0} - c_{b,1}\, d_{\mathsf{id}}) \bmod q$

View $r$ as an integer in $(-q/2, q/2]$. If $r$ is closer to 0 than to $\pm q/2$, the output is $\mathsf{Msg} = 0$. Otherwise, it is $\mathsf{Msg} = 1$.

4.2 Correctness

Following the decryption algorithm, let $d_{\mathsf{id}} = [d_1^T \mid d_2^T]^T$. We have

$r = (c_{b,0} - c_{b,1}\, d_{\mathsf{id}}) \bmod q$
$= (\mathsf{Msg}\lfloor q/2\rfloor + \nu_{b,0} - \nu_{b,1}^T d_1 - \hat{\nu}_{b,1}^T d_2) \bmod q$

Recall that the norms of $d_1$ and $d_2$ are bounded by $s\sqrt{m}$, and the norms of $\nu_{b,1}$ and $\hat{\nu}_{b,1}$ are bounded by $\alpha_{\mathsf{LWE}}\sqrt{m}$ and $\alpha\sqrt{m}$ respectively, by Lemma 4. To ensure correctness of decryption, we need

$|\nu_{b,0} - \nu_{b,1}^T d_1 - \hat{\nu}_{b,1}^T d_2|$
$\le |\nu_{b,0}| + \|\nu_{b,1}\| \cdot \|d_1\| + \|\hat{\nu}_{b,1}\| \cdot \|d_2\|$
$\le O(s \cdot m \cdot (\alpha_{\mathsf{LWE}} + \alpha))$
$< q/4$

Accordingly, it is enough to set $q$ such that $O(s \cdot m \cdot (\alpha_{\mathsf{LWE}} + \alpha)) < q/4$.


$^7$ To ensure correct decryption, the message should contain some redundancy to weed out the incorrect ciphertext. It is a standard technique to encrypt multiple bits in GPV-style encryption, by replacing $u$ with a matrix $U \in \mathbb{Z}_q^{n\times z}$ in Pub, with which we can now independently encrypt $z > 1$ bits without change to the security analysis. If hybrid encryption is used, the multiple bits can be used to encrypt a symmetric key without redundancy, deferring the integrity check to the symmetric realm where it can be performed at minimal cost.
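The following is an added, constructed illustration (not code from the paper) of the two-branch Encrypt/Decrypt of Sect. 4.1, the correctness bound of Sect. 4.2, and the multi-bit variant with redundancy from footnote 7. It assumes two simplifications: SampleLeft and the trapdoor are replaced by picking the short key first and defining $U$ from it, and the discrete Gaussians by bounded uniform noise, so only the decryption algebra is faithful.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
Q = 12289           # modulus q
N_DIM = 16          # LWE dimension n
M_DIM = 32          # lattice dimension m; F_{id,b} has 2m columns
CHECK = [0, 1] * 8  # 16-bit redundancy pattern appended to every message (footnote 7)
PAYLOAD_BITS = 16
Z_BITS = PAYLOAD_BITS + len(CHECK)   # z = 32 bits encrypted per branch via a matrix U
NOISE = 2           # noise magnitude bound, standing in for the Gaussians D_{Z, alpha}
RNG = random.Random(20161204)


def rand_matrix(rows, cols):
    return [[RNG.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def row_times_matrix(s, F):
    """(s^T F) mod q for a row vector s and a matrix F given as a list of rows."""
    return [sum(si * row[j] for si, row in zip(s, F)) % Q for j in range(len(F[0]))]


def matrix_times_matrix(F, D):
    """(F D) mod q."""
    return [[sum(F[i][k] * D[k][j] for k in range(len(D))) % Q
             for j in range(len(D[0]))] for i in range(len(F))]


def keygen(key_branch):
    """Stand-in for Setup/KeyGen (assumption, not the paper's algorithm). In the scheme,
    SampleLeft uses the trapdoor T_A to produce a short D with F_{id,1-b} D = U (mod q).
    Here the two branch matrices F_{id,0}, F_{id,1} are uniformly random, the short D in
    {-1,0,1} is picked first, and U := F_{id,key_branch} D gives the same algebraic relation."""
    F = {0: rand_matrix(N_DIM, 2 * M_DIM), 1: rand_matrix(N_DIM, 2 * M_DIM)}
    D = [[RNG.choice((-1, 0, 1)) for _ in range(Z_BITS)] for _ in range(2 * M_DIM)]
    U = matrix_times_matrix(F[key_branch], D)
    return (F, U), D


def noise(length):
    return [RNG.randint(-NOISE, NOISE) for _ in range(length)]


def encrypt(pub, payload):
    """Sect. 4.1 step 5 for z bits: for each branch b, c_{b,0} = s_b^T U + nu_{b,0} + Msg*floor(q/2)
    and c_{b,1} = s_b^T F_{id,b} + nu_{b,1}. The encryptor does not know which branch the key fits."""
    F, U = pub
    msg = list(payload) + CHECK
    assert len(msg) == Z_BITS
    ctx = {}
    for b in (0, 1):
        s = [RNG.randrange(Q) for _ in range(N_DIM)]
        c0 = [(x + e + bit * (Q // 2)) % Q
              for x, e, bit in zip(row_times_matrix(s, U), noise(Z_BITS), msg)]
        c1 = [(x + e) % Q for x, e in zip(row_times_matrix(s, F[b]), noise(2 * M_DIM))]
        ctx[b] = (c0, c1)
    return ctx


def decode(r):
    """View r as an integer in (-q/2, q/2]: closer to 0 decodes as 0, closer to +-q/2 as 1."""
    r %= Q
    if r > Q // 2:
        r -= Q
    return 0 if abs(r) < Q // 4 else 1


def decrypt_branch(D, c0, c1):
    """r = c_{b,0} - c_{b,1} D (mod q); on the right branch r = Msg*floor(q/2) + small noise."""
    c1D = [sum(c1[k] * D[k][j] for k in range(2 * M_DIM)) for j in range(Z_BITS)]
    return [decode(x - y) for x, y in zip(c0, c1D)]


def decrypt(D, ctx):
    """Decrypt of Sect. 4.1: try both branches; the redundancy pattern weeds out the wrong one.
    Returns (branch, payload bits), or (None, None) if neither branch passes the check."""
    for b in (0, 1):
        bits = decrypt_branch(D, *ctx[b])
        if bits[PAYLOAD_BITS:] == CHECK:
            return b, bits[:PAYLOAD_BITS]
    return None, None


def noise_bound():
    """Worst case of |nu_{b,0} - nu_{b,1}^T d| for this instantiation (Sect. 4.2): each entry
    of D has absolute value at most 1, so the bound is NOISE + 2m*NOISE; it must stay below q/4."""
    return NOISE + 2 * M_DIM * NOISE
```

On the wrong branch $U - F_{\mathsf{id},1-b} D$ is not zero, so $r$ is masked by $s^T(U - F D)$ and the decoded check bits are essentially random, which is exactly why footnote 7 asks for redundancy.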
4.3 Parameter Selection and Discussion

We now discuss a consistent parameter instantiation that achieves both correctness and security. Let $\lambda$ be the security parameter, $t = t(\lambda)$ be the identity length, $k = k(\lambda)$ be the secret key length of PRF, and let $\ell = t + k$ be the input length of PRF. Let, for the most general case, the circuit depth of PRF be $d = d(\lambda)$. To ensure we can run TrapGen from Lemma 3, we set $m = n^{1+\eta}$ for some $\eta > 0$ (we assume $n^\eta > O(\log q)$). To make sure SampleLeft in the real scheme and SampleRight in the simulation algorithm Sim.KeyGen (see Sect. 4.4) have the same output distribution per Theorem 2, we set a sufficiently large Gaussian parameter $s = \|\tilde{T}_A\| \cdot O(4^d \cdot m^{3/2}) \cdot \omega(\sqrt{\log m})$. To ensure the applicability of Regev's [55] and Peikert's [54] LWE reductions from worst-case lattice problems, we set the Gaussian parameter of the LWE noise distribution to be $\alpha_{\mathsf{LWE}} = \sqrt{n}$, so the LWE noise distribution is $D_{\mathbb{Z},\alpha_{\mathsf{LWE}}} \bmod q$. For the security proof (specifically for the proofs of Lemmas 10 and 16), we set $\alpha = O(4^d \cdot m^{3/2}) \cdot \omega(\sqrt{\log m}) \cdot \alpha_{\mathsf{LWE}}$. Finally, to ensure the correctness condition of decryption, we set $q = O(16^d \cdot m^{9/2}) \cdot (\omega(\sqrt{\log m}))^2$.

As for our signature scheme, if the PRF can be computed by an $\mathsf{NC}^1$ NAND circuit with depth $d = c\log\ell$ for some constant $c > 1$, we can set the LWE modulus $q = O(\ell^{4c} \cdot m^{9/2}) \cdot (\omega(\sqrt{\log m}))^2$, which is polynomial in the security parameter $\lambda$.

Tight Reduction and Hardness of LWE. It is known that a larger modulus results in a stronger LWE assumption if the standard deviation of the noise distribution stays unchanged. More precisely, let $B$ be the maximum magnitude of the LWE noise, and $q$ be the LWE modulus. The hardness of the LWE problem depends on the ratio $q/B$: the LWE problem becomes easier when this ratio grows. In this regard, the appeal of our tight reduction varies: a tight reduction to a harder LWE problem is preferable to a tight reduction to an easier LWE problem. This is particularly true when one considers the reductions [22,54,55] from the worst-case hardness of classic lattice problems, e.g. GapSVP and SIVP, to the average-case hardness of LWE: where the ratio $q/B$ is smaller, the solutions obtained for the classic lattice problems are better.

One feature of our IBE scheme (and the signature scheme it induces) is that, depending on the circuit instantiation, the assumptions we make for our tight reduction may vary. In addition, if we use an LWE-based PRF, our IBE scheme relies on the stronger of two LWE assumptions: one is made for the PRF and the other is made for our construction, which uses a polynomial modulus $q$ as chosen above. Currently, basing our IBE scheme solely on LWE requires assuming LWE with a super-polynomial modulus. This is because the state-of-the-art PRFs from LWE (from [8,9]), in terms of efficiency and provable security, require a super-polynomial LWE modulus.

On the other hand, we believe that our tight reduction is still very valuable even for a large ratio $q/B$. Firstly, it shows, for the first time, that we can actually eliminate the dependency between the number of the adversary's queries and the security of a lattice-based IBE scheme (as well as a short lattice signature scheme). This is very important since the number of the adversary's queries can be quite large, which will seriously impact the schemes' security. Secondly, the average-case to worst-case reduction does provide some security confidence for the LWE assumption, but this is not the whole story. For certain parameters, many classic lattice problems are NP-hard. However, those parameters have no direct connection to lattice-based cryptography. (There is even evidence that the classic lattice problems with parameters relevant to cryptography are not NP-hard.) On the other hand, the LWE problem (with various parameters) can be regarded as a hard problem in its own right. It has shown robustness against various attacks over a relatively long period. This has made LWE widely accepted as a standard assumption for use in cryptography. For instance, even for sub-exponentially large ratios $q/B = 2^{O(n^c)}$, where $n$ is the LWE dimension and $0 < c < 1/2$, the LWE problem is still believed to be hard and leads to powerful cryptographic schemes which we were not able to obtain by other means, including fully homomorphic encryption, e.g. [23], attribute-based encryption for circuits, e.g. [18,25,37], and predicate encryption for circuits [41].

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption 427


4.4 Proof of Security

The security of our IBE scheme with respect to Definition 8 can be stated by the following theorem.

Theorem 5. Let $\lambda$ be a security parameter. The parameters $n, q$ are chosen as in Sect. 4.3. Let $\chi$ be the distribution $D_{\mathbb{Z}^m,\alpha_{\mathsf{LWE}}}$. If the $(t_{\mathsf{LWE}}, \epsilon_{\mathsf{LWE}})$-$\mathsf{LWE}_{n,q,\chi}$ assumption holds and the PRF used in the IBE scheme is $(t_{\mathsf{PRF}}, \epsilon_{\mathsf{PRF}})$-secure, then the IBE scheme is $(t, q_{\mathsf{id}}, \epsilon)$-IND-ID-CPA secure such that $\epsilon \le 2(\epsilon_{\mathsf{PRF}} + \epsilon_{\mathsf{LWE}}) + \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$, and $\max(t_{\mathsf{PRF}}, t_{\mathsf{LWE}}) \le t + O(q_{\mathsf{id}} \cdot (T_S + T_E))$, where $T_S$ is the maximum running time of SampleRight and $T_E$ is the maximum running time of $\mathsf{Eval}_{\mathsf{BV}}$ for one input identity.

We prove the above theorem through a sequence of indistinguishable security games. The first game is identical to the IND-ID-CPA game. In the last game, the adversary has no advantage. We will show that a PPT adversary is not able to distinguish neighbouring games, which proves that the adversary has only negligibly small advantage in winning the first (real) game.

Firstly, we define the following simulation algorithms Sim.Setup, Sim.KeyGen and Sim.Encrypt.

Sim.Setup($1^\lambda$). The algorithm does the following:

1. Select a matrix $A \leftarrow \mathbb{Z}_q^{n\times m}$.

2. Select $k+4$ random low-norm matrices $R_{A_0}, R_{A_1}, \{R_{B_i}\}_{i\in[k]}, R_{C_0}, R_{C_1}$ from $\{1,-1\}^{m\times m}$.

3. Select a secure pseudorandom function $\mathsf{PRF}: \{0,1\}^k \times \{0,1\}^t \to \{0,1\}$ and express it as a NAND Boolean circuit $C_{\mathsf{PRF}}$ with depth $d = d(\lambda)$.

4. Select a uniformly random string $K = s_1 s_2 \ldots s_k \leftarrow \{0,1\}^k$.

5. Set $A_b = A R_{A_b} + bG$ and $C_b = A R_{C_b} + bG$ for $b = 0, 1$.

6. Set $B_i = A R_{B_i} + s_i G$ for $i \in [k]$.

7. Select a vector $u \leftarrow \mathbb{Z}_q^n$.

8. Publish $\mathsf{Pub} = (A, \{A_0, A_1\}, \{B_i\}_{i\in[k]}, \{C_0, C_1\}, u, \mathsf{PRF}, C_{\mathsf{PRF}})$.

Sim.KeyGen(Pub, Msk, id). Upon an input identity $\mathsf{id} = x_1 x_2 \ldots x_t \in \{0,1\}^t$, the algorithm uses the parameters generated by Sim.Setup to do the following:

1. Compute

$A_{C_{\mathsf{PRF}},\mathsf{id}} = A R_{C_{\mathsf{PRF}},\mathsf{id}} + \mathsf{PRF}(K, \mathsf{id})\,G \leftarrow \mathsf{Eval}_{\mathsf{BV}}(C_{\mathsf{PRF}}, \{B_i\}_{i\in[k]}, C_{x_1}, \ldots, C_{x_t}).$

2. Let $\mathsf{PRF}(K, \mathsf{id}) = b \in \{0,1\}$. Set

$F_{\mathsf{id},1-b} = [A \mid A_{1-b} - A_{C_{\mathsf{PRF}},\mathsf{id}}]$
$= [A \mid A(R_{A_{1-b}} - R_{C_{\mathsf{PRF}},\mathsf{id}}) + (1-2b)\,G].$

3. Run SampleRight to sample $d_{\mathsf{id}} \leftarrow D_{\Lambda_u^\perp(F_{\mathsf{id},1-b}),s}$ as the private key $\mathsf{Sk}_{\mathsf{id}}$.

Sim.Encrypt(Pub, id*, Msg). To encrypt a message $\mathsf{Msg} \in \{0,1\}$ with respect to an identity $\mathsf{id}^*$:

1. Compute $b = \mathsf{PRF}(K, \mathsf{id}^*)$.

2. Set

$F_{\mathsf{id}^*,b} = [A \mid A_b - A_{C_{\mathsf{PRF}},\mathsf{id}^*}]$
$= [A \mid A(R_{A_b} - R_{C_{\mathsf{PRF}},\mathsf{id}^*})]$

and

$F_{\mathsf{id}^*,1-b} = [A \mid A_{1-b} - A_{C_{\mathsf{PRF}},\mathsf{id}^*}]$
$= [A \mid A(R_{A_{1-b}} - R_{C_{\mathsf{PRF}},\mathsf{id}^*}) + (1-2b)\,G].$

3. Select random vectors $s_b, s_{1-b} \leftarrow \mathbb{Z}_q^n$.

4. Select noise scalars $\nu_{b,0}, \nu_{1-b,0} \leftarrow D_{\mathbb{Z},\alpha_{\mathsf{LWE}}}$.

5. Sample noise vectors $x, y \leftarrow D_{\mathbb{Z}^m,\alpha_{\mathsf{LWE}}}$ for a sufficiently large Gaussian parameter $\alpha_{\mathsf{LWE}}$ ($\alpha_{\mathsf{LWE}} \ge \sqrt{2}\,\eta_\epsilon(\mathbb{Z}^m)$ for some small $\epsilon > 0$). Set $\nu_{b,1} = x + y$.

6. Let $R = R_{A_b} - R_{C_{\mathsf{PRF}},\mathsf{id}^*}$ and let $r_i$ be the $i$-th column of $R$. We sample the noise vector $z = (z_1, z_2, \ldots, z_m) \in \mathbb{Z}^m$ with $z_i \leftarrow D_{\mathbb{Z},\sigma_i}$ for the sufficiently large Gaussian parameter $\sigma_i = \sqrt{\alpha^2 - 2(\|r_i\| \cdot \alpha_{\mathsf{LWE}})^2}$.$^8$ Set $\hat{\nu}_{b,1} = R \cdot (x - y) + z$.

7. Select noise vectors $\nu_{1-b,1} \leftarrow D_{\mathbb{Z}^m,\alpha_{\mathsf{LWE}}}$, $\hat{\nu}_{1-b,1} \leftarrow D_{\mathbb{Z}^m,\alpha}$.

8. Set the challenge ciphertext $\mathsf{Ctx}_{\mathsf{id}^*} = (c_{b,0}, c_{b,1}, c_{1-b,0}, c_{1-b,1})$ as:

$c_{b,0} = (s_b^T u + \nu_{b,0} + \mathsf{Msg}\lfloor q/2\rfloor) \bmod q$
$c_{b,1} = (s_b^T F_{\mathsf{id}^*,b} + [\nu_{b,1}^T \mid \hat{\nu}_{b,1}^T]) \bmod q$
$c_{1-b,0} = (s_{1-b}^T u + \nu_{1-b,0} + \mathsf{Msg}\lfloor q/2\rfloor) \bmod q$
$c_{1-b,1} = (s_{1-b}^T F_{\mathsf{id}^*,1-b} + [\nu_{1-b,1}^T \mid \hat{\nu}_{1-b,1}^T]) \bmod q$

$^8$ In Sect. 4.3, $\alpha$ is set large enough such that $\sigma_i$ can be larger than $\|R\| \cdot \eta_\epsilon(\mathbb{Z}^m)$.
Now we define a series of games and prove that neighbouring games are either statistically indistinguishable or computationally indistinguishable.

Game 0. This is the real IND-ID-CPA game from the definition. All the algorithms are the same as in the real scheme.

Game 1. This game is the same as Game 0 except that it runs Sim.Setup and Sim.KeyGen instead of Setup and KeyGen.

Game 2. This game is the same as Game 1 except that the challenge ciphertext is generated by Sim.Encrypt instead of Encrypt.

Game 3. This game is the same as Game 2 except that during preparation of the challenge ciphertext for identity $\mathsf{id}^*$, it samples $(c_{b,0}, c_{b,1})$ uniformly at random from $\mathbb{Z}_q \times \mathbb{Z}_q^{2m}$ for $b = \mathsf{PRF}(K, \mathsf{id}^*)$. The other part of the challenge ciphertext, $(c_{1-b,0}, c_{1-b,1})$, is computed by Sim.Encrypt as in Game 2.

Game 4. This game is the same as Game 3 except that for $b = \mathsf{PRF}(K, \mathsf{id}^*)$ it runs the real encryption algorithm Encrypt to generate $(c_{1-b,0}, c_{1-b,1})$ of the challenge ciphertext instead of using Sim.Encrypt.

Game 5. This game is the same as Game 4 except that it runs Setup and KeyGen to generate Pub and the private identity keys.

Game 6. This game is the same as Game 5 except that for $b = \mathsf{PRF}(K, \mathsf{id}^*)$, the challenge ciphertext part $(c_{b,0}, c_{b,1})$ is generated by Encrypt instead of being chosen at random, and $(c_{1-b,0}, c_{1-b,1})$ is chosen at random.

Game 7. This game is the same as Game 6 except that it runs Sim.Setup and Sim.KeyGen to generate Pub and the private identity keys.

Game 8. This game is the same as Game 7 except that for the bit value $b = \mathsf{PRF}(K, \mathsf{id}^*)$, it computes the challenge ciphertext part $(c_{b,0}, c_{b,1})$ by Sim.Encrypt.

Game 9. This game is the same as Game 8 except that the whole challenge ciphertext is sampled uniformly at random from the ciphertext space. Therefore, in Game 9 the adversary has no advantage in winning the game.

In Game $i$, we let $S_i$ be the event that $\gamma' = \gamma$ at the end of the game. The adversary's advantage in Game $i$ is $|\Pr[S_i] - \frac{1}{2}|$. The following lemmas are used to prove Theorem 5. We refer to the full version of this paper ([21]) for the proofs of these lemmas.

Lemma 9. Game 1 and Game 0 are statistically indistinguishable, so $|\Pr[S_0] - \Pr[S_1]| \le \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$.

Lemma 10. Game 2 and Game 1 are statistically indistinguishable, so $|\Pr[S_1] - \Pr[S_2]| \le \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$.

Lemma 11. If the $(t, \epsilon_{\mathsf{LWE}})$-$\mathsf{LWE}_{n,q,\chi}$ assumption holds, where $\chi$ stands for the distribution $D_{\mathbb{Z},\alpha_{\mathsf{LWE}}}$ reduced modulo $q$, then $|\Pr[S_2] - \Pr[S_3]| \le \epsilon_{\mathsf{LWE}}$.

Lemma 12. $|\Pr[S_3] - \Pr[S_4]| = 0$.

Lemma 13. Game 5 and Game 4 are statistically indistinguishable, so $|\Pr[S_4] - \Pr[S_5]| \le \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$.

Lemma 14. If the PRF is $(t, \epsilon_{\mathsf{PRF}})$-secure, then $|\Pr[S_5] - \Pr[S_6]| \le 2\epsilon_{\mathsf{PRF}}$.

Lemma 15. Game 7 and Game 6 are statistically indistinguishable, so $|\Pr[S_6] - \Pr[S_7]| \le \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$.

Lemma 16. Game 8 and Game 7 are statistically indistinguishable, so $|\Pr[S_7] - \Pr[S_8]| \le \mathrm{negl}(\lambda)$ for some negligible function $\mathrm{negl}(\lambda)$.

Lemma 17. If the $(t, \epsilon_{\mathsf{LWE}})$-$\mathsf{LWE}_{n,q,\chi}$ assumption holds, where $\chi$ stands for the distribution $D_{\mathbb{Z},\alpha_{\mathsf{LWE}}}$ reduced modulo $q$, then $|\Pr[S_8] - \Pr[S_9]| \le \epsilon_{\mathsf{LWE}}$.

Now we prove Theorem 5 using the established lemmas.

Proof. Based on the lemmas bounding the differences between consecutive games, we have $\epsilon = |\Pr[S_0] - 1/2| \le 2(\epsilon_{\mathsf{PRF}} + \epsilon_{\mathsf{LWE}}) + \mathrm{negl}(\lambda)$ for some negligibly small statistical error $\mathrm{negl}(\lambda)$. The running time of $\mathcal{B}$ is dominated by answering $q_{\mathsf{id}}$ private key generation queries from $\mathcal{A}$. For answering one such query, $\mathcal{B}$ needs to apply the key-homomorphic algorithm to the circuit of PRF. This requires time $T_E$. Besides that, $\mathcal{B}$ needs to run SampleRight to sample Gaussian vectors for constructing the private keys, which requires at most time $T_S$. Therefore, for one query, $\mathcal{B}$ runs in roughly $O(T_S + T_E)$ time. For all $q_{\mathsf{id}}$ queries and constructing the challenge ciphertext, the total time is bounded by $O(q_{\mathsf{id}} \cdot (T_S + T_E))$. So if an adversary $\mathcal{A}$ has running time $t$, then $\max(t_{\mathsf{LWE}}, t_{\mathsf{PRF}}) \le t + O(q_{\mathsf{id}} \cdot (T_S + T_E))$. □

5 Conclusions 

In this paper, we propose a short adaptively secure lattice signature scheme and a "compact" adaptively secure IBE scheme in the standard model. Our constructions make use of PRFs in a novel way by combining several recent techniques in the area of lattice-based cryptography. The security of our signature and IBE schemes is tightly related to the conservative lattice assumptions SIS and LWE, respectively, and to the security of the instantiated PRF, with a constant loss factor. By instantiating the existing efficient PRFs from lattice and number-theoretic assumptions which can be implemented by shallow circuits, we obtain the first "almost" tightly secure lattice-based short signature/IBE scheme whose security is based on the LWE assumption with super-polynomial modulus, and an adaptively secure IBE scheme with the tightest security reduction so far, i.e. with only an $O(\log^2 \lambda)$ factor of security loss for the security parameter $\lambda$, based on a novel combination of lattice and number-theoretic assumptions.

The problem of constructing a tightly and adaptively secure IBE scheme from standard assumptions (in the sense that the security loss of the reduction is a constant) remains open. Our work suggests that constructing tightly secure PRFs, which is another important open problem left by [31,47], would solve it. We leave as a fascinating open problem the question of employing similar (or different) techniques to construct compact and (almost) tightly secure signature and encryption schemes with increased expressiveness, such as hierarchical and attribute-based encryption schemes, or homomorphic signatures. Another interesting open question is to construct an efficient PRF from the LWE assumption with polynomial modulus.

Acknowledgements. We would like to thank Jacob Alperin-Sheriff and Josef Pieprzyk as well as the anonymous reviewers for useful comments.
Abstract. This paper provides a framework to treat the problem of building signature schemes from identification schemes in a unified and systematic way. The outcomes are (1) alternatives to the Fiat-Shamir transform that, applied to trapdoor identification schemes, yield signature schemes with tight security reductions to standard assumptions, and (2) an understanding and characterization of existing transforms in the literature. One of our transforms has the added advantage of producing signatures shorter than those produced by the Fiat-Shamir transform. Reduction tightness is important because it allows the implemented scheme to use small parameters (thereby being as efficient as possible) while retaining provable security.


1 Introduction 


This paper provides a framework to treat the problem of building signature 
schemes from identification schemes in a unified and systematic way. We are 
able to explain and characterize existing transforms as well as give new ones 
whose security proofs give tight reductions to standard assumptions. This is 
important so that the implemented scheme can use small parameters, thereby 
being efficient while retaining provable security. Let us begin by identifying the 
different elements involved. 


ID-TO-SIG transforms. Recall that in a three-move identification scheme ID the prover sends a commitment $Y$ computed using private randomness $y$, the verifier sends a random challenge $c$, the prover returns a response $z$ computed using $y$ and its secret key $isk$, and the verifier computes a boolean decision from the conversation transcript $Y\|c\|z$ and public key $ivk$ (see Fig. 3). We are interested in transforms Id2Sig that take ID and return a signature scheme DS. The transform must be generic, meaning DS is proven to meet some signature security goal $\boxed{\mathrm{P}_{\mathrm{sig}}}$ assuming only that ID meets some identification security goal $\boxed{\mathrm{P}_{\mathrm{id}}}$. This proof is supported by a reduction $\boxed{\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}}$ that may be tight or loose. Boxing an item here highlights elements of interest and choice in the id-to-sig process.

Canonical example. In the most canonical example we have, Id2Sig = FS is the Fiat-Shamir transform [16]; $\mathrm{P}_{\mathrm{id}}$ = IMP-PA is security against impersonation under passive attack [1,14]; $\mathrm{P}_{\mathrm{sig}}$ = UF is unforgeability under chosen-message attack [20]; and the reduction $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ is that of AABN [1], which is loose.

We are going to revisit this to give other choices of the different elements, but first let us recall some more details of the above. In the Fiat-Shamir transform FS [16], a signature of a message $m$ is a pair $(Y, z)$ such that the transcript $Y\|c\|z$ is accepting for $c = H(Y\|m)$, where $H$ is a random oracle. IMP-PA requires that an adversary given transcripts of honest protocol executions still fails to make the honest verifier accept in an interaction where it plays the role of the prover, itself picking $Y$ any way it likes, receiving a random $c$, and then producing $z$. The loss in the $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ reduction of AABN [1] is a factor of the number $q$ of adversary queries to the random oracle $H$: if $\epsilon_{\mathrm{id}}, \epsilon_{\mathrm{sig}}$ denote, respectively, the advantages in breaking the IMP-PA security of ID and the UF security of DS, then $\epsilon_{\mathrm{sig}} \approx q\,\epsilon_{\mathrm{id}}$.


Algebraic assumption to id. Suppose a cryptographer wants to build a signature scheme meeting the definition $\mathrm{P}_{\mathrm{sig}}$. The cryptographer would like to base security on some algebraic (or other computational) assumption $\boxed{\mathrm{P}_{\mathrm{alg}}}$. This could be factoring, RSA inversion, bilinear Diffie-Hellman, some lattice assumption, or many others. Given an id-to-sig transform as above, the task amounts to designing an identification scheme ID achieving $\mathrm{P}_{\mathrm{id}}$ under $\mathrm{P}_{\mathrm{alg}}$. (Then one can just apply the transform to ID.) This proof is supported by another reduction $\boxed{\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}}$ that again may be tight or loose. The tightness of the overall reduction $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{alg}}$ thus depends on the tightness of both $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ and $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$.


Canonical example. Continuing with the FS+AABN-based example from above, we would need to build an identification scheme meeting $\mathrm{P}_{\mathrm{id}}$ = IMP-PA under $\mathrm{P}_{\mathrm{alg}}$. The good news is that a wide swathe of such identification schemes are available, for many choices of $\mathrm{P}_{\mathrm{alg}}$ (GQ [23] under RSA, FS [16] under Factoring, Schnorr [36] under Discrete Log, ...). However the reduction $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ is (very) loose.

Again, we are going to revisit this to give other choices of the different elements, but first let us recall some more details of the above. The practical identification schemes here are typically Sigma protocols (this means they satisfy honest-verifier zero-knowledge and special soundness, the latter meaning that from two accepting conversation transcripts with the same commitment but different challenges, one can extract the secret key) and $\mathrm{P}_{\mathrm{alg}}$ = KR ("key recovery") is the problem of computing the secret key given only the public key. To solve this problem, we have to run a given IMP-PA adversary twice and hope for two successes. The analysis exploits the Reset Lemma of [6]. If $\epsilon_{\mathrm{alg}}, \epsilon_{\mathrm{id}}$ denote, respectively, the advantages in breaking the algebraic problem and the IMP-PA security of ID, then it results in $\epsilon_{\mathrm{id}} \approx \sqrt{\epsilon_{\mathrm{alg}}}$. If $\epsilon_{\mathrm{sig}}$ is the advantage in breaking UF security of DS, combined with the above, we have $\epsilon_{\mathrm{sig}} \approx q\sqrt{\epsilon_{\mathrm{alg}}}$.
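As an added, constructed illustration of the canonical example (not code from the paper): the GQ identification scheme, its Fiat-Shamir signature with $c = H(Y\|m)$, the special-soundness extractor that underlies the KR reduction, and the trapdoor variant of GQ obtained by adding the RSA decryption exponent $d$ to the secret key. The RSA modulus, exponent and challenge length are toy values chosen here.

```python
import hashlib

# Toy GQ parameters, constructed for illustration only (far too small to be secure).
P, Q = 104729, 104723      # two primes; N = P*Q is the RSA modulus
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                  # GQ/RSA exponent e (prime, so gcd(c1 - c2, e) == 1 below)
CL = 16                    # challenge length cl: challenges lie in [0, 2**CL), and 2**CL < E
D = pow(E, -1, PHI)        # RSA decryption exponent d; adding it to isk makes GQ trapdoor


def keygen(x):
    """GQ keys: secret isk = x in Z_N^*, public ivk = (N, e, X) with X = x^e mod N."""
    return (N, E, pow(x, E, N)), x


def commit(y):
    """Prover's first move: commitment Y = y^e mod N from private randomness y."""
    return pow(y, E, N)


def respond(y, isk, c):
    """Prover's response z = y * x^c mod N to challenge c."""
    return (y * pow(isk, c, N)) % N


def verify_transcript(ivk, Y, c, z):
    """Verifier's decision on transcript Y||c||z: accept iff z^e == Y * X^c mod N."""
    n, e, X = ivk
    return 0 <= c < 2 ** CL and pow(z, e, n) == (Y * pow(X, c, n)) % n


def hash_challenge(Y, m):
    """Fiat-Shamir challenge c = H(Y||m), truncated to cl bits (H modelled by SHA-256)."""
    digest = hashlib.sha256(Y.to_bytes(8, "big") + m).digest()
    return int.from_bytes(digest, "big") % (2 ** CL)


def fs_sign(isk, y, m):
    """FS signature of m: the pair (Y, z) such that Y||H(Y||m)||z is an accepting transcript."""
    Y = commit(y)
    return Y, respond(y, isk, hash_challenge(Y, m))


def fs_verify(ivk, m, sig):
    Y, z = sig
    return verify_transcript(ivk, Y, hash_challenge(Y, m), z)


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def extract_secret(ivk, Y, c1, z1, c2, z2):
    """Special soundness of GQ, the step behind the KR reduction: two accepting transcripts
    with the same commitment Y and different challenges give (z1/z2)^e == X^(c1 - c2); since
    gcd(c1 - c2, e) == 1, the secret x with x^e == X can then be computed directly."""
    n, e, X = ivk
    assert c1 != c2
    g, u, v = egcd(c1 - c2, e)          # u*(c1 - c2) + v*e == 1
    assert g == 1
    ratio = (z1 * pow(z2, -1, n)) % n
    return (pow(ratio, u, n) * pow(X, v, n)) % n   # (z1/z2)^u * X^v, whose e-th power is X


def trapdoor_randomness(Y):
    """Trapdoor GQ: choose the commitment Y first and recover y = Y^d mod N with the extra
    secret d, so that commit(y) == Y."""
    return pow(Y, D, N)


def demo():
    """Constructed walk-through; returns (signature verifies, extracted key == isk,
    trapdoor-chosen commitment yields an accepting transcript)."""
    ivk, isk = keygen(x=123456789)
    m = b"constructed test message"
    sig_ok = fs_verify(ivk, m, fs_sign(isk, y=987654321, m=m))

    y = 5555555
    Y = commit(y)
    c1, c2 = 17, 4242
    recovered = extract_secret(ivk, Y, c1, respond(y, isk, c1), c2, respond(y, isk, c2))

    Y_t = 7777777                       # commitment picked at random first
    y_t = trapdoor_randomness(Y_t)
    c = 99
    trapdoor_ok = commit(y_t) == Y_t and verify_transcript(ivk, Y_t, c, respond(y_t, isk, c))
    return sig_ok, recovered == isk, trapdoor_ok
```

The extractor is why the KR reduction must run the IMP-PA adversary twice on the same commitment, which is where the square-root loss in $\epsilon_{\mathrm{id}} \approx \sqrt{\epsilon_{\mathrm{alg}}}$ comes from.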

Approach. We see from the above that a tight overall reduction $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{alg}}$ requires that the $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ and $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ reductions both be tight. What we observe is that we have a degree of freedom in achieving this, namely the choice of the security goal for the identification scheme. Our hope is to pick $\mathrm{P}_{\mathrm{id}}$ such that (1) we can give (new) transforms Id2Sig for which $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ is tight, and simultaneously (2) we can give identification schemes such that $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ is tight. We view these as two pillars of an edifice and are able to provide both via our definitions of security of identification under constrained impersonation coupled with some new id-to-sig transforms. We first pause to discuss some prior work, but a peek at Fig. 1 gives an outline of the results we will expand on later. Following FS, we work in the random oracle model.

Prior work. The first proofs of security for FS-based signatures [35] reduced UF security of the FS-derived signature scheme directly to the hardness of the algebraic problem $\mathrm{P}_{\mathrm{alg}}$, assuming $H$ is a random oracle [8]. These proofs exploit forking lemmas [4,5,35]. Modular proofs of the form discussed above, that use identification as an intermediate step, begin with [1,33]. The modular approach has many advantages. One is that since the id-to-sig transforms are generic, we have only to design and analyze identification schemes. Another is the better understanding and isolation of the role of random oracles: they are used by Id2Sig but not in the identification scheme. We have accordingly adopted this approach. Note that both the direct (forking lemma based) and the AABN-based indirect (modular) approach result in reductions of the same looseness we discussed above. Our (alternative but still modular) approaches will remove this loss.

Consideration of reduction tightness for signatures begins with BR [9], whose PSS scheme has a tight reduction to the RSA problem. KW [24] give another signature scheme with a tight reduction to RSA, and they and GJ [18] give signature schemes with tight reductions to the Diffie-Hellman problem. GPV [17] give a signature scheme with a tight reduction to the problem of finding short vectors in random lattices.

The lack of tightness of the overall reduction for FS-based signatures is well recognized as an important problem and drawback. Micali and Reyzin [30] give a signature scheme, with a tight reduction to factoring, that is obtained from a particular identification scheme via a method they call "swap". ABP [2] say that the method generalizes to other factoring-based schemes. However, "swap" has never been stated as a general transform of an identification scheme into a signature scheme. This lack of abstraction is perhaps due in part to a lack of definitions, and the ones we provide allow us to fill the gap. In Sect. 6.5 we elevate the swap method to a general Swap transform, characterize the identification schemes to which it applies, and prove that, when it applies, it gives a tight $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ reduction.

ABP [2] show a tight reduction of FS-derived GQ-based signatures to the $\Phi$-hiding assumption of [12]. In contrast, our methods will yield GQ-based signatures with a tight reduction to the standard one-wayness of RSA. AFLT [3] use a slight variant of the Fiat-Shamir transform to turn lossy identification schemes into signature schemes with security based tightly on key indistinguishability, resulting in signature schemes with tight reductions to the decisional short discrete logarithm problem, the shortest vector problem in ideal lattices, and subset sum.

Constrained impersonation. Recall our goal is to define a notion of identification security $\mathrm{P}_{\mathrm{id}}$ such that (1) we can give transforms Id2Sig for which $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ is tight, and (2) we can give identification schemes such that $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ is tight. In fact our definitional goal is broader, namely to give a framework that allows us to understand and encompass both old and new transforms, the former including FS and Swap. We do all this with a definitional framework that we refer to as constrained impersonation. It yields four particular definitions denoted CIMP-XY for $\mathrm{XY} \in \{\mathrm{CU}, \mathrm{UC}, \mathrm{UU}, \mathrm{CC}\}$. Each, in the role of $\mathrm{P}_{\mathrm{id}}$, will be the basis for an id-to-sig transform such that $\mathrm{P}_{\mathrm{sig}} \to \mathrm{P}_{\mathrm{id}}$ is tight, and two will allow $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ to be tight.

In constrained impersonation we continue, as with IMP-PA, to allow a passive attack in which the adversary $A$ against the identification scheme ID can obtain transcripts $Y_1\|c_1\|z_1, Y_2\|c_2\|z_2, \ldots$ of interactions between the honest prover and verifier. Then $A$ tries to impersonate, meaning get the honest verifier to accept. If X = C then the commitment in this impersonation interaction is adversary-chosen, while if X = U (unchosen) it must be pegged to a commitment from one of the (honest) transcripts. If Y = C, the challenge is adversary-chosen, while if Y = U it is as usual picked at random by the verifier. In all cases, multiple impersonation attempts are allowed. The formal definitions are in Sect. 3. CIMP-CU is a multi-impersonation version of IMP-PA, but the rest are novel.

What do any of these notions have to do with identification if one understands 
the latter as the practical goal of proving one’s identity to a verifier? Beyond 
CIMP-CU, very little. In practice it is unclear how one can constrain a prover 
to only use, in impersonation, a commitment from a prior transcript. It is even 
more bizarre to allow a prover to pick the challenge. Our definitions however are 
not trying to capture any practical usage of identification. They view the latter 
as an analytic tool, an intermediate land allowing a smooth transition from an 
algebraic problem to signatures. The constrained impersonation notions work 
well in this regard, as we will see, both to explain and understand existing work 
and to obtain new signature schemes with tight reductions. 

Relations between the four notions of constrained impersonation are depicted in Fig. 1. An arrow $A \to B$ is an implication: every identification scheme that is A-secure is also B-secure. A barred arrow $A \nrightarrow B$ is a separation: there exists an identification scheme that is A-secure but not B-secure. (For now ignore the boxes around notions.) In particular we see that CIMP-UU is weaker than, and CIMP-UC incomparable to, the more standard CIMP-CU. See Proposition 1 for more precise renditions of the implications.

Auxiliary definitions and tools. Before we see how to leverage the con- 
strained impersonation framework, we need a few auxiliary definitions and results 
that, although simple, are, we believe, of independent interest and utility. 
Fig. 1. Top: Relations between notions $\mathrm{P}_{\mathrm{id}}$ of security for an identification scheme ID under constrained impersonation. Solid arrows denote implications, barred arrows denote separations. A solid box around a notion means a tight $\mathrm{P}_{\mathrm{id}} \to \mathrm{P}_{\mathrm{alg}}$ reduction for Sigma protocols; dotted means a loose one; no box means no known reduction. Bottom: Transforms of identification schemes into UUF (rows 2, 3) or UF (rows 1, 4, 5) signature schemes. The first column is the assumption $\mathrm{P}_{\mathrm{id}}$ on the identification scheme. The third column indicates whether or not the identification scheme is assumed to be trapdoor. Here cl is the challenge length and sl is a seed length. In rows 1, 4 the commitment $Y$ is chosen at random. The third transform has the shortest signatures, consisting of a response plus a single bit.


We define a signature scheme to be UUF (Unique Unforgeable) if it is UF with the restriction that a message can be signed at most once. (The adversary is not allowed to twice ask the signing oracle to sign a particular $m$.) It turns out that some of our id-to-sig transforms naturally achieve UUF, not UF. However there are simple, generic transforms of UUF signature schemes into UF ones — succinctly, $\mathrm{UF} \to \mathrm{UUF}$ — that do not introduce much overhead and have tight reductions. One is to remove randomness, and the other is to add it. In more detail, a well-known method to derandomize a signature scheme is to specify the coins by hashing the secret key along with the message. This has been proved to work in some instances [26,32] but not in general. We observe that this method has the additional benefit of turning a UUF scheme into a UF one. We call the transform DR. Theorem 3 shows that it works. (In particular it shows UF-security of the derandomized scheme in a more general setting than was known before.) The second transform, AR, appends a random salt to the message before signing and includes the salt in the signature. Theorem 4 shows that it works. The first transform is attractive because it does not increase signature size. The second does, but is standard-model. We stress that the reductions are tight in both cases, so this step does not impact overall tightness. Now we can take (the somewhat easier to achieve) UUF as our goal.

Recall that in an identification scheme, the prover uses private randomness y 
to generate its commitment Y . We call the scheme trapdoor if the prover can 
pick the commitment Y directly at random from the space of commitments and 
then compute the associated private randomness y using its secret key via a 
prescribed algorithm. The concept is implicit in [30] but does not seem to have 
been formalized before, so we give a formal definition in Sect. 3. Many existing 
identification schemes will meet our definition of being trapdoor modulo possibly 
some changes to the key structure. Thus the GQ scheme of [23] is trapdoor if 
we add the decryption exponent d to the secret key. With similar changes to 
the keys, the Fiat-Shamir [16] and Ong-Schnorr [34] identification schemes are 
trapdoor. The factoring-based identification scheme of [30] is also trapdoor. But 
not all identification schemes are trapdoor. One that is not is Schnorr’s (discrete- 
log based) scheme [36]. 

Summary of results. For each notion Pid ∈ {CIMP-CU, CIMP-UC, 
CIMP-UU, CIMP-CC} we give an id-to-sig transform that turns any given Pid- 
secure identification scheme ID into a Psig = UUF signature scheme DS; the 
transform from CIMP-CC security achieves even a UF signature scheme. The 
reduction Psig → Pid is tight in all four cases. (To further make the signature 
schemes UF secure, we can apply the above-mentioned UF → UUF transforms 
while preserving tightness.) The table in Fig. 1 summarizes the results and the 
transforms. They are discussed in more detail below and then fully in Sect. 6. 

This is one pillar of the edifice, and not useful by itself. The other pillar is the 
Pid → Palg reduction. In the picture at the top of Fig. 1, a solid-line box around 
Pid means that the reduction Pid → Palg is tight, a dotted-line box indicates a 
reduction is possible but is not tight, and no box means no known reduction. 
These results assume the identification scheme is a Sigma protocol, as most are, 
and are discussed in Sect. 4. We see that two points of our framework can be 
tightly obtained from the algebraic problem, so that in these cases the overall 
Psig → Palg reduction is tight, which was the ultimate goal. 

More details on results. The id-to-sig transform from CIMP-CU is the clas- 
sical FS one. The reduction is now tight, even though it was not from IMP-PA [1], 
simply because CIMP-CU is IMP-PA extended to allow multiple impersonation 
attempts. The result, which we state as Theorem 8, is implicit in [1], but we give 
a proof to illustrate how simple the proof now is. In this case our framework 
serves to better understand, articulate and simplify something implicit in the 
literature, rather than deliver anything particularly new. 

For CIMP-UC, we give a transform called MdCmt, for “Message-Derived 
Commitment”, where, to sign m, the signer computes the commitment Y as a 
hash of the message, picks a challenge at random, uses the identification trapdoor 
to compute the coins y corresponding to Y, uses y and the secret key to compute a 
response z, and returns the challenge and response as the signature. See Sect. 6.1. 

For CIMP-UU, the weakest of the four notions, our transform MdCmtCh, 
for “Message-Derived Commitment and Challenge” , has the signer compute the 
commitment Y as a hash of the message. It then picks a single random bit s 
and computes the challenge as a hash of the message and seed s, returning as 
signature the seed and response, the latter computed as before. Beyond a tight 
reduction, this transform has the added feature of short signatures , the signature 
being a response plus a single bit. (In all other transforms, whether prior or ours, 
the signature is at least a response plus a challenge, often more.) See Sect. 6.2. 

Since CIMP-CC implies CIMP-UC and CIMP-UU (Fig. 1, top), for the for- 
mer the MdCmt and MdCmtCh transforms would both work. However, these 
require the identification scheme to be trapdoor and achieve UUF rather than 
UF. (The above-mentioned UF → UUF transforms would have to be applied on 
top to get UF.) We give an alternative transform called MdCh (“Message- 
Derived Challenge”) from CIMP-CC that directly achieves UF and works (gives 
a tight reduction) even if the identification scheme is not trapdoor. It has the 
signer pick a random commitment, produce the challenge as in MdCmtCh, 
namely as a randomized hash of the message, compute the response, and return 
the conversation transcript as signature. See Sect. 6.3. 

The salient fact is that the reductions underlying all four transforms are 
tight. To leverage the results we now have to consider achieving CIMP-XY. We 
do this in Sect. 4. We give reductions Pid → Palg of the Pid = CIMP-XY security 
of identification schemes that are Sigma protocols to their key-recovery (KR) 
security, the latter being the problem of recovering the secret key given only 
the public key, which is typically the algebraic problem Palg whose hardness 
is assumed. For CIMP-UC and CIMP-UU the Pid → Palg reduction is tight, as 
per Theorem 1, making these the most attractive starting points. For CIMP-CU 
we must use the Reset Lemma [6] so the reduction (cf. Theorem 2) is loose. 
CIMP-CC is a very strong notion and, as we discuss at the end of Sect. 4, not 
achieved by Sigma protocols but achievable by other means. 

Swap. As indicated above, our framework allows us to generalize the swap 
method of [30] into an id-to-sig transform Swap and understand and characterize 
what it does. In Sect. 6.5 we present Swap as a generic transform of a trapdoor 
identification scheme ID to a signature scheme that is just like MdCmt (cf. row 
2 of the table of Fig. 1) except that the challenge c is included in the input to 
the hash function (cf. row 5 of the table of Fig. 1). Recall that MdCmt turns 
a CIMP-UC identification scheme into a UUF signature scheme. We can thence 
get a UF signature scheme by applying the AR transform of Sect. 5.2. Swap is a 
shortcut, or optimization, of this two step process: it directly turns a CIMP-UC 
identification scheme into a UF signature scheme by effectively re-using the ran- 
domness of MdCmt in AR. We note that the composition of our DR with our 
MdCmtCh yields a UF signature scheme with shorter signatures than Swap 
while also having a tight reduction to the weaker CIMP-UU assumption, and 
would thus be superior. However we think Swap is of historical interest and 
accordingly present it. See Sect. 6.5 for details. 

Instantiation. As a simple and canonical example, in [7] we apply our frame- 
work and transforms to the GQ identification scheme to get signature schemes 
with tight reductions to RSA. It is also possible to give instantiations based 
on claw-free permutations [20] and factoring. An intriguing application area to 
explore for our transforms is in lattice-based cryptography. Here signatures have 
been obtained via the FS transform [28,29]. The underlying lattice-based iden- 
tification schemes do not appear to be trapdoor, so our transforms would not 
apply. However, via the techniques of MP [31], one can build lattice-based trap- 
door identification schemes to which our transforms apply. Whether there is a 
performance benefit will depend on the trade-off between the added cost from 
having the trapdoor and the smaller parameters permitted by the improved 
security reduction. 

Discussion. We measure reduction tightness stringently, in a model where run- 
ning time, queries and success probability are separate parameters. The picture 
changes if one considers the expected success ratio, namely the ratio of running 
time to success probability. Reduction tightness under this metric is considered 
in PS [35] and the concurrent and independent work of KMP [25]. 

We establish the classical notion of standard unforgeability (UF) [20]. Our 
transforms also establish strong unforgeability if the identification scheme has 
the extra property of unique responses. (For any public key, commitment, and 
challenge, there exists at most one response that the verifier accepts.) 

A reviewer commented that “The signature scheme with the tightest security 
in this paper is derived from the Swap transform, which makes the result less 
surprising since the Swap method, first used in [30], has already been found to 
be generic to some extent by ABP [2].” In response, first, the tightness of the 
reductions is about the same for Swap, DR ∘ MdCmt and DR ∘ MdCmtCh 
(cf. Fig. 14), but the third has shorter signatures, an advantage over Swap. 
Second, while, as indicated above, prior work including ABP [2] did discuss Swap 
in a broader context than the original MR [30], the discussion was informal and 
left open to exactly what identification schemes Swap might apply. We have 
formalized prior intuition using the concept of trapdoor identification, and thus 
been able to provide a general transform and result for Swap. We view this 
as a contribution towards understanding the area, making intuition rigorous 
and providing a result that future work can apply in a blackbox way. Also, as 
noted above, our framework helps understand Swap, seeing it as an optimized de- 
randomization of the simpler MdCmt. We understand, as per what the reviewer 
says, that our results for Swap may not be surprising, but we don’t think surprise 
is the only measure of contribution. Clarifying and formalizing existing intuition, 
as we have done in this way with Swap, puts the area on firmer ground and 
helps future work. 

GK [22] give an example of a 3-move ID protocol where FS yields a secure 
signature scheme in the ROM, but the RO is not instantiable. Their protocol 
however is not a Sigma protocol, as is assumed for the ones we start with and 
is true for practical identification schemes. Currently, secure instantiation of the 
RO, both for FS and our transforms, is not ruled out for such identification 
schemes. 

2 Notation and Basic Definitions 

Notation. We let ε denote the empty string. If X is a finite set, we let x ←$ X 
denote picking an element of X uniformly at random and assigning it to x. We use 
a_1||a_2||···||a_n as shorthand for (a_1, a_2, ..., a_n). By a_1||a_2||···||a_n ← x we mean 
that x is parsed into its constituents. We use bracket notation for associative 
arrays, e.g., T[x] = y means that key x is mapped to value y. Algorithms may 
be randomized unless otherwise indicated. Running time is worst case. If A is 
an algorithm, we let y ← A(x_1, ...; r) denote running A with random coins r on 
inputs x_1, ... and assigning the output to y. We let y ←$ A(x_1, ...) be the result 
of picking r at random and letting y ← A(x_1, ...; r). We let [A(x_1, ...)] denote 
the set of all possible outputs of (randomized) A when invoked with inputs 
x_1, .... We use the code based game playing framework of [10]. (See Fig. 2 for an 
example.) By Pr[G] we denote the event that the execution of game G results in 
the game returning true. Boolean flags (like bad) in games are assumed initialized 
to false, and associative arrays empty. We adopt the convention that the running 
time of an adversary refers to the worst case execution time of the game with 
the adversary. This means that the time taken for oracles to compute replies to 
queries is included. 

Our treatment of random oracles is more general than usual. In our construc- 
tions, we will need random oracles with different ranges. For example we may 
want one random oracle returning points in a group Z_N^* and another returning 
strings of some length l. To provide a single unified definition, we have the pro- 
cedure H in the games take not just the input x but a description Rng of the 
set from which outputs are to be drawn at random. Thus y ←$ H(x, Z_N^*) will 
return a random element of Z_N^*, while c ←$ H(x, {0,1}^l) will return a random 
l-bit string, and so on. Sometimes if the range set is understood, it is dropped 
as an argument. 

Signatures. In a signature scheme DS, the signer generates signing key sk and 
verifying key vk via (vk, sk) ←$ DS.Kg^H where H is the random oracle, the latter 
with syntax as discussed above. Now it can compute a signature σ ←$ DS.Sig^H 
(vk, sk, m) on any message m ∈ {0,1}^*. A verifier can deterministically com- 
pute a boolean v ← DS.Vf^H(vk, m, σ) indicating whether or not σ is a valid 
signature of m relative to vk. Correctness as usual requires that DS.Vf^H(vk, m, 
DS.Sig^H(vk, sk, m)) = true with probability one. Game G^uf_DS(A) associated to 
DS and adversary A as per Fig. 2 captures the classical unforgeability notion 
of [20] lifted to the ROM as per [8], and we let Adv^uf_DS(A) = Pr[G^uf_DS(A)] be 
the UF-advantage of A. The same figure also defines game G^uuf_DS(A) to capture 
unique unforgeability. The difference is the inclusion of the boxed code, which 
disallows A from getting more than one signature on the same message. We let 
Adv^uuf_DS(A) = Pr[G^uuf_DS(A)] be the UUF-advantage of A. 
Game G^uf_DS(A) / G^uuf_DS(A) 
  M ← ∅ ; (vk, sk) ←$ DS.Kg^H 
  (m, σ) ←$ A^{Sign,H}(vk) 
  If m ∈ M: Return false 
  Return DS.Vf^H(vk, m, σ) 

Sign(m) 
  [If m ∈ M: Return ⊥]        // boxed code, present only in G^uuf_DS(A) 
  σ ←$ DS.Sig^H(vk, sk, m) 
  M ← M ∪ {m} 
  Return σ 

H(x, Rng) 
  If not HT[x, Rng]: HT[x, Rng] ←$ Rng 
  Return HT[x, Rng] 

Fig. 2. Games defining unforgeability and unique unforgeability of signature 
scheme DS. Game G^uuf_DS(A) includes the boxed code and game G^uf_DS(A) does not. 

Of course, UF implies UUF, meaning any signature scheme that is UF secure 
is also UUF secure. The converse is not true, meaning there exist UUF signature 
schemes that are not UF secure (we will see natural examples in this paper). In 
Sect. 5 we give simple, generic and tight ways to turn any given UUF signature 
scheme into a UF one. 

We note that unique unforgeability (UUF) should not be confused with 
unique signatures as defined in [21,27]. In a unique signature scheme, there is, 
for any message, at most one signature the verifier will accept. If a unique sig- 
nature scheme is UUF then it is also UF. But there are UUF (and UF) schemes 
that are not unique. 

3 Constrained Impersonation Framework 

We introduce a framework of definitions of identification schemes secure against 
constrained impersonation. 

Identification. An identification (ID) scheme ID operates as depicted in Fig. 3. 
First, via (ivk, isk, itk) ←$ ID.Kg, the prover generates a public verification key 
ivk, private identification key isk, and trapdoor itk. Via (Y, y) ←$ ID.Ct(ivk) it 
generates commitment Y ∈ ID.CS(ivk) and corresponding private state y. We 
refer to ID.CS(ivk) as the commitment space associated to ivk. The verifier sends 
a random challenge of length ID.cl. The prover’s response z and the verifier’s 
boolean decision v are deterministically computed per z ← ID.Rp(ivk, isk, c, y) 
and v ← ID.Vf(ivk, Y||c||z), respectively. We assume throughout that identifi- 
cation schemes have perfect correctness. We also assume uniformly-distributed 
commitments. More precisely, the outputs of the following two processes must 
be identically distributed: the first process generates (ivk, isk, itk) ←$ ID.Kg, 
then lets (Y, y) ←$ ID.Ct(ivk) and returns (ivk, Y); the second process gener- 
ates (ivk, isk, itk) ←$ ID.Kg, then lets Y ←$ ID.CS(ivk) and returns (ivk, Y). An 
example ID scheme is GQ [23]; see [7] for a description in our notation. For basic 
ID schemes, the trapdoor plays no role; its use arises in trapdoor identification, 
as discussed next. 
Prover                                        Verifier 
Input: ivk, isk                               Input: ivk 
(Y, y) ←$ ID.Ct(ivk) 
                        ------ Y ------> 
                        <----- c -------      c ←$ {0,1}^ID.cl 
z ← ID.Rp(ivk, isk, c, y) 
                        ------ z ------> 
                                              v ← ID.Vf(ivk, Y||c||z) 

Fig. 3. Functioning of an identification scheme ID. 


Game G^cimp-xy_ID(P) 
  S ← ∅ ; i ← 0 ; j ← 0 
  (ivk, isk, itk) ←$ ID.Kg 
  (k, z) ←$ P^{Tr,Ch}(ivk) 
  If not (1 ≤ k ≤ j): Return false 
  T ← CT[k]||z 
  Return ID.Vf(ivk, T) 

Tr() 
  i ← i + 1 
  (Y_i, y_i) ←$ ID.Ct(ivk) 
  c_i ←$ {0,1}^ID.cl 
  z_i ← ID.Rp(ivk, isk, c_i, y_i) 
  S ← S ∪ {(Y_i, c_i)} 
  Return Y_i||c_i||z_i 

Ch(l)   // xy = uu 
  If not (1 ≤ l ≤ i): Return ⊥ 
  j ← j + 1 ; c ←$ {0,1}^ID.cl 
  CT[j] ← Y_l||c ; Return c 

Ch(l, c)   // xy = uc 
  If not (1 ≤ l ≤ i): Return ⊥ 
  If (c = c_l): Return ⊥ 
  j ← j + 1 
  CT[j] ← Y_l||c ; Return c 

Ch(Y)   // xy = cu 
  j ← j + 1 ; c ←$ {0,1}^ID.cl 
  CT[j] ← Y||c ; Return c 

Ch(Y, c)   // xy = cc 
  If (Y, c) ∈ S: Return ⊥ 
  j ← j + 1 
  CT[j] ← Y||c ; Return c 

Fig. 4. Games defining security of identification scheme ID against constrained imper- 
sonation under passive attack. 


Trapdoor identification. We now define what it means for an ID scheme 
to be trapdoor. Namely there is an algorithm ID.Ct^{-1} that produces y from Y 
with the aid of the trapdoor itk. Formally, the outputs of the following two 
processes must be identically distributed. Both processes generate (ivk, isk, itk) 
←$ ID.Kg. The first process then lets (Y, y) ←$ ID.Ct(ivk). The second process 
picks Y ←$ ID.CS(ivk) and lets y ←$ ID.Ct^{-1}(ivk, itk, Y). (Here ID.CS(ivk) is the 
space of commitments associated to ID and ivk.) Both processes return (ivk, isk, 
itk, Y, y). 
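The following Python program is an added illustration and not code from the paper or its authors. It writes the GQ scheme of [23] in the ID.Kg / ID.Ct / ID.Rp / ID.Vf syntax above, with the RSA decryption exponent d playing the role of the trapdoor itk and ID.Ct^{-1} computing y = Y^d, and then applies the MdCmt and MdCmtCh transforms as the introduction describes them (Sect. 6 of the paper is the authoritative definition). The RSA primes, the challenge length and the SHA-256 stand-ins for the random oracles H(m, Z_N^*) and H(m||s, {0,1}^cl) are constructed assumptions chosen so that the toy runs instantly; they offer no security.

```python
# Added example: GQ as a trapdoor identification scheme, plus MdCmt / MdCmtCh.
# Every parameter below is a constructed toy value (assumption), not from the paper.
import hashlib
import math
import secrets

P_, Q_ = 10007, 10009   # constructed toy primes; N = P_*Q_ is far too small for real use
E = 65537               # public exponent, prime and coprime to (P_-1)(Q_-1)
CL = 8                  # challenge length ID.cl; GQ soundness needs 2^CL < E

def h_int(tag, data, bound):
    """Random-oracle stand-in H(tag||data, Z_bound): SHA-256 reduced mod bound."""
    dig = hashlib.sha256(tag + b"|" + data).digest()
    return int.from_bytes(dig, "big") % bound

def hash_to_units(m, N):
    """Model H(m, Z_N^*): hash into Z_N and re-hash with a counter on a non-unit."""
    ctr = 0
    while True:
        Y = h_int(b"cmt%d" % ctr, m, N)
        if Y > 1 and math.gcd(Y, N) == 1:
            return Y
        ctr += 1

def rand_unit(N):
    while True:
        v = secrets.randbelow(N - 2) + 2
        if math.gcd(v, N) == 1:
            return v

# GQ in the ID.Kg / ID.Ct / ID.Rp / ID.Vf syntax; the trapdoor itk is the exponent d
def kg():
    N = P_ * Q_
    d = pow(E, -1, (P_ - 1) * (Q_ - 1))   # itk = d, the RSA decryption exponent
    x = rand_unit(N)                       # isk = x
    return (N, E, pow(x, E, N)), x, d      # ivk = (N, e, X = x^e)

def ct(ivk):                               # ID.Ct: commitment Y = y^e, private state y
    N, e, _ = ivk
    y = rand_unit(N)
    return pow(y, e, N), y

def rp(ivk, isk, c, y):                    # ID.Rp: response z = y * x^c
    return y * pow(isk, c, ivk[0]) % ivk[0]

def vf(ivk, Y, c, z):                      # ID.Vf: accept iff z^e = Y * X^c
    N, e, X = ivk
    return pow(z, e, N) == Y * pow(X, c, N) % N

def ct_inv(ivk, itk, Y):                   # ID.Ct^{-1}: y = Y^d, so that y^e = Y
    return pow(Y, itk, ivk[0])

# MdCmt: commitment Y = H(m), random challenge c, signature (c, z)
def mdcmt_sign(ivk, isk, itk, m, c=None):
    Y = hash_to_units(m, ivk[0])
    if c is None:
        c = secrets.randbits(CL)
    y = ct_inv(ivk, itk, Y)                # the trapdoor supplies the coins behind Y
    return c, rp(ivk, isk, c, y)

def mdcmt_vf(ivk, m, sig):
    c, z = sig
    return 0 <= c < (1 << CL) and vf(ivk, hash_to_units(m, ivk[0]), c, z)

# MdCmtCh: Y = H(m), one seed bit s, challenge c = H(m||s), signature (s, z)
def mdcmtch_sign(ivk, isk, itk, m, s=None):
    Y = hash_to_units(m, ivk[0])
    if s is None:
        s = secrets.randbits(1)
    c = h_int(b"ch", m + bytes([s]), 1 << CL)
    y = ct_inv(ivk, itk, Y)
    return s, rp(ivk, isk, c, y)

def mdcmtch_vf(ivk, m, sig):
    s, z = sig
    if s not in (0, 1):
        return False
    c = h_int(b"ch", m + bytes([s]), 1 << CL)
    return vf(ivk, hash_to_units(m, ivk[0]), c, z)

def demo():
    """Honest run, trapdoor check, and one signature under each transform."""
    ivk, isk, itk = kg()
    Y, y = ct(ivk)
    c = secrets.randbits(CL)
    honest = vf(ivk, Y, c, rp(ivk, isk, c, y))
    trapdoor_ok = ct_inv(ivk, itk, Y) == y     # y -> y^e is a permutation of Z_N^*
    m = b"constructed sample message"
    return (honest, trapdoor_ok,
            mdcmt_vf(ivk, m, mdcmt_sign(ivk, isk, itk, m)),
            mdcmtch_vf(ivk, m, mdcmtch_sign(ivk, isk, itk, m)))

if __name__ == "__main__":
    print(demo())
```

demo() checks that an honest transcript verifies, that ID.Ct^{-1} returns exactly the y that ID.Ct drew (y ↦ y^e is a permutation of Z_N^*, so the two processes of the definition coincide), and that both transforms produce accepting signatures. Signing the same message twice under MdCmt gives two accepting transcripts on the same commitment H(m) with, most likely, different challenges, which is the situation an extractor for a Sigma protocol exploits; this is why the transform is analysed as UUF rather than UF.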

Security against impersonation. Classically, the security goal for an identi- 
fication scheme ID has been impersonation [1,15]. The framework has two stages. 
First, the adversary, given ivk but not isk, attacks the honest, isk-using prover. 
Second, using the information it gathers in the first stage, it engages in an inter- 
action with the verifier, attempting to impersonate the real prover by success- 
fully identifying itself. In the second stage, the adversary, in the role of malicious 
prover, submits a commitment Y of its choice, receives an honest verifier chal- 
lenge c, submits a response z of its choice, and wins if ID.Vf(ivk, Y||c||z) = true. 
A hierarchy of possible first-phase attacks is defined in [6]. In the context of con- 
version to signatures, the relevant one is the weakest, namely passive attacks, 
where the adversary is just an eavesdropper and gets honestly-generated protocol 
transcripts. This is the IMP-PA notion. (Active and even concurrent attacks are 
relevant in other contexts [6].) We note that in the second stage, the adversary 
is allowed only one interaction with the honest verifier. 

Security against constrained impersonation. We introduce a new frame- 
work of goals for identification that we call constrained impersonation. There are 
two dimensions, the commitment dimension X and the challenge dimension Y, 
for each of which there are two choices, X ∈ {C,U} and Y ∈ {C,U}, where C 
stands for chosen and U for unchosen. This results in four notions, CIMP-UU, 
CIMP-UC, CIMP-CU, CIMP-CC. It works as follows. The adversary is allowed 
a passive attack, namely the ability to obtain transcripts of interactions between 
the honest prover and the verifier. The choices pertain to the impersonation, 
when the adversary interacts with the honest verifier in an attempt to make it 
accept. When X = C, the adversary can send the verifier a commitment of its 
choice, as in classical impersonation. But when X = U, it cannot. Rather, it is 
required (constrained) to use a commitment that is from one of the transcripts 
it obtained in the first phase and thus in particular honestly generated. Next 
comes the challenge. If Y = U, this is chosen freshly at random, as in the classi- 
cal setting, but if Y = C, the adversary actually gets to pick its own challenge. 
Regardless of choices made in these four configurations, to win the adversary 
must finally supply a correct response. And, also regardless of these choices, the 
adversary can mount multiple attempts to convince the verifier, contrasting with 
the strict two-phase adversary in classical definitions of impersonation security. 

For choices xy ∈ {uu, uc, cu, cc} of parameters, the formalization considers 
game G^cimp-xy_ID(P) of Fig. 4 associated to identification scheme ID and adversary 
P. We let 

Adv^cimp-xy_ID(P) = Pr[G^cimp-xy_ID(P)]. 

The transcript oracle Tr returns upon each invocation a transcript of an 
interaction between the honest prover and verifier, allowing P to mount its 
passive attack, and is the same for all four games. The impersonation attempts 
are mounted through calls to the challenge oracle Ch, which creates a partial 
transcript CT[j] consisting of a commitment and a challenge, where j is a session 
id, and it returns the challenge. Multiple impersonation attempts are captured 
by the adversary being allowed to call Ch as often as it wants. Eventually the 
adversary outputs a session id k and a response z for session k and wins if the 
corresponding transcript is accepting. In the UU case, P would give Ch only an 
index l of an existing transcript already returned by Tr, and CT[j] consists of 
the commitment from the l-th transcript together with a fresh random challenge. 
In the UC case, Ch takes in addition a challenge c chosen by the adversary. The 
game requires that it be different from c_l (the challenge in the l-th transcript), 
and CT[j] then consists of the commitment from the l-th transcript together 
with this challenge. In CU, the adversary can specify the commitment but the 
challenge is honestly chosen. In CC, it can specify both, as long as the pair did 
not occur in a transcript. The adversary can call the oracles as often as it wants 
and in whatever order it wants. 

CIMP-CU is a multi-impersonation extension of the classical IMP-PA notion. 
The other notions are new, and all will be the basis of transforms of identification 
to signatures admitting tight security reductions. CIMP-CU captures a practical 
identification security goal. As discussed in Sect. 1, the other notions have no such 
practical interpretation. However we are not aiming to capture some practical 
form of identification. We wish to use identification only as an analytic tool in 
the design of signature schemes. For this purpose, as we will see, our framework 
and notions are indeed useful, allowing us to characterize past transforms and 
build new ones. 

Implications. Figure 1 shows the relations between the four CIMP-XY notions. 
The implications are captured by Proposition 1. (The separations will be dis- 
cussed below.) The bounds in these claims imply some conditions or assumptions 
for the implications which we did not emphasize before because they hold for typ- 
ical identification schemes. Namely, CIMP-UC → CIMP-UU assumes the iden- 
tification scheme has large challenge length. CIMP-CC → CIMP-UC assumes it 
has a large commitment space. CIMP-CC → CIMP-CU again assumes it has a 
large challenge length. We remark that in all but one case, the adversary con- 
structed in the proof makes only one Ch query, regardless of how many the 
starting adversary made. The proof of the following is in [7]. 

Proposition 1. Let ID be an identification scheme. Let 

ID.CSS = min{ |ID.CS(ivk)| : (ivk, isk, itk) ∈ [ID.Kg] }. 

Then: 

1. [CIMP-UC → CIMP-UU] Given P_uu making q_c queries to Ch, we construct 
P_uc, making one Ch query, such that Adv^cimp-uu_ID(P_uu) ≤ Adv^cimp-uc_ID(P_uc) + 
q_c · 2^{-ID.cl}. 

2. [CIMP-CU → CIMP-UU] Given P_uu, we construct P_cu making as many Ch 
queries as P_uu, such that Adv^cimp-uu_ID(P_uu) ≤ Adv^cimp-cu_ID(P_cu). 

3. [CIMP-CC → CIMP-UC] Given P_uc making q_t queries to Tr, we construct 
P_cc, making one Ch query, such that Adv^cimp-uc_ID(P_uc) ≤ Adv^cimp-cc_ID(P_cc) + 
q_t(q_t − 1)/(2 · ID.CSS). 

4. [CIMP-CC → CIMP-CU] Given P_cu making q_t queries to Tr and q_c queries 
to Ch, we construct P_cc, making one Ch query, such that Adv^cimp-cu_ID(P_cu) 
≤ Adv^cimp-cc_ID(P_cc) + q_t q_c · 2^{-ID.cl}. 

In all cases, the constructed adversary makes the same number of Tr queries as 
the starting adversary and has about the same running time. 
Game G^ex_ID(A) 
  (ivk, isk, itk) ←$ ID.Kg 
  (Y, c_1, z_1, c_2, z_2) ←$ A(ivk, isk, itk) 
  v_1 ← ID.Vf(ivk, Y||c_1||z_1) 
  v_2 ← ID.Vf(ivk, Y||c_2||z_2) 
  isk* ←$ ID.Ex(ivk, Y||c_1||z_1, Y||c_2||z_2) 
  Return (isk* ≠ isk) ∧ (c_1 ≠ c_2) ∧ v_1 ∧ v_2 

Game G^hvzk_ID(A) 
  (ivk, isk, itk) ←$ ID.Kg ; b ←$ {0,1} 
  (Y_1, y) ←$ ID.Ct(ivk) ; c_1 ←$ {0,1}^ID.cl 
  z_1 ← ID.Rp(ivk, isk, c_1, y) 
  Y_0||c_0||z_0 ←$ ID.Sim(ivk) 
  b' ←$ A(ivk, Y_b||c_b||z_b) 
  Return (b = b') 

Game G^kr_ID(I) 
  (ivk, isk, itk) ←$ ID.Kg 
  isk* ←$ I(ivk) 
  Return (isk* = isk) 

Fig. 5. Games defining the extractability, HVZK and key-recovery security of an iden- 
tification scheme ID. 


Separations. We now discuss the separations, beginning with CIMP-CU ↛ 
CIMP-UC. Start with any CIMP-CU scheme. We will modify it so that it remains 
CIMP-CU-secure but is not CIMP-UC-secure. Distinguish a single challenge 
c* ∈ {0,1}^ID.cl, e.g., c* = 0^ID.cl. Revise the verifier’s algorithm so that it will 
accept any transcript with challenge c*. This is still CIMP-CU-secure (as long 
as ID.cl is large) since, in the CIMP-CU game, challenges are picked uniformly 
at random for the adversary, so existence of the magic challenge is unlikely to 
be useful. This is manifestly not CIMP-UC-secure since there the adversary can 
use any challenge of its choice. CIMP-UU ↛ CIMP-UC for the same reason. 

We turn to CIMP-UC ↛ CIMP-CU. Start with any CIMP-UC scheme. 
Again we will modify it so that it remains CIMP-UC-secure but is not CIMP-CU- 
secure. This time, distinguish a single commitment Y*: one way of doing this 
is for ID.Kg to sample Y* ←$ ID.CS(ivk) and include Y* in the public key ivk; 
another is to agree for example that (Y*, y*) ← ID.Ct(ivk; 0^l) where l is the 
number of random bits required by ID.Ct. Revise the verifier’s algorithm so that 
it will accept any transcript with commitment Y*. This is still CIMP-UC-secure 
(assuming |ID.CS(ivk)| is large) since, in the CIMP-UC game, commitments are 
generated randomly for the adversary, so existence of a magic commitment is 
unlikely to be useful. This is manifestly not CIMP-CU-secure since there the 
adversary can use any commitment of its choice. CIMP-UU ↛ CIMP-CU for 
the same reason. 

Finally, CIMP-UC ↛ CIMP-CC and CIMP-CU ↛ CIMP-CC since oth- 
erwise, by transitivity in Fig. 1, we would contradict the separation between 
CIMP-UC and CIMP-CU. 

4 Achieving CIMP-XY Security 

Here we show how to obtain identification schemes satisfying our CIMP-XY 
notions of security. We base CIMP-XY security on the problem of recovering the 
secret key of the identification scheme given nothing but the public key, which 
plays the role of the algebraic problem Palg in typical identification schemes and 
corresponds to a standard assumption. (For example for GQ it is one-wayness of 
RSA.) For CIMP-UC and CIMP-UU, the reductions are tight. For CIMP-CU, 
the reduction is not tight. CIMP-CC cannot be obtained via these paths, and 
instead we establish it from signatures. First we need to recall a few standard 
definitions. 

HVZK and extractability. We say that an identification scheme ID is honest 
verifier zero-knowledge (HVZK) if there exists an algorithm ID.Sim (called the 
simulator) that given the verification key, generates transcripts which have the 
same distribution as honest ones, even given the verification key. Formally, if A 
is an adversary, let Adv^hvzk_ID(A) = 2Pr[G^hvzk_ID(A)] − 1 where the game is shown in 
Fig. 5. Then ID is HVZK if Adv^hvzk_ID(A) = 0 for all adversaries A (regardless of the 
running time of A). We say that an identification scheme ID is extractable if there 
exists an algorithm ID.Ex (called the extractor) which from any two verifying 
transcripts that have the same commitment but different challenges can recover 
the secret key. Formally, if A is an adversary, let Adv^ex_ID(A) = Pr[G^ex_ID(A)] where 
the game is shown in Fig. 5. Then ID is extractable if Adv^ex_ID(A) = 0 for all 
adversaries A (regardless of the running time of A). We say that an identification 
scheme is a Sigma protocol [13] if it is both HVZK and extractable. 

Security against key recovery. An identification scheme ID is resilient to 
key recovery if it is hard to recover the secret identification key given nothing but 
the verification key. This was defined by OO [33]. Formally, if I is an adversary, 
let Adv^kr_ID(I) = Pr[G^kr_ID(I)] where the game is shown in Fig. 5. Security against 
key recovery is precisely the (standard) assumption Palg underlying most identi- 
fication schemes (e.g., the one-wayness of RSA for the GQ identification scheme, 
and the factoring assumption for factoring-based schemes). 

Obtaining CIMP-UU and CIMP-UC. Here we show that for Sigma protocols, 
CIMP-UU and CIMP-UC security reduce tightly to security under key recovery. 
The proof of the following is in [7]. 

Theorem 1. Let ID be an identification scheme that is honest verifier zero- 
knowledge and extractable. Then for any adversary P against CIMP-UC we 
construct a key recovery adversary I such that 

Adv^cimp-uc_ID(P) ≤ Adv^kr_ID(I). (1) 

Also for any adversary P against CIMP-UU that makes q_c queries to its Ch 
oracle we construct a key recovery adversary I such that 

Adv^cimp-uu_ID(P) ≤ Adv^kr_ID(I) + q_c · 2^{-ID.cl}. (2) 

In both cases, the running time of I is about that of P plus the time for one 
execution of ID.Ex and the time for a number of executions of ID.Sim equal to 
the number of Tr queries of P. 


450 


M. Bellare et al. 


Obtaining CIMP-CU. CIMP-CU security of Sigma protocols can also be estab- 
lished under their key recovery security, but the reduction is not tight. 

Theorem 2. Let ID be an identification scheme that is honest verifier zero- 
knowledge and extractable. For any adversary P against CIMP-CU making q 
queries to its Ch oracle, we construct a key recovery adversary I such that 

(3) 

The running time of I is about twice that of P. 

To establish Theorem 2, our route will be via standard techniques and known 
results, and the proof can be found for completeness in [7]. 

Obtaining CIMP-CC. This is our strongest notion, and is quite different from 
the rest. Sigma protocols will fail to achieve CIMP-CC because an HVZK identi- 
fication scheme cannot be CIMP-CC-secure. The attack (adversary) P showing 
this is as follows. Assuming ID is HVZK, our adversary P, given the verification 
key ivk, runs the simulator to get a transcript Y||c||z ←$ ID.Sim(ivk). It makes 
no Tr queries, so the set S in the game is empty. It then makes query Ch(Y, c) 
and returns (1, z) to achieve Adv^cimp-cc_ID(P) = 1. 

This doesn’t mean CIMP-CC is unachievable. We show in [7] how to achieve 
it from any UF digital signature scheme. 

While this shows CIMP-CC is achievable, and even under standard assump- 
tions, it is not of help for us, since we want to obtain signature schemes from iden- 
tification schemes and if the latter are themselves built from a signature scheme 
then nothing has been gained. We consider CIMP-CC nonetheless because our 
framework naturally gives rise to it and we wish to see the full picture, and also 
because there may be other ways to achieve CIMP-CC. 


5 From UUF to UF 


Some of our transforms of identification schemes into signature schemes naturally 
achieve UUF security rather than UF security. To achieve the latter, one can take 
our UUF schemes and apply the transforms in this section. The reductions are 
tight and the costs are low. First we observe that standard derandomization 
(removing randomness) has the additional benefit (apparently not noted before) 
of turning UUF into UF. Second, we show that message randomization (adding 
randomness) is also a natural solution. 

5.1 From UUF to UF by Removing Randomness 

It is standard to derandomize a signing algorithm by obtaining the coins from 
a secretly keyed hash function applied to the message. This has been shown 
to preserve UF security — meaning, if the starting scheme is UF-secure, so is 
the derandomized scheme — in some cases. One secure instantiation is to use 
Left (DS* = DR[DS]):

DS*.Kg
  Return DS.Kg

DS*.Sig^H(vk, sk, m)
  r ← H(sk‖m)
  Return DS.Sig(vk, sk, m; r)

DS*.Vf(vk, m, σ)
  Return DS.Vf(vk, m, σ)

Right (DS* = AR[DS, sl]):

DS*.Kg
  Return DS.Kg

DS*.Sig(vk, sk, m)
  s ←$ {0,1}^sl
  σ ←$ DS.Sig(vk, sk, m‖s)
  σ* ← σ‖s ; Return σ*

DS*.Vf(vk, m, σ*)
  σ‖s ← σ*
  Return DS.Vf(vk, m‖s, σ)

Fig. 6. Left: Our construction of deterministic signature scheme DS* = DR[DS] from
a signature scheme DS. By H(·) we denote H(·, {0,1}^{DS.rl}), which has range {0,1}^{DS.rl}.
Right: Our construction of added-randomness signature scheme DS* = AR[DS, sl]
from a signature scheme DS and a seed length sl ∈ ℕ.


a PRF as the hash function with the PRF key added to the signing secret 
key [19], however this changes the signing key and can be undesirable in practice. 
Instead one can hash the signing key with the message using a hash function 
that one models as a random oracle. This has been proven to work for certain 
particular choices of the starting signature scheme, namely when this scheme 
is ECDSA [26]. Such de-randomization is also used in the Ed25519 signature 
scheme [11]. However, it has not been proven in the general case. This will 
follow from our results. 

The purpose of the method, above, was exactly to derandomize, namely 
to ensure that the signing process is deterministic, and the starting signature 
scheme was assumed UF secure. We observe here that the method has an addi- 
tional benefit which does not seem to have been noted before, namely that it 
works even if the starting scheme is only UUF secure, meaning it upgrades UUF 
security to UF security. It is an attractive way to do this because it preserves sig- 
nature size and verification time, while adding to the signing time only the cost 
of one hash. We specify a derandomization transform and prove that it turns 
UUF schemes into UF ones in general, meaning assuming nothing more than 
UUF security of the starting scheme. In particular, we justify derandomization 
in a broader context than previous work. 

The construction. For a signature scheme DS, let DS.rl denote the length
of the randomness (number of coins) used by the signing algorithm DS.Sig. We
write σ ← DS.Sig(vk, sk, m; r) for the execution of DS.Sig on inputs vk, sk, m
and coins r ∈ {0,1}^{DS.rl}. Let signature scheme DS* = DR[DS] be obtained from
DS as in Fig. 6. Here, the function H(·) used to compute r in algorithm DS*.Sig
is H(·, {0,1}^{DS.rl}), meaning the range is set to {0,1}^{DS.rl}.

While algorithms of the starting scheme DS may invoke the random oracle 
(and, in the schemes we construct in Sect. 6, they do), it is assumed they do 
not invoke H(·, {0,1}^{DS.rl}). This can be ensured in a particular case by domain
separation. Given this, other calls of the algorithms of the starting scheme to 
the random oracle can be simulated directly in the proof via the random oracle 
available to the constructed adversaries. Accordingly in the scheme description 
of Fig. 6, and proof below, for simplicity, we do not give the algorithms of the 
starting signature scheme access to the random oracle. That is, think of the 
starting scheme as being a standard-model one. 

Unforgeability. The following says that the constructed scheme DS* is UF 
secure assuming the starting scheme DS was UUF secure, with a tight reduction. 
The reason a deterministic scheme that is UUF is also UF is clear, namely there 
is nothing to gain by calling the signing oracle more than once on a particular 
message, because one just gets back the same thing each time. What the proof 
needs to ensure is that the method of making the scheme deterministic does not 
create any weaknesses. The danger is that including the secret key as an input 
to the hash increases the exposure of the key. The proof says that it might a 
little, but the advantage does not go up by more than a factor of two. The proof 
is in [7]. 

Theorem 3. Let signature scheme DS* = DR[DS] be obtained from signature
scheme DS as in Fig. 6. Let $\mathcal{A}$ be a UF-adversary against DS* that makes $q_h$
queries to H and $q_s$ queries to Sign. Then from $\mathcal{A}$ we can construct UUF-
adversary $\mathcal{A}_0$ such that

$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}^*}(\mathcal{A}) \le 2 \cdot \mathrm{Adv}^{\mathrm{uuf}}_{\mathrm{DS}}(\mathcal{A}_0).$ (4)

Adversary $\mathcal{A}_0$ makes $q_s$ queries to Sign. It has running time about that of $\mathcal{A}$ plus
the time for $q_h$ invocations of DS.Sig and DS.Vf.

We remark that adversary $\mathcal{A}_0$ actually violates key recovery security of DS,
not just its UUF security.


5.2 From UUF to UF by Adding Randomness 

A complementary and natural method for constructing UF signatures from UUF
ones is by adding randomness: before being signed, the message is concatenated
with a random seed s of some length sl, so even for the same message, the inputs
to the UUF signing algorithm are (with high probability) distinct. Compared to
derandomization, the drawback of this method is that the signature size increases
because the seed must be included in the signature. The potential advantage is
that the transform is standard model, not using a random oracle, while preserv-
ing the secret key. (Derandomization can be done in the standard model via a
PRF, but this requires augmenting the signing key with the PRF key.)

The construction. Let signature scheme DS* = AR[DS, sl] be obtained from
DS as in Fig. 6. As above, DS is for simplicity assumed to be a standard-model
scheme, so that its algorithms do not have access to H. The transform itself does
not use H.
DS.Kg^H
  (ivk, isk, itk) ←$ ID.Kg
  vk ← ivk ; sk ← (isk, itk)
  Return (vk, sk)

DS.Sig^H(vk, sk, m)
  ivk ← vk ; (isk, itk) ← sk
  Y ← H(m)
  y ←$ ID.Ct^{-1}(ivk, itk, Y)
  c ←$ {0,1}^{ID.cl}
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (c, z)
  Return σ

DS.Vf^H(vk, m, σ)
  ivk ← vk ; (c, z) ← σ
  Y ← H(m)
  Return ID.Vf(ivk, Y‖c‖z)

Fig. 7. The construction of signature scheme DS = MdCmt[ID] from trapdoor iden-
tification scheme ID. By H(·) we denote H(·, ID.CS(ivk)).

Unforgeability. The following says that the constructed scheme DS* is UF 
secure assuming the starting scheme DS was UUF secure, with a tight reduction. 
The reason is quite simple, namely that unless seeds collide, the messages being 
signed are distinct. The proof of the following is in [7]. 

Theorem 4. Let signature scheme DS* = AR[DS, sl] be obtained from signature
scheme DS and seed length sl ∈ ℕ as in Fig. 6. Let $\mathcal{A}$ be a UF-adversary against
DS* making $q_s$ queries to its Sign oracle. Then from $\mathcal{A}$ we construct a UUF
adversary $\mathcal{A}$ such that

Adversary $\mathcal{A}$ makes $q_s$ queries to its Sign oracle and has about the same running
time as $\mathcal{A}$.

6 Signatures from Identification 

We specify our three new transforms of identification schemes to signature
schemes, namely the ones of rows 2, 3, 4 of the table of Fig. 1. In each case, we give
a security proof based on the assumption $P_{\mathrm{id}}$ listed in the 1st column of the corre-
sponding row of the table, so that we give transforms from CIMP-UC, CIMP-UU
and CIMP-CC. It turns out that these transforms naturally achieve UUF rather
than UF, and this is what we prove, with tight reductions of course. The trans-
formation UUF → UF can be done at the level of signatures, not referring to
identification, in generic and simple ways, and also with tight reductions, as
detailed in Sect. 5. We thus get UF-secure signatures with tight reductions to
each of CIMP-UC, CIMP-UU and CIMP-CC. In this section we further study
the FS transform from [16] and our transform Swap which is inspired by the
work of MR [30].

6.1 From CIMP-UC Identification to UUF Signatures: MdCmt


MdCmt transforms a CIMP-UC trapdoor identification scheme to a UUF sig- 
nature scheme using message-dependent commitments. 

The construction. Let ID be a trapdoor identification scheme and ID.cl its
challenge length. Our MdCmt (message-dependent commitment) transform
associates to ID the signature scheme DS = MdCmt[ID]. The algorithms of
DS are defined in Fig. 7. By H(·) we denote H(·, ID.CS(ivk)), meaning the range
is set to commitment space ID.CS(ivk). Signatures are effectively identification
transcripts, but the commitments are chosen in a particular way. Recall that
with trapdoor ID schemes it is the same whether one executes (Y, y) ←$ ID.Ct(ivk)
directly, or samples Y ←$ ID.CS(ivk) followed by computing y ←$ ID.Ct^{-1}(ivk, itk, Y).
Our construction exploits this: To each message m it assigns an individual commit-
ment Y ← H(m). The signing algorithm, using the trapdoor, completes this
commitment to a transcript (Y, c, z) and outputs the pair (c, z) as the signature.
Verification then consists of recomputing Y from m and invoking the verification
algorithm of the ID scheme.

Unforgeability. The following theorem establishes that the (unique) unforge- 
ability of a signature scheme constructed with MdCmt tightly reduces to the 
CIMP-UC security of the underlying ID scheme, in the random oracle model. 
The proof of the following is in [7] . 


Theorem 5. Let signature scheme DS = MdCmt[ID] be obtained from trapdoor
identification scheme ID as in Fig. 7. Let $\mathcal{A}$ be a UUF-adversary against DS.
Suppose the number of queries that $\mathcal{A}$ makes to its H and Sign oracles are $q_h$
and $q_s$, respectively. Then from $\mathcal{A}$ we construct a CIMP-UC adversary $\mathcal{P}$ such
that

$\mathrm{Adv}^{\mathrm{uuf}}_{\mathrm{DS}}(\mathcal{A}) \le \dfrac{\mathrm{Adv}^{\mathrm{cimp\text{-}uc}}_{\mathrm{ID}}(\mathcal{P})}{1 - 2^{-\mathrm{ID.cl}}}.$ (5)

Adversary $\mathcal{P}$ makes $q_h + q_s + 1$ queries to Tr and one query to Ch. Its running
time is about that of $\mathcal{A}$.

The bound of Eq. (5) may be a bit hard to estimate. The following simpler
bound is also true and may be easier to use:

$\mathrm{Adv}^{\mathrm{uuf}}_{\mathrm{DS}}(\mathcal{A}) \le \mathrm{Adv}^{\mathrm{cimp\text{-}uc}}_{\mathrm{ID}}(\mathcal{P}) +$ (6)

The justification for Eq. (6) is in [7].


6.2 From CIMP-UU Identification to UUF Signatures: MdCmtCh 

MdCmtCh transforms a CIMP-UU trapdoor identification scheme to a UUF
signature scheme using message-dependent commitments and challenges.

The construction. Our MdCmtCh (message-dependent commitment and 
challenge) transform associates to trapdoor identification scheme ID the sig- 
nature scheme DS = MdCmtCh[ID] whose algorithms are defined in Fig. 8. 
DS.Kg^H
  (ivk, isk, itk) ←$ ID.Kg
  vk ← ivk ; sk ← (isk, itk)
  Return (vk, sk)

DS.Sig^H(vk, sk, m)
  s ←$ {0,1}
  ivk ← vk ; (isk, itk) ← sk
  Y ← H_1(m)
  y ←$ ID.Ct^{-1}(ivk, itk, Y)
  c ← H_2(m‖s)
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (z, s) ; Return σ

DS.Vf^H(vk, m, σ)
  ivk ← vk ; (z, s) ← σ
  Y ← H_1(m)
  c ← H_2(m‖s)
  Return ID.Vf(ivk, Y‖c‖z)

Fig. 8. Our construction of signature scheme DS = MdCmtCh[ID] from a trapdoor
identification scheme ID. By H_1(·) we denote random oracle H(·, ID.CS(ivk)) with range
ID.CS(ivk) and by H_2(·) we denote random oracle H(·, {0,1}^{ID.cl}) with range {0,1}^{ID.cl}.


We specify the commitment Y as a hash of the message and use the trapdoor
property to allow the signer to obtain y ←$ ID.Ct^{-1}(ivk, itk, Y). We then specify
the challenge as a randomized hash of the message. (Unlike in the FS transform,
the commitment is not hashed along with the message.) The randomization is
captured by a one-bit seed s. The construction, and proof below, both use the
technique of KW [24].

By H_1(·) we denote random oracle H(·, ID.CS(ivk)) with range ID.CS(ivk)
and by H_2(·) we denote random oracle H(·, {0,1}^{ID.cl}) with range {0,1}^{ID.cl}. We
assume ID.CS(ivk) ≠ {0,1}^{ID.cl} so that these random oracles are independent.
In case ID.CS(ivk) = {0,1}^{ID.cl}, the scheme should be modified to use domain
separation, for example prefix a 1 to any query to H_1 and a 0 to any query to H_2.

Notice that the signature consists of a response plus a bit. It is thus shorter 
than for MdCmt (where it is a response plus a challenge) or for FS (where it 
is a response plus a commitment or, in the more compact form, a response plus 
a challenge). These shorter signatures are a nice feature of MdCmtCh. 

Unforgeability of our construction. The following shows that unique 
unforgeability of our signature tightly reduces to the CIMP-UU security of the 
underlying ID scheme. Standard unforgeability follows immediately (and tightly) 
by applying one of the UUF-to-UF transforms in Sect. 5. 

Theorem 6. Let signature scheme DS = MdCmtCh[ID] be obtained from trap-
door identification scheme ID as in Fig. 8. Let $\mathcal{A}$ be a UUF adversary against
DS. Suppose the number of queries that $\mathcal{A}$ makes to its H_1 and H_2 oracles is $q_h$,
and the number to its Sign oracle is $q_s$. Then from $\mathcal{A}$ we construct CIMP-UU
adversary $\mathcal{P}$ such that

$\mathrm{Adv}^{\mathrm{uuf}}_{\mathrm{DS}}(\mathcal{A}) \le 2 \cdot \mathrm{Adv}^{\mathrm{cimp\text{-}uu}}_{\mathrm{ID}}(\mathcal{P}).$ (7)

Adversary $\mathcal{P}$ makes $q_h + q_s + 1$ queries to Tr and $q_h + q_s$ queries to Ch. It has
running time about that of $\mathcal{A}$.
Adversary P^{Tr,Ch}(ivk)
  HT_1 ← ∅ ; HT_2 ← ∅
  M ← ∅ ; i ← 0
  (m, σ) ←$ A^{Sign,H_1,H_2}(ivk)
  (z, s) ← σ
  Y ← H_1(m)
  j ← Ind[m]
  Return (j, z)

Sign(m)
  If m ∈ M: Return ⊥
  M ← M ∪ {m}
  Y ← H_1(m) ; l ← Ind[m]
  σ ← (z_l, s_l) ; Return σ

H_1(m)
  If HT_1[m]: Return HT_1[m]
  i ← i + 1 ; Y_i‖c_i‖z_i ←$ Tr()
  HT_1[m] ← Y_i ; Ind[m] ← i
  s_i ←$ {0,1} ; HT_2[m‖s_i] ← c_i
  HT_2[m‖s̄_i] ← Ch(i)
  Return HT_1[m]

H_2(x)
  If HT_2[x]: Return HT_2[x]
  m‖s ← x ; Y ← H_1(m)
  Return HT_2[x]

Fig. 9. Adversary for proof of Theorem 6.


Proof (Theorem 6). Adversary $\mathcal{P}$ is shown in Fig. 9. It executes $\mathcal{A}$, responding
to H_1, H_2 and Sign queries of the latter via the shown procedures, which are
subroutines in the code of $\mathcal{P}$. We assume the message m in the forgery (m, σ)
returned by $\mathcal{A}$ was not queried to Sign and is not in the set M, since otherwise
$\mathcal{A}$ would automatically lose. The “Y ← H_1(m)” instructions in the code of
Sign, the code of H_2 and following the execution of $\mathcal{A}$ ensure that H_1(m) is
queried at this point. Each time a new H_1(m) query is made, a transcript is
generated by $\mathcal{P}$ using its Tr oracle. The commitment in this transcript is the
reply to the H_1(m) query. Additionally, however, steps are taken to ensure that,
if, later, a Sign(m) query is made, then a signature to return is available. This
is done by picking a random one-bit seed s_i and assigning H_2(m‖s_i) the value
c_i. At the time of a signing query, one can use s_i as the seed and use the
response of the corresponding transcript to create the signature. To be able to
win via the forgery, H_2(m‖s̄_i) is assigned a challenge via Ch, where s̄_i denotes
the complement of the bit s_i. Now, when the forgery (m, (z, s)) is obtained from
$\mathcal{A}$, the associated index j is computed, and then z is returned as a response for
that session. Adversary $\mathcal{P}$ will be successful as long as $\mathcal{A}$ is successful and s = s̄_j.
The events being independent we have

$\mathrm{Adv}^{\mathrm{cimp\text{-}uu}}_{\mathrm{ID}}(\mathcal{P}) \ge \tfrac{1}{2} \cdot \mathrm{Adv}^{\mathrm{uuf}}_{\mathrm{DS}}(\mathcal{A}).$

Transposing terms yields Eq. (7). □
6.3 From CIMP-CC Identification to UF Signatures: MdCh

The MdCmt and MdCmtCh transforms described above rely on the trap- 
door property of the underlying identification scheme and achieve UUF rather 
than UF. The MdCh transform we describe here does not have these limi- 
tations. (It does not require the identification scheme to be trapdoor, and it 
directly achieves UF.) However, among the security notions for ID schemes that 
we defined, MdCh assumes the strongest one: CIMP-CC. 

The construction. Our MdCh (message-dependent challenge) transform
associates to identification scheme ID and a seed length sl ∈ ℕ the signature
scheme DS = MdCh[ID, sl] whose algorithms are defined in Fig. 10. Signing
picks the commitment directly rather than (as in our prior transforms) specify-
ing it as the hash of the message. The challenge is derived as a randomized hash
of the message, the randomization being captured by a seed s of length sl. By
H(·) we denote random oracle H(·, {0,1}^{ID.cl}) with range {0,1}^{ID.cl}.

Unforgeability. As we prove below (with tight reduction), the MdCh con- 
struction yields a UF secure signature scheme if the underlying identification 
scheme offers CIMP-CC security. 

Theorem 7. Let signature scheme DS = MdCh[ID, sl] be obtained from identi-
fication scheme ID and seed length sl ∈ ℕ as in Fig. 10. Let $\mathcal{A}$ be a UF adversary
against DS making $q_h$ queries to its H oracle and $q_s$ queries to its Sign oracle.
Then from $\mathcal{A}$ we construct a CIMP-CC adversary $\mathcal{P}$ such that

$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}}(\mathcal{A}) \le \mathrm{Adv}^{\mathrm{cimp\text{-}cc}}_{\mathrm{ID}}(\mathcal{P}) +\quad +$ (8)

Adversary $\mathcal{P}$ makes $q_s$ queries to Tr and one query to Ch and has running time
about that of $\mathcal{A}$.

Proof (Theorem 7). Game G_0 of Fig. 11 includes the boxed code, while game G_1
does not. Game G_0 is precisely the UF game of Fig. 2 with the algorithms of DS


DS.Kg^H
  (ivk, isk, itk) ←$ ID.Kg
  vk ← ivk ; sk ← isk
  Return (vk, sk)

DS.Sig^H(vk, sk, m)
  ivk ← vk ; isk ← sk
  s ←$ {0,1}^sl
  (Y, y) ←$ ID.Ct(ivk)
  c ← H(m‖s)
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (Y, s, z)
  Return σ

DS.Vf^H(vk, m, σ)
  ivk ← vk ; (Y, s, z) ← σ
  c ← H(m‖s)
  Return ID.Vf(ivk, Y‖c‖z)

Fig. 10. The construction of signature scheme DS = MdCh[ID, sl] from identification
scheme ID and seed length sl. By H(·) we denote random oracle H(·, {0,1}^{ID.cl}) with
range {0,1}^{ID.cl}.
Game G_0 (includes the boxed code), G_1 (does not)
  (ivk, isk, itk) ←$ ID.Kg
  (m, σ) ←$ A^{Sign,H}(ivk)
  (Y, s, z) ← σ
  c ← H(m‖s)
  Return ID.Vf(ivk, Y‖c‖z)

Sign(m)
  s ←$ {0,1}^sl
  (Y, y) ←$ ID.Ct(ivk)
  c ←$ {0,1}^{ID.cl}
  If HT[m, s]: bad ← true ; [boxed: c ← HT[m, s]]
  HT[m, s] ← c
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (Y, s, z)
  Return σ

H(x)
  m‖s ← x
  If not HT[m, s]: HT[m, s] ←$ {0,1}^{ID.cl}
  Return HT[m, s]

Adversary P^{Tr,Ch}(ivk)
  (m, σ) ←$ A^{Sign,H}(ivk)
  (Y, s, z) ← σ
  c ← H(m‖s)
  c' ← Ch(Y, c) // c' = c
  Return (1, z)

Sign(m)
  s ←$ {0,1}^sl
  Y‖c‖z ←$ Tr()
  HT[m, s] ← c
  σ ← (Y, s, z)
  Return σ

H(x)
  m‖s ← x
  If not HT[m, s]: HT[m, s] ←$ {0,1}^{ID.cl}
  Return HT[m, s]

Fig. 11. Games and adversary for proof of Theorem 7.


plugged in. We assume the message m in the forgery (m, σ) returned by $\mathcal{A}$ was
not queried to Sign. Games G_0, G_1 are identical until bad. By the Fundamental
Lemma of Game Playing [10] we have

$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}}(\mathcal{A}) = \Pr[G_0] = \Pr[G_1] + (\Pr[G_0] - \Pr[G_1]) \le \Pr[G_1] + \Pr[G_1 \text{ sets bad}]$
$\le \Pr[G_1] +$

Adversary $\mathcal{P}$ of Fig. 11 executes $\mathcal{A}$, responding to Sign and H queries of the
latter via the shown procedures, which are subroutines in the code of $\mathcal{P}$.

Adversary $\mathcal{P}$ simulates for $\mathcal{A}$ the environment of game G_1. In the execution
of game $\mathrm{G}^{\mathrm{cimp\text{-}cc}}_{\mathrm{ID}}(\mathcal{P})$ of Fig. 4, let B denote the event that (Y, c) ∈ S, where (Y, c)
is the argument to the single Ch query made by our $\mathcal{P}$. Then

$\Pr[G_1] \le \mathrm{Adv}^{\mathrm{cimp\text{-}cc}}_{\mathrm{ID}}(\mathcal{P}) + \Pr[B].$

To complete the proof, it suffices to show that

$\Pr[B] \le \dfrac{q_h q_s}{2^{\mathrm{ID.cl}}}.$

We bound Pr[B] by the probability that c is a challenge in one of the transcripts.
The message m in the forgery is assumed not one of those signed, so HT[m, s] was
not set by Sign and is thus independent of the transcript challenges. There are at
most $q_s$ transcript challenges and at most $q_h$ queries to H, so $\Pr[B] \le q_h q_s / 2^{\mathrm{ID.cl}}$. □
DS.Kg^H
  (ivk, isk, itk) ←$ ID.Kg
  vk ← ivk ; sk ← isk
  Return (vk, sk)

DS.Sig^H(vk, sk, m)
  ivk ← vk ; isk ← sk
  (Y, y) ←$ ID.Ct(ivk)
  c ← H(Y‖m)
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (Y, z)
  Return σ

DS.Vf^H(vk, m, σ)
  ivk ← vk ; (Y, z) ← σ
  c ← H(Y‖m)
  Return ID.Vf(ivk, Y‖c‖z)

Fig. 12. The construction of signature scheme DS = FS[ID] from identification
scheme ID. By H(·) we denote random oracle H(·, {0,1}^{ID.cl}) with range {0,1}^{ID.cl}.


6.4 From CIMP-CU Identification to UF Signatures: FS 

The first proofs of UF security of FS-based signatures used a Forking Lemma
and were quite complex [35]. More modular approaches were given in OO [33]
and AABN [1]. AABN reduce UF security of the signature scheme to IMP-PA
security of the identification scheme. (The latter is established separately via the
Reset Lemma of [6].) The reduction of AABN is not tight.

Our framework allows a tight reduction of the UF security of FS-based sig- 
natures to the CIMP-CU security of the underlying identification scheme. The 
reason for this is simple, namely that CIMP-CU is the multi-impersonation ver- 
sion of IMP-PA. The proof is implicit in AABN [1]. We give a proof however for 
completeness and to illustrate how much simpler this proof is to prior ones. 

We note that this tighter reduction does not change overall tightness. That
is, in AABN, $P_{\mathrm{sig}} \to P_{\mathrm{id}}$ was not tight, while for us, it is, but the tightness of the
overall $P_{\mathrm{sig}} \to P_{\mathrm{alg}}$ reduction remains the same in both cases.

The construction. The FS transform [16] associates to identification scheme
ID the signature scheme DS = FS[ID] whose algorithms are defined in Fig. 12.
Signing picks the commitment directly. The challenge is derived as a hash of
the commitment and message. By H(·) we denote random oracle H(·, {0,1}^{ID.cl})
with range {0,1}^{ID.cl}.

Unforgeability. The following theorem says that the FS construction yields a 
UF secure signature scheme if the underlying ID scheme offers CIMP-CU security 
and the commitment (as generated by the prover) is uniformly distributed over 
a large space. The latter condition is true for typical identification schemes. The 
intuition of the proof is that signing queries are answered via transcripts and 
hash queries are mapped to challenge queries, this failing only if commitments 
collide. The proof of the following is in [7]. 

Theorem 8. Let signature scheme DS = FS[ID] be obtained from identifica-
tion scheme ID as in Fig. 12. Let ID.CSS = min{ |ID.CS(ivk)| : (ivk, isk, itk) ∈
[ID.Kg] }. Let $\mathcal{A}$ be a UF adversary against DS making $q_h$ queries to its H ora-
cle and $q_s$ queries to its Sign oracle. Then from $\mathcal{A}$ we construct a CIMP-CU
adversary $\mathcal{P}$ such that

$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}}(\mathcal{A}) \le \mathrm{Adv}^{\mathrm{cimp\text{-}cu}}_{\mathrm{ID}}(\mathcal{P}) + \dfrac{q_s(2q_h + q_s - 1)}{2 \cdot \mathrm{ID.CSS}}.$ (9)

Adversary $\mathcal{P}$ makes $q_s$ queries to Tr and $q_h + 1$ queries to Ch and has running
time about that of $\mathcal{A}$.


6.5 From CIMP-UC Identification to UF Signatures: Swap 

Micali and Reyzin [30] use the term “swap” for a specific construction of a sig- 
nature scheme that they give with a tight reduction to the hardness of factoring. 
Folklore, and hints in the literature [2], indicate that researchers understand 
the method is more general. But exactly how general was not understood or 
determined before, perhaps for lack of definitions. Our definition of trapdoor 
identification and the CIMP-XY framework allows us to fill this gap and give a 
characterization of the swap method and also better understand it. 

In this section we define a transform of trapdoor identification schemes to sig- 
nature schemes that we call Swap. We show that it yields UF secure signatures 
if the identification scheme is CIMP-UC secure. 

The construction. The Swap transform associates to trapdoor identification 
scheme ID the signature scheme DS = Swap [ID] whose algorithms are defined 
in Fig. 13. 

Recall that in Sect. 6.1 we gave the MdCmt transform that constructs UUF- 
secure signatures from CIMP-UC-secure identification. Further, in Sect. 5 we 
proposed two generic techniques that convert UUF signatures to signatures with 
full UF security. One of the latter, AR, achieves its goal by adding random- 
ness to signed messages as follows: for signing m, it picks a fresh random seed
s and signs m‖s instead. The seed is included in the signature. Overall, the
combination of MdCmt with AR yields tightly secure signatures of the form
(c, ID.Rp(c, ID.Ct^{-1}(H(m‖s))), s). Swap effectively says that it is safe to choose c
and s to be identical. Thus it can be viewed as an optimization of MdCmt+AR,
giving up on modularity to achieve more compact UF secure signatures.

We note however that our MdCmtCh transform coupled with our UUF-to- 
UF transform DR yields UF signatures that seem superior in every way: they 
are shorter (response plus a bit as opposed to response plus a challenge), the 
(tight) reduction is to the weaker CIMP-UU notion, and the efficiency is the 
same. Thus we would view Swap at this point as of mostly historical interest. 
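An added toy instantiation (not the paper's own code) of the transforms compared above, over the GQ trapdoor identification scheme: MdCmtCh[ID] of Fig. 8, the DR derandomization of Fig. 6 layered on top of it (row 3 of Fig. 14), and Swap[ID] of Fig. 13. The RSA-style modulus, exponent and 16-bit challenge length are constructed toy values, and SHA-256 with a label byte stands in for the domain-separated random oracles H_1, H_2 and H.

```python
"""Toy instantiation of the paper's transforms over the GQ trapdoor identification
scheme: MdCmtCh[GQ] (Fig. 8), DR on top of it (Fig. 6; row 3 of Fig. 14) and
Swap[GQ] (Fig. 13).  Constructed toy parameters, not secure; SHA-256 with a
label byte stands in for the domain-separated random oracles."""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA modulus from two small primes; a real GQ needs a full-size N.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                             # prime exponent
ID_CL = 16                            # challenge length ID.cl; c < 2^16 < E
D = pow(E, -1, (P - 1) * (Q - 1))     # trapdoor itk: takes E-th roots mod N

def ro(label: bytes, data: bytes, nbits: int) -> int:
    """Random-oracle stand-in H(label||data) with range {0,1}^nbits.
    The label byte is the domain separation between H_1, H_2 and DR's H."""
    h = hashlib.sha256(label + data).digest()
    return int.from_bytes(h, "big") >> (256 - nbits)

# --- GQ trapdoor identification scheme: ivk = (N, E, X), isk = x, itk = D ---
def id_kg():
    while True:
        x = secrets.randbelow(N)
        if x > 1 and gcd(x, N) == 1:
            return (N, E, pow(x, E, N)), x, D

def id_ct_inv(ivk, itk, Y):
    """ID.Ct^{-1}: with the trapdoor, recover y with y^E = Y mod N."""
    return pow(Y, itk, ivk[0])

def id_rp(ivk, isk, c, y):
    """ID.Rp: response z = y * x^c mod N."""
    return (y * pow(isk, c, ivk[0])) % ivk[0]

def id_vf(ivk, Y, c, z):
    """ID.Vf on transcript Y||c||z: accept iff z^E == Y * X^c mod N."""
    n, e, X = ivk
    return pow(z, e, n) == (Y * pow(X, c, n)) % n

def h_cs(ivk, data: bytes) -> int:
    """H(., ID.CS(ivk)): hash into the commitment space Z_N^* by rejection sampling."""
    n = ivk[0]
    for ctr in range(256):
        Y = ro(b"\x01", data + bytes([ctr]), 256) % n
        if Y > 1 and gcd(Y, n) == 1:
            return Y
    raise RuntimeError("hashing into Z_N^* failed")   # unreachable for this N

def h_cl(data: bytes) -> int:
    """H(., {0,1}^ID.cl): hash to a challenge."""
    return ro(b"\x00", data, ID_CL)

# --- MdCmtCh[ID] (Fig. 8): signature = (response z, one-bit seed s) ---
def mdcmtch_kg():
    ivk, isk, itk = id_kg()
    return ivk, (isk, itk)                          # vk, sk

def mdcmtch_sig(vk, sk, m: bytes, s=None):
    """DS.Sig^H; its only coins are the seed bit s, exposed so DR can supply it."""
    isk, itk = sk
    if s is None:
        s = secrets.randbelow(2)                    # s <-$ {0,1}
    Y = h_cs(vk, m)                                 # Y <- H_1(m)
    y = id_ct_inv(vk, itk, Y)                       # y <-$ ID.Ct^{-1}(ivk, itk, Y)
    c = h_cl(m + bytes([s]))                        # c <- H_2(m||s)
    return id_rp(vk, isk, c, y), s                  # sigma <- (z, s)

def mdcmtch_vf(vk, m: bytes, sig) -> bool:
    z, s = sig
    return id_vf(vk, h_cs(vk, m), h_cl(m + bytes([s])), z)

def dr_sig(vk, sk, m: bytes):
    """DR[DS] signing (Fig. 6): coins r <- H(sk||m) with range {0,1}^DS.rl, DS.rl = 1."""
    isk, itk = sk
    r = ro(b"\x02", isk.to_bytes(8, "big") + itk.to_bytes(8, "big") + m, 1)
    return mdcmtch_sig(vk, sk, m, s=r)

# --- Swap[ID] (Fig. 13): random challenge c, commitment Y = H(m||c), signature (c, z) ---
def swap_sig(vk, sk, m: bytes):
    isk, itk = sk
    c = secrets.randbelow(1 << ID_CL)               # c <-$ {0,1}^ID.cl
    Y = h_cs(vk, m + c.to_bytes(2, "big"))          # Y <- H(m||c)
    y = id_ct_inv(vk, itk, Y)
    return c, id_rp(vk, isk, c, y)

def swap_vf(vk, m: bytes, sig) -> bool:
    c, z = sig
    return id_vf(vk, h_cs(vk, m + c.to_bytes(2, "big")), c, z)
```

For a fixed message, MdCmtCh admits exactly two valid signatures (one per seed bit), which is what UUF rather than UF captures; dr_sig always returns the same one of them, and Swap's signature carries the full challenge instead of a bit.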

Unforgeability. The following theorem says that the Swap construction yields 
a UF secure signature scheme if the underlying ID scheme offers CIMP-UC secu- 
rity and has sufficiently large challenge length. The proof of the following is in [7]. 

Theorem 9. Let signature scheme DS = Swap[ID] be obtained from trapdoor
identification scheme ID as in Fig. 13. Let $\mathcal{A}$ be a UF adversary against DS.
Suppose the number of queries that $\mathcal{A}$ makes to its H oracle is $q_h$ and the num-
ber of queries it makes to Sign is $q_s$. Then from $\mathcal{A}$ we construct a CIMP-UC
adversary $\mathcal{P}$ such that
DS.Kg^H
  (ivk, isk, itk) ←$ ID.Kg
  vk ← ivk ; sk ← (isk, itk)
  Return (vk, sk)

DS.Sig^H(vk, sk, m)
  ivk ← vk ; (isk, itk) ← sk
  c ←$ {0,1}^{ID.cl}
  Y ← H(m‖c)
  y ←$ ID.Ct^{-1}(ivk, itk, Y)
  z ← ID.Rp(ivk, isk, c, y)
  σ ← (c, z) ; Return σ

DS.Vf^H(vk, m, σ)
  ivk ← vk ; (c, z) ← σ
  Y ← H(m‖c)
  Return ID.Vf(ivk, Y‖c‖z)

Fig. 13. The construction of signature scheme DS = Swap[ID] from a trapdoor iden-
tification scheme ID. By H(·) we denote H(·, ID.CS(ivk)).


Signature scheme DS | P_id    | Bound on Adv^uf_DS(A)                             | Sig. size | Equations
--------------------|---------|---------------------------------------------------|-----------|--------------
DR[MdCmt[ID]]       | CIMP-UC | 2ε/(1 − 2^{−l})                                   | k + l     | (4), (5), (1)
Swap[ID]            | CIMP-UC | ε + (q_h q_s + q_s^2 + 1)·2^{−l}                  | k + l     | (10), (1)
DR[MdCmtCh[ID]]     | CIMP-UU | 4ε + 4(q_h + q_s)·2^{−l}                          | k + 1     | (4), (7), (2)
FS[ID]              | CIMP-CU | (q_h + 1)(√ε + 2^{−l}) + (2 q_h q_s + q_s^2)/(2C) | k + c     | (9), (3)

Fig. 14. UF signature schemes obtained from identification scheme ID. We
show bounds on the uf advantage of an adversary $\mathcal{A}$ making $q_h$ queries to H and $q_s$
queries to Sign. Here $\varepsilon = \mathrm{Adv}^{\mathrm{kr}}_{\mathrm{ID}}(\mathcal{X})$ is the kr advantage of an adversary $\mathcal{X}$ of roughly
the same running time as $\mathcal{A}$. By l, k, c we denote the lengths of the challenge, response
and commitment, respectively. By C we denote the size of the commitment space. By
$P_{\mathrm{id}}$ we denote the notion of identification security used in the $P_{\mathrm{sig}} \to P_{\mathrm{id}}$ reduction.


$\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}}(\mathcal{A}) \le \mathrm{Adv}^{\mathrm{cimp\text{-}uc}}_{\mathrm{ID}}(\mathcal{P}) + \dfrac{q_h q_s + q_s^2 + 1}{2^{\mathrm{ID.cl}}}.$ (10)

Adversary $\mathcal{P}$ makes $q_h + q_s + 1$ queries to Tr and one query to Ch. Its running
time is about that of $\mathcal{A}$.


6.6 From Identification to UF Signatures: Summary 

Figure 14 puts things together. We consider obtaining a UF (not just UUF)
signature scheme DS from a given identification scheme ID via the various trans-
forms in this paper. In the first three rows, the identification scheme is assumed
to be trapdoor. Whenever a transform achieves (only) UUF, we apply DR on
top to get UF. We give bounds on the uf advantage $\mathrm{Adv}^{\mathrm{uf}}_{\mathrm{DS}}(\mathcal{A})$ of an adversary
$\mathcal{A}$ making $q_h$ queries to H and $q_s$ queries to Sign. By l = ID.cl we denote the
challenge length of ID, and by C = ID.CSS the size of the commitment space.
We show the full $P_{\mathrm{sig}} \to P_{\mathrm{alg}}$ reduction, so that the bounds are in terms of the
kr advantage $\varepsilon = \mathrm{Adv}^{\mathrm{kr}}_{\mathrm{ID}}(\mathcal{X})$ of a kr-adversary $\mathcal{X}$ having about the same running
time as $\mathcal{A}$. The bounds are obtained by combining the various relevant theorems,
referring to the indicated equations. We show the notion $P_{\mathrm{id}}$ of identification
security used as an intermediate point, namely $P_{\mathrm{sig}} \to P_{\mathrm{id}} \to P_{\mathrm{alg}}$. Signature
size is shown as a function of challenge, response and commitment lengths. In
summary, the bounds in the first three rows are tight, but the transform of the
third row has the added advantage of shorter signatures and a linear (as opposed
to quadratic) additive term in the bound. We do not show the MdCh transform
from CIMP-CC because the latter is not achieved by Sigma protocols. We note
that the bound for FS is the same as in [1]. (Our $P_{\mathrm{sig}} \to P_{\mathrm{id}}$ reduction, unlike
theirs, is tight, but there is no change in the tightness of the full $P_{\mathrm{sig}} \to P_{\mathrm{alg}}$
reduction.)
Abstract. In this paper, we bridge the gap between structure-
preserving signatures (SPSs) and fully structure-preserving signatures
(FSPSs). In SPSs, all the messages, signatures, and verification keys
consist only of group elements, while in FSPSs, even signing keys are
required to be a collection of group elements. To achieve our goal, we
introduce two new primitives called trapdoor signature and signature with
auxiliary key, both of which can be derived from SPSs. By carefully com-
bining both primitives, we obtain generic constructions of FSPSs from
SPSs. Upon instantiating the above two primitives, we get many instan-
tiations of FSPS with unilateral and bilateral message spaces. Different
from previously proposed FSPSs, many of our instantiations also have
the automorphic property, i.e., a signer can sign his own verification key.
As by-product results, one of our instantiations has the shortest veri-
fication key size, signature size, and lowest verification cost among all
previous constructions based on standard assumptions, and one of them
is the first FSPS scheme in the type I bilinear groups.
1 Introduction

1.1 Background 

Structure-preserving signatures (SPSs). In [3], Abe et al. initiated the study 
of SPSs which denote pairing-based signatures where all the verification keys, 
messages, and signatures consist only of group elements and the verification algo- 
rithms only make use of pairing product equations (PPEs) to verify signatures. 

SPSs are very useful since they can be combined with other structure-
preserving (SP) primitives, e.g., ElGamal encryption [19] and Groth-Sahai
proofs [29], to obtain efficient cryptographic protocols such as blind signa-
tures [3,23-25], group signatures [3,25,34], homomorphic signatures [33], del-
egatable anonymous credentials [22], compact verifiable shuffles [17], network
coding [6], oblivious transfer [14,37], tightly secure encryption [2,30], and
e-cash [7]. Motivated by this, there has been a great deal of work focusing
on SPSs (e.g., [1,3]) in the past few years, which provides us with various SPS
schemes based on different assumptions and with high efficiency.

Automorphic signatures. In [3], Abe et al. noted that for elaborate applications,
the SP property of a signature scheme is not sufficient. In addition, an SPS
scheme has to be able to sign its own verification keys, i.e., verification keys
have to lie in the message space. They called such an SPS an automorphic
signature and gave an instantiation of it, and also provided a generic
transformation that converts automorphic signatures for messages of fixed
length into ones for messages of arbitrary length.

As argued in [3], since automorphic signatures enable constructions of certi- 
fication chains (i.e., sequences of verification keys linked by certificates from one 
key on the next one), they are useful in constructing anonymous proxy signa- 
tures and delegatable anonymous credentials. Abe et al. [3] also showed how to 
combine automorphic signatures with the Groth-Sahai proof system to construct 
a round-optimal blind signature scheme. 

Fully structure-preserving signatures (FSPSs). In [5], Abe et al. introduced
FSPSs, where signing keys also consist only of group elements and the correctness
of signing keys with respect to verification keys can be verified by PPEs. Since
the fully structure-preserving (FSP) property enables efficient signing key
extraction, it could help us prevent rogue-key attacks in the public-key
infrastructures (PKIs) [36], make anonymous credentials UC-secure [15], achieve
privacy in group and ring signatures [10,11,13] in the presence of adversarial
keys, and extend delegatable anonymous credentials [8,18,22] with all-or-nothing
transferability [16], as noted in [5]. In this paper, we call an automorphic
signature scheme that is FSP a fully automorphic signature (FAS) scheme.

Abe et al. [5] gave two generic constructions by combining FSPSs unforgeable 
(UF) against extended random message attacks (xRMA) [1] with other primi- 
tives such as one-time SPSs, two-tier SPSs (also called partial one-time SPSs), 
and trapdoor commitment schemes. Although these constructions are novel and 
neat, they suffer from three shortcomings due to the use of specific primitives,
which make them less generic.

1. As both constructions require a UF-xRMA secure FSPS scheme and one of
them also requires a γ-blinding trapdoor commitment scheme, the underlying
assumptions and bilinear map of their instantiations are limited. Concretely
speaking, all the signature schemes derived from their constructions have to
be based on at least the SXDH and XDLIN assumptions and be in the type
III bilinear group.

2. For the same reason, the efficiency of their instantiations is also potentially
limited by the underlying UF-xRMA secure FSPS scheme and the γ-blinding
trapdoor commitment scheme. For example, the verification keys and
signatures of their most efficient FSPS scheme consist of more than 10n group
elements in total if messages consist of n^2 group elements.

3. Their instantiations are not automorphic. The reason is that verification keys 
of the UF-xRMA secure FSPS scheme (which are also verification keys of 
the resulting schemes) consist of elements in both source groups, while the 
resulting signature schemes can only sign messages consisting only of elements 
in one source group. 

Note that Abe et al. [5] also gave a variant of their constructions by combining
a UF-xRMA secure signature scheme and a trapdoor commitment scheme with
SPSs, which can be treated as a generic transformation from SPSs to FSPSs. If
the instantiation of SPS is with a bilateral message space (i.e., messages consist
of elements in both source groups), then the resulting signature scheme could
be automorphic. However, as far as we know, besides the aforementioned
shortcomings, all the previously proposed SPS schemes with a bilateral message
space require verification keys to consist of elements in both source groups
(except for ones that sign messages of "DDH form" [26,27]), which results in very
inefficient FSPS schemes, as noted in [5]. The verification keys and signatures
(respectively, the verification algorithm) of the most efficient automorphic
instantiation that can be derived from their generic construction consist of more
than 12n group elements in total (respectively, more than 3n PPEs) if the
messages consist of 2n^2 group elements.

Following the work of Abe et al. [5], Groth [28] gave an elegant construction 
of FSPS, which has the shortest verification keys and signatures, and needs the 
fewest PPEs for verification. Although this FSPS scheme is the most efficient 
one as far as we know, it is only known to be secure in the generic group model 
and is not automorphic. 

Up until now, many results have been devoted to constructing efficient SPSs
under different assumptions, while there are very few FSPS schemes. If we can
find a generic method to transform existing SPSs into FSPSs or even FASs
without directly using specific primitives, it will greatly alleviate the effort
needed to construct them from scratch.
1.2 Our Results

Generic construction of FSPS. In this paper, we formalize two extensions to
ordinary signatures called trapdoor signatures (TSs) and signatures with
auxiliary key (AKSs). We show that any well-formed^1 SPS scheme can be converted
into a TS scheme satisfying the signing key structure-preserving (SKSP)
property, in which signing keys consist only of group elements and the
correctness with respect to verification keys can be verified by PPEs, while
messages are not necessarily group elements. Furthermore, it is relatively
straightforward to show that any SPS scheme with an algebraic key generation
algorithm can be converted into a structure-preserving signature with auxiliary
keys (SP-AKS). By combining SKSP-TS with SP-AKS, we obtain a generic
construction of FSPS.^2 Our construction implies that for any two SPS schemes,
if verification keys of one lie in the message space of the other (which is
well-formed), then basically, they can be used to construct an FSPS scheme,
without using any other specific primitives or additional assumptions. It also
implies that most well-formed SPS schemes with a bilateral message space or
unilateral verification key space (i.e., the verification keys consist only of
elements in one source group) can be converted into an FSPS scheme.

This generic construction is proved to be secure based on building blocks
satisfying different security notions, which allows us to obtain various
instantiations of FSPS based on different assumptions.

Efficient instantiations of FSPSs. By extending the definition of AKSs to
two-tier signatures with auxiliary keys (TT-AKSs) and substituting AKSs with
TT-AKSs in the above generic construction, we obtain another generic
construction, which enables us to obtain more efficient instantiations of FSPS.
For instance, by using the TS scheme and TT-AKS scheme adapted from the SPS
schemes proposed by Kiltz et al. [31,32], we obtain instantiations of FSPS with
unilateral and bilateral message spaces. We give an efficiency comparison
between our instantiations and the ones proposed in [5] in Table 1.^3 Note that
like the FSPS scheme proposed in [28], a signing key in our instantiations
consists of O(n) group elements (concretely, 2n + 1 in [28] and 4n + 9 and
8n + 13 in our results), while that in "AKO+15" consists only of 4 elements.
However, in many applications, the size of a signing key does not have to be
"extremely short" since typically, a user generates only one proof for knowing
a signing key (e.g., in PKIs and group/ring signatures), while proofs for
knowing a signature or a verification key/signature pair are required to be
generated multiple times.^4

1 We refer the reader to Definition 10 for details of well-formed SPSs. As far
as we know, all the existing SPS schemes are well-formed.

2 As in [5], we assume the underlying SKSP-TS scheme and SP-AKS scheme share
the common setup algorithm.

3 The second instantiation in Table 1 is derived from the generic construction
described in [5, Sect. 6.4], where the underlying SPS scheme is the one with
bilateral message space in [31] (based on the SXDH assumption). In this
instantiation, we have to add a group element denoting the sequence number to
every message block. Furthermore, the underlying two-tier signature schemes of
the first and third instantiations have the same efficiency, which makes sure
that this comparison is fair. If we allow trusted setup besides the bilinear
map generation, the sizes of common parameters |par| in these four schemes are
6, 6, 1, and 2 respectively.


Table 1. Comparison between the most efficient instantiations of FSPS based on
standard assumptions derived from the main construction in [5] and the most
efficient ones derived from our constructions. Notation (x, y) denotes x elements
in 𝔾_1 and y elements in 𝔾_2. We do not count the two generators in the
description of bilinear groups when giving the parameters.



               Security  Assumption    |m|         |pk| + |par|  |σ|       #PPE
AKO+15 [5]     Full      SXDH, XDLIN   (n^2, 0)    6n + 17       4n + 11   n + 5
               Full      SXDH, XDLIN   (n^2, n^2)  6n + 47       13n + 30  5n + 6
Our results    Full      SXDH          (n^2, 0)    2n + 7        4n + 8    n + 3
               Full      SXDH          (n^2, n^2)  4n + 10       8n + 12   2n + 4


Our FSPS schemes in Table 1 can also be based on the D_k-matrix Diffie-Hellman
(MDDH) assumptions [20] (see the full paper for the definition), while the
parameters become

$$(|m|,\ |pk| + |par|,\ |\sigma|,\ \#\mathrm{PPE}) = \bigl(n^2,\ (2nk + 2k + 3 + \mathrm{RE}(\mathcal{D}_k))k + \mathrm{RE}(\mathcal{D}_k),\ (3k + 1)n + 4 + 3k + \mathrm{RE}(\mathcal{D}_k),\ kn + 2k + 1\bigr)$$

and

$$(|m|,\ |pk| + |par|,\ |\sigma|,\ \#\mathrm{PPE}) = \bigl(2n^2,\ (4nk + 3k + 3 + 2\mathrm{RE}(\mathcal{D}_k))k + 2\mathrm{RE}(\mathcal{D}_k),\ 2(3k + 1)n + 5k + 5 + 2\mathrm{RE}(\mathcal{D}_k),\ 2kn + 3k + 1\bigr),$$

where RE(D_k) denotes the minimal number of group elements needed to present a
matrix sampled from D_k.

Since our constructions only require the underlying schemes to have prop- 
erties naturally satisfied by SPSs, further improvement on SPS schemes may 
contribute to the efficiency of FSPSs more via our constructions than the con- 
structions in [5]. 

FASs. Since we can convert any (well-formed) SPS scheme into an SKSP-TS 
scheme and an SP-AKS scheme, our generic constructions also derive many 
instantiations of FAS from various combinations (including the ones in Table 1). 
As long as verification keys of the underlying TS scheme consist of no more group 
elements than messages of the underlying AKS scheme in both source groups, 
the resulting scheme is usually fully automorphic. 

We can instantiate our first generic construction with the TS scheme and
AKS scheme adapted from the SPS scheme proposed by Groth et al. [28] to
obtain our most efficient FAS scheme, while the most efficient one from the
generic construction in [5] can be obtained by letting the underlying SPS scheme
be the one in [4] and the underlying one-time SPS scheme the one in [26]. For
ease of understanding, we give an efficiency comparison in Table 2.

Table 2. Comparison between the most efficient instantiation of FAS derived from
the main construction in [5] and the most efficient one derived from our
constructions. Both of them are secure in the generic group model.

              Security  Assumption  |m|         |pk| + |par|  |σ|      #PPE
AKO+15 [5]    Full      Generic     (n^2, n^2)  6n + 23       6n + 14  3n + 6
Our result    Full      Generic     (n^2, 0)    2n + 1        2n + 5   n + 3

4 The argument that the signing key size is not as important as
verification/signature size does not spoil the motivation for FSPS. FSPS helps
avoid extremely heavy key extraction, i.e., extracting a signing key bit by bit
(see Introduction in [8]). However, this does not mean we have to make the
extraction extremely light. Allowing checking signing keys by using PPEs and
keeping the key size linear with message size are enough to achieve the goal.

FSPS (FAS) schemes in the symmetric (type I) bilinear map. We also instantiate
our generic constructions with the SPS scheme and the tag-based SPS scheme
proposed in [2] to obtain the first FSPS and FAS schemes in the type I bilinear
map, the most efficient one of which achieves (|m|, |pk| + |par|, |σ|, #PPE) =
(n^2, 6n + 30, 6n + 12, 2n + 7).


1.3 High-Level Idea 

Our generic construction can be treated as an extension of the well-known EGM
paradigm [21]. In this paradigm a signer uses two signature schemes Σ_1 and Σ_2
to sign a message m. It first signs m by using the signing key sk_2 of Σ_2 and
then signs the verification key vk_2 of Σ_2 by using the signing key sk_1 of Σ_1.
This paradigm was used to obtain SPSs in [1] and a generic construction of FSPS
in [5]. To make sure that the resulting signature scheme is an FSPS scheme, it is
natural to require sk_1 to consist only of group elements. This is the reason why
Abe et al. [5] instantiated Σ_1 with the xRMA secure signature scheme proposed
in [1], which was the only proposed FSPS scheme until then. However, we observe
that it is possible to instantiate Σ_1 with all the existing SPS schemes, which
also provides us with more options when selecting instantiations of Σ_2 to match
Σ_1.

Next, we explain how to choose Σ_1 and Σ_2, and the high level idea of our
construction. Roughly speaking, starting from an SPS scheme with a signing
key x ∈ Z_p, we can always derive a signature scheme in which the signing key
becomes a group element X = G^x ∈ 𝔾 (where G denotes the generator of 𝔾).
It is obvious that in this case a message M ∈ 𝔾 cannot be signed by using X
since we are not able to compute M^x from X and M. Supposing that M = G^m,
we can use X to sign m instead of M, i.e., compute X^m instead of M^x when
generating a signature. Furthermore, since signatures generated in this way are
the same as those generated by the real signing key, and the public key and
verification algorithm remain the same, one can verify the signature by using M.
We formalize such a signature scheme as a TS scheme. Although such a signature
scheme is only "semi"-structure-preserving, we use it to sign the exponent
v ∈ Z_p of a verification key (called auxiliary keys) of another SPS scheme and
use the latter SPS scheme to sign a message M' ∈ 𝔾'. This enables us to obtain
an FSPS scheme. We formalize the latter signature scheme which generates
auxiliary keys besides verification/signing key pairs as an AKS scheme.

To verify a signature, one only needs to know V = G^v and M', without
knowing v. Furthermore, the original signing key x (called trapdoor key) of the
TS scheme is never used in the signing process but is necessary as the
reduction algorithm in the security proof signs verification keys without knowing
the exponent.
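The mechanism described above, as an added toy example that is not part of the paper and is not one of its instantiations: a symbolic model of a type III bilinear group in which every element of 𝔾_1, 𝔾_2 and 𝔾_T is stored by its discrete log (so the pairing and every PPE can be checked exactly, at the price of having no security whatsoever), a toy γ-TS whose signing key is the group element [x]_1 and which signs exponents, a toy AKS whose per-signature verification key ([v]_1, [v]_2) has auxiliary key v, and their EGM-style combination, whose long-term signing key is a single group element. Both toy schemes are linear and trivially forgeable; they exist only to check the algebra. All names (Elem, ts_sign, aks_gen, fsps_sign, ...) are this example's own and the prime P is an arbitrary choice. The example checks three things the text claims: VerifySK is a PPE on (pk, sk); Sign with [x]_1 and v gives the same signature as TDSign with the trapdoor x and [v]_1; and the combined signature verifies through PPEs alone.

```python
import secrets

# Toy prime group order (assumption: any large prime works for this model).
P = 2**127 - 1


class Elem:
    """[x]_g for g in {1, 2, 'T'}, stored *symbolically* as its discrete log x mod P.
    Real group elements hide x; this model exposes it so that PPEs can be checked."""

    def __init__(self, group, x):
        self.group = group
        self.x = x % P

    def __add__(self, other):              # group operation, additive notation
        assert self.group == other.group, "elements must be in the same group"
        return Elem(self.group, self.x + other.x)

    def __rmul__(self, scalar):            # scalar * [x]_g = [scalar * x]_g
        return Elem(self.group, scalar * self.x)

    def __eq__(self, other):
        return isinstance(other, Elem) and self.group == other.group and self.x == other.x


def g1(x):
    return Elem(1, x)


def g2(x):
    return Elem(2, x)


def pair(a, b):
    """Bilinear map e([x]_1, [y]_2) = [xy]_T."""
    assert a.group == 1 and b.group == 2
    return Elem("T", a.x * b.x)


def rand_zp():
    return secrets.randbelow(P - 1) + 1    # uniform in {1, ..., P-1}


# Toy gamma-TS (Sigma_1): signs an exponent v, verifies against gamma(v) = [v]_1.
def ts_gen():
    x = rand_zp()
    return g2(x), g1(x), x                 # pk = [x]_2, sk = [x]_1 (a group element), tk = x


def ts_sign(sk, v):                        # needs v, not the trapdoor: v * [x]_1
    return v * sk


def ts_tdsign(tk, V):                      # needs the trapdoor x, sees only [v]_1: x * [v]_1
    return tk * V


def ts_verify(pk, V, sig):                 # PPE: e(sig, [1]_2) = e(V, pk)
    return pair(sig, g2(1)) == pair(V, pk)


def ts_verify_sk(pk, sk):                  # VerifySK as a PPE: e(sk, [1]_2) = e([1]_1, pk)
    return pair(sk, g2(1)) == pair(g1(1), pk)


# Toy AKS (Sigma_2): each key generation yields an auxiliary key v, a bilateral
# verification key ([v]_1, [v]_2) and the exponent v as the (ephemeral) signing key.
def aks_gen():
    v = rand_zp()
    return v, (g1(v), g2(v)), v


def aks_sign(sk_v, M):                     # sign a G1 message with the ephemeral exponent
    return sk_v * M


def aks_verify(vk, M, sig):
    V1, V2 = vk
    return (pair(sig, g2(1)) == pair(M, V2)            # signature PPE
            and pair(V1, g2(1)) == pair(g1(1), V2))    # [v]_1 and [v]_2 share one exponent


# EGM-style combination: the long-term signing key is the *group element* [x]_1.
def fsps_sign(sk, M):
    v, vk2, sk2 = aks_gen()                # fresh per signature
    return vk2, ts_sign(sk, v), aks_sign(sk2, M)


def fsps_verify(pk, M, sig):
    vk2, s1, s2 = sig
    return ts_verify(pk, vk2[0], s1) and aks_verify(vk2, M, s2)


def demo():
    """Returns (VerifySK ok, combined signature verifies, Sign == TDSign)."""
    pk, sk, tk = ts_gen()
    M = g1(rand_zp())
    sig = fsps_sign(sk, M)
    vk2, s1, _ = sig
    return ts_verify_sk(pk, sk), fsps_verify(pk, M, sig), s1 == ts_tdsign(tk, vk2[0])


if __name__ == "__main__":
    print(demo())                          # (True, True, True)
```

Note that ts_sign never touches the exponent x and ts_tdsign never touches v, yet both produce [xv]_1: this is exactly the correctness condition (b) of the TS syntax, and it is why a reduction that knows the trapdoor can sign verification keys whose exponent it does not know.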

Our main contributions lie in two aspects. First, we formalize the notions
of TSs and AKSs in order to adapt the EGM paradigm to construct FSPSs. 
Second, we show that most of existing SPS schemes can be cast as our extended 
signatures, and consequently we can obtain a number of FSPSs and FASs based 
on existing SPSs. 

Perhaps interestingly, although most of the previously proposed SPS schemes
with a unilateral message space are not automorphic (since their verification
keys and messages usually consist of elements in different source groups), when
some of them are converted into FSPSs using our method, the resulting schemes
become automorphic.^5

Paper organization. We recall several definitions in Sect. 2. Then we formalize 
TSs and AKSs and show how to instantiate them from any (well-formed) SPS 
scheme in Sects. 3 and 4 respectively, and give generic constructions of FSPSs 
based on them in Sect. 5. Finally, we show instantiations of our generic construc- 
tions in Sect. 6. 

2 Preliminaries 

2.1 Notations 

In this paper, we let negl be negligible functions, [n] the set {1, ..., n},
N the set of natural numbers, |X| the number of elements in X (where
X could be a space, a vector, or a matrix), and \vec{A} the 1 × mn vector
(a_11, a_12, ..., a_1n, a_21, a_22, ..., a_2n, ..., a_m1, a_m2, ..., a_mn) where A
denotes the m × n matrix (a_ij)_{i ∈ [m], j ∈ [n]}. If A ∈ Z_p^{(k+1) × k} lies in
the matrix distribution D_k, then we use \bar{A} to denote the upper square
matrix of A. Furthermore, a ∈ Z_p^n denotes a column vector by default.


2.2 Pairing Group 

In this paper, we let 𝒢 be an algorithm that takes as input 1^λ and outputs
gk = (p, 𝔾_1, 𝔾_2, 𝔾_T, e, G_1, G_2) such that p is a prime satisfying p = Θ(2^λ),
(𝔾_1, 𝔾_2, 𝔾_T) are descriptions of groups of order p, G_1 and G_2 generate 𝔾_1
and 𝔾_2 respectively, and e : 𝔾_1 × 𝔾_2 → 𝔾_T is an efficiently computable
(non-degenerate) bilinear map. Following [28,31], we use the additive notation
in [20] such as e((a + b)[x]_1, [y]_2) = a · e([x]_1, [y]_2) + b · e([x]_1, [y]_2),
where [x]_1 and [y]_2 denote G_1^x and G_2^y respectively, and e([x]_1, [y]_2)
can be written as [xy]_T. Furthermore, e([a]_1^T, [b]_2) denotes
Σ_{i=1}^n e([a_i]_1, [b_i]_2) where [a]_1 = ([a_1]_1, ..., [a_n]_1)^T and
[b]_2 = ([b_1]_2, ..., [b_n]_2)^T, and e([A]_1^T, [B]_2) denotes
(e([a_i]_1, [b_j]_2))_{i ∈ [n], j ∈ [n']} where [A]_1 = ([a_1]_1, ..., [a_n]_1) and
[B]_2 = ([b_1]_2, ..., [b_{n'}]_2).

5 When messages and verification keys of the underlying TS scheme consist of
elements in 𝔾_2 and 𝔾_1 respectively and those of the underlying AKS scheme
consist of elements in 𝔾_1 and 𝔾_2 respectively, verification keys and messages
of the resulting FSPS scheme consist of elements only in 𝔾_1.


2.3 Signatures 

Definition 1 (Signature). A signature scheme consists of four polynomial-
time algorithms Setup, Gen, Sign, and Verify. Setup takes as input a security
parameter 1^λ and generates a public parameter par, which determines the
message space 𝓜 and the randomness space 𝓡 for signing. Gen is a randomized
algorithm that takes as input a public parameter par and outputs a
verification/signing key pair (pk, sk). Sign is a randomized algorithm that takes
as input a signing key sk and a message m, and returns a signature σ. Verify is
a deterministic algorithm that takes as input a verification key pk, a message m,
and a signature σ, and returns 1 (accept) or 0 (reject).

The correctness is satisfied if we have Verify(pk, m, Sign(sk, m; r)) = 1 for all
λ ∈ N, par ← Setup(1^λ), (pk, sk) ← Gen(par), m ∈ 𝓜, and r ∈ 𝓡.

In [3], Abe et al. first defined SPSs, in which verification keys, messages,
and signatures consist only of group elements in 𝔾_1 and 𝔾_2, and signatures are
verified by evaluating pairing product equations (PPEs), which are of the form
Σ_{i,j} a_ij · e([x_i]_1, [y_j]_2) = [0]_T, where a_ij is an integer constant for
all i and j.

Definition 2 (Structure-preserving signature (SPS)). A signature scheme
is said to be structure-preserving over a bilinear group generator 𝒢 if we
have (a) a public parameter includes a group description gk generated by 𝒢, (b)
verification keys consist of group elements in 𝔾_1 and 𝔾_2, (c) messages consist
of group elements in 𝔾_1 and 𝔾_2, (d) signatures consist of group elements in
𝔾_1 and 𝔾_2, and (e) the verification algorithm consists only of evaluating
membership in 𝔾_1 and 𝔾_2 and relations described by PPEs.

SPSs are versatile since they mix well with other pairing-based protocols. 
Especially, they are compatible with the Groth-Sahai proof system [29]. However, 
as argued by Abe et al. in [3], Groth-Sahai compatibility of a signature scheme 
is not sufficient for elaborate applications such as anonymous signatures and 
delegatable anonymous credentials, which require signatures on verification keys 
to obtain anonymized certification chains. Abe et al. [3] called an SPS scheme 
that is able to sign its own verification keys an automorphic signature scheme. 

Definition 3 (Automorphic signature). A signature scheme is said to be an 
automorphic signature scheme over a bilinear group generator Q if it is structure- 
preserving and its (padded) verification keys lie in the message space. 
In [5], Abe et al. introduced FSPSs, which also require a signing key to
be group elements in 𝔾_1 and 𝔾_2 and the correctness of a signing key with
respect to a verification key can be verified by PPEs. Such signatures allow
efficient key extraction when combined with non-interactive proofs (e.g., the
Groth-Sahai proofs), which may help prevent rogue-key attacks [36], build
UC-secure privacy preserving protocols [15], strengthen privacy in group and
ring signatures [10,11,13] in the presence of adversarial keys, and extend
delegatable anonymous credential systems [8,18,22] with all-or-nothing
transferability [16].

Definition 4 (Fully structure-preserving signature (FSPS)). A structure-
preserving signature scheme (Setup, Gen, Sign, Verify) with the message space 𝓜
and randomness space 𝓡 for signing is said to be fully structure-preserving if
we have (a) signing keys consist only of group elements in 𝔾_1 and 𝔾_2; and
additionally, (b) there exists a polynomial-time deterministic algorithm VerifySK
that takes as input a verification/signing key pair and consists only of
evaluating membership in 𝔾_1 and 𝔾_2 and relations described by PPEs, and it is
required that for sufficiently large λ ∈ N, par ← Setup(1^λ), the following
holds:

- VerifySK(pk, sk) = 1 if and only if Verify(pk, m, Sign(sk, m; r)) = 1 holds for
all m ∈ 𝓜 and r ∈ 𝓡.

In this paper, we call an automorphic signature scheme which is also FSP a 
fully automorphic signature (FAS) scheme. 

Definition 5 (Fully automorphic signature (FAS)). An automorphic sig- 
nature scheme is said to be fully automorphic if it is also fully structure- 
preserving. 

Due to space limitation, we recall the UF-CMA, UF-RMA, UF-otCMA, and 
UF-otRMA security of a signature scheme in the full paper. 

3 Trapdoor Signatures 

3.1 Definition of Trapdoor Signatures 

In this section, we formalize the notion of γ-trapdoor signature (γ-TS) scheme,
whose instantiations are used as building blocks to obtain FSPSs. Different from
standard signatures, a TS scheme verifies the correctness of a signature σ on a
message m ∈ 𝓜 by taking as input (γ(m) ∈ 𝓜_γ, σ) where γ : 𝓜 → 𝓜_γ is an
efficiently computable bijection. Furthermore, there exists a trapdoor key with
which we can generate a signature on m if we have γ(m) but not m itself.

Definition 6 (γ-Trapdoor signature (γ-TS)). A γ-trapdoor signature
scheme consists of five polynomial-time algorithms Setup, Gen, Sign, Verify, and
TDSign. Setup takes as input a security parameter 1^λ and generates a public
parameter par, which determines the message space 𝓜 for the signing
algorithm, the message space 𝓜_γ for the verification algorithm, and an
efficiently computable bijection γ : 𝓜 → 𝓜_γ. Gen is a randomized algorithm
that takes as input par, and outputs a verification/signing key pair (pk, sk) and
a trapdoor key tk. Sign is a randomized algorithm that takes as input a signing
key sk and a message m ∈ 𝓜, and returns a signature σ, where the randomness
space is denoted by 𝓡. Verify is a deterministic algorithm that takes as input a
verification key pk, a message M ∈ 𝓜_γ, and a signature σ, and returns 1 (accept)
or 0 (reject). TDSign takes as input a trapdoor key tk and a message M ∈ 𝓜_γ,
and returns a signature σ. The randomness space of TDSign is also 𝓡.

The correctness is satisfied if for all λ ∈ N, par ← Setup(1^λ), ((pk, sk), tk) ←
Gen(par), and m ∈ 𝓜, we have (a) Verify(pk, γ(m), Sign(sk, m)) = 1, and (b)
Sign(sk, m; r) = TDSign(tk, γ(m); r) for all r ∈ 𝓡.

Key generation algorithm TGen. We use TGen to denote an algorithm that runs
Gen, which is the key generation algorithm of a TS scheme, in the following
way. Taking as input a public parameter par, TGen gives par to Gen and obtains
an output ((pk, sk), tk). Then TGen outputs (pk, tk) as a verification/signing key
pair.

For a TS scheme Σ = (Setup, Gen, Sign, Verify, TDSign), we denote (Setup,
TGen, TDSign, Verify) by T_Σ. According to the syntax of TS, it is not hard to see
that T_Σ forms a standard signature scheme whose message space is 𝓜_γ.

Now we define SKSP-TSs, in which verification keys, signing keys, and sig- 
natures (but not necessarily messages) consist only of group elements, and the 
correctness of signing keys with respect to verifications keys can be verified by 
PPEs. 

Definition 7 (Signing key structure-preserving (SKSP)). A γ-TS scheme
Σ = (Setup, Gen, Sign, Verify, TDSign) with message space 𝓜 is said to
be signing key structure-preserving over a bilinear group generator 𝒢 if we
have (a) T_Σ is an SPS scheme, (b) signing keys (rather than trapdoor keys)
consist only of group elements in 𝔾_1 and 𝔾_2, and (c) Σ satisfies the
condition (b) in Definition 4, where Verify(pk, m, Sign(sk, m; r)) = 1 is replaced
with Verify(pk, γ(m), Sign(sk, m; r)) = 1.

Note that different from FSPSs, messages are not required to be group elements 
in SKSP-TSs. 


3.2 Security of Trapdoor Signatures 

We now define the UF-CMA security of TSs. 

Definition 8 (UF-CMA of TSs). A γ-TS scheme (Setup, Gen, Sign, Verify,
TDSign) is said to be unforgeable against chosen message attacks (UF-CMA) if
for every probabilistic polynomial time (PPT) adversary 𝒜, we have

$$\Pr\bigl[\,par \le
ftarrow \mathrm{Setup}(1^\lambda),\ ((pk, sk), tk) \leftarrow \mathrm{Gen}(par),\ (M^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{SignO}(\cdot)}(par, pk) :\ M^* \notin Q_M \wedge M^* \in \mathcal{M}_\gamma \wedge \mathrm{Verify}(pk, M^*, \sigma^*) = 1\,\bigr] \le \mathrm{negl}(\lambda)$$

where SignO(·) is the signing oracle that takes as input m ∈ 𝓜, runs σ ←
Sign(sk, m), adds γ(m) ∈ 𝓜_γ to Q_M, and returns σ.
Unlike the UF-CMA security of standard signatures, a query m made by an
adversary is in 𝓜, the signing oracle records γ(m) ∈ 𝓜_γ, and the message M*
output by the adversary is in 𝓜_γ.

The UF-CMA security of TSs is similar to the F-unforgeability of standard
signatures defined by Belenkiy et al. [9]. Moreover, Libert et al. [35] gave an
instantiation of F-unforgeable signatures and combined it with a tagged one-
time signature scheme proposed by Abe et al. [2] to obtain a very efficient SPS
scheme. However, they neither provided generic constructions nor considered the
FSP property.

Now we show the relation between the UF-CMA security of Σ = (Setup, Gen,
Sign, Verify, TDSign) and that of T_Σ = (Setup, TGen, TDSign, Verify) in
Theorem 1. We refer the reader to the full paper for the proof.

Theorem 1. For a γ-TS scheme Σ = (Setup, Gen, Sign, Verify, TDSign), if T_Σ =
(Setup, TGen, TDSign, Verify) is UF-CMA secure, then Σ is UF-CMA secure.

Now we give the definitions of unforgeability against random message attacks 
(RMA), one-time chosen message attacks (otCMA), and one-time random mes- 
sage attacks (otRMA) of TSs. 

Definition 9 (UF-RMA, UF-otCMA, and UF-otRMA of TSs). The UF-RMA
security of TSs is the same as the UF-CMA security of TSs except that
to answer a signing query, SignO(·) randomly chooses m ← 𝓜 itself, runs σ ←
Sign(sk, m), adds γ(m) to Q_M (initialized with ∅), and returns (m, σ).

The UF-otCMA (respectively, UF-otRMA) security is the same as the UF-
CMA (respectively, UF-RMA) security of TSs, except that 𝒜 is only allowed to
make one query to the signing oracle SignO(·).

3.3 Converting Structure-Preserving Signatures into Signing Key 
Structure-Preserving Trapdoor Signatures 

Before showing our conversion, we define a class of SPSs called well-formed 
SPSs. Roughly speaking, for a well-formed SPS scheme, it is required that the 
spaces of randomness and exponents of messages are super-polynomially large 
in the security parameter, and generating a signature element only involves the 
group operation, while the scalars of group elements are computed as arithmetic 
circuits of elements in the signing key and the randomness. 

Definition 10 (Well-formed SPS). For an SPS scheme Σ, let 𝓜_1 × 𝓜_2 ×
... × 𝓜_n be the space of exponents (with [1]_1 and [1]_2 for bases) of elements
in a message,^6 and 𝓡_1 × 𝓡_2 × ... × 𝓡_{n'} the randomness space (for signing),
where n, n' ∈ N. Σ is said to be well-formed if (a) for all i, 𝓜_i, 𝓡_i ⊆ Z_p and
|𝓜_i| and |𝓡_i| are super-polynomial in the security parameter,^7 and (b)
generating a group element [B]_b where b ∈ {1, 2} in a signature only involves
computing

$$[B]_b = \sum_i \Bigl(\prod_j a_{ij}^{c_{ij}}\Bigr)[A_i]_b \qquad (1)$$

where {[A_i]_b}_i denotes elements appearing in the public parameters, the
message, and the signing key, {a_ij}_{i,j} denotes elements (in Z_p) appearing in
the signing key and the randomness for signing, and integer constants, and
{c_ij}_{i,j} denotes integer constants. Here, elements in {[A_i]_b}_i may
represent the same variables, and the same argument is made for {a_ij}_{i,j}.^8

6 We do not count repeated message spaces, e.g., when messages are of the form
([m]_1, [m]_2) where m ∈ Z_p, we have n = 1 and 𝓜_1 = Z_p.

Note that there is no requirement on the distributions of the elements other 
than the space sizes in the above definition, and as far as we know, all the existing 
SPSs are well-formed. Now we show that any well-formed SPS scheme can be 
converted into an SKSP-TS scheme. 

Theorem 2. Any well-formed SPS scheme, the messages of which are supposed
to be of the form ([M]_1, [N]_2), can be converted into a γ-SKSP-TS scheme for
γ defined by γ(M, N) = ([M]_1, [N]_2).

Schwartz-Zippel Lemma. Now we introduce the Schwartz-Zippel Lemma [38], based
on which we will give the proof of Theorem 2.

Lemma 1 ([38]). Let P ∈ F[x] be a non-zero polynomial of total degree d > 0
over a field F, S a finite subset of F, and r a randomness uniformly chosen from
S. Then, we have

$$\Pr[P(r) = 0] \le d/|S|.$$

This lemma indicates that a polynomial of degree d over Z_p has at most d roots.
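An added check of the statement just made (illustrative code, not from the paper): exhaustive root counting over Z_p for a small prime p, with helper names of this example's own choosing. The exact zero probability is compared with the bound d/|S|, a polynomial with d distinct roots in S is shown to meet the bound with equality, and the last check shows why the lemma requires a field: modulo the composite 8 the polynomial x^2 − 1 has four roots, more than its degree.

```python
# Added example: the "at most d roots" consequence of the Schwartz-Zippel lemma,
# checked by exhaustive evaluation over a small modulus. Polynomials are lists
# of coefficients, lowest degree first. Nothing here is from the paper.


def poly_eval(coeffs, x, m):
    """Evaluate sum_i coeffs[i] * x^i modulo m with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % m
    return acc


def poly_degree(coeffs, m):
    """Degree of the polynomial modulo m (-1 for the zero polynomial)."""
    for i in range(len(coeffs) - 1, -1, -1):
        if coeffs[i] % m != 0:
            return i
    return -1


def poly_from_roots(roots, m):
    """Coefficients of prod_r (x - r) modulo m; repeated roots are allowed."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % m      # c * x
            nxt[i] = (nxt[i] - c * r) % m          # -r * c
        coeffs = nxt
    return coeffs


def count_roots(coeffs, m, S):
    """Number of r in S with P(r) = 0 (mod m)."""
    return sum(1 for r in S if poly_eval(coeffs, r, m) == 0)


def zero_probability(coeffs, m, S):
    """Exact Pr[P(r) = 0] for r uniform in S, together with the bound d/|S|."""
    S = list(S)
    d = poly_degree(coeffs, m)
    return count_roots(coeffs, m, S) / len(S), d / len(S)


def lemma_holds(coeffs, m, S):
    """True iff the exact probability respects the Schwartz-Zippel bound."""
    prob, bound = zero_probability(coeffs, m, S)
    return prob <= bound


if __name__ == "__main__":
    p = 101                                 # a small prime, so Z_p is a field
    print(zero_probability(poly_from_roots([3, 7, 3], p), p, range(p)))
    print(count_roots([7, 0, 1], 8, range(8)))   # x^2 - 1 mod 8 has 4 roots > degree 2
```

The field requirement is not a formality: the proof argues that a non-zero degree-d polynomial has at most d roots, which needs the absence of zero divisors. Over Z_8 the factors (x − 1)(x + 1) vanish on 1, 3, 5 and 7, so a "degree d" bound would be wrong there.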

Proof (of Theorem 2). We divide the proof of Theorem 2 into two parts. In
the first part, we show that any well-formed SPS scheme can be converted into
a γ-TS scheme satisfying the conditions (a) and (b) of the SKSP property in
Definition 7. In the second part, we prove that the converted TS scheme also
satisfies the condition (c).

Part I. Let a group element in a signature be generated as Eq. ( 1 ). For all i such 
that {aij}j contains a set of variables in the signing key, denoted by {sij}j, we 
use c[- to denote the exponent of Sij in Eq. (1), and do the following conversion. 

7 It is not hard to see that an SPS scheme whose messages are of the form, e.g., 
([mi]i, [7712)2) where mi = m2 + 1 and mi, m2 G Z p , is not well-formed. However, 
such a scheme can be easily converted to a well-formed one by letting messages be 
of the form ([mi]i, [mi] 2) and compute [mi + 1)2 in signing and verification. 

8 For ease of understanding, we give an example here. Supposing that an ele- 

ment in a signature is generated as (7*1 si + riri)[f/]i + s^^Mji + [S] 1, 
where (7*1, 7*2), (si, S2, [S]i), [U] 1, and [M] 1 are respectively element(s) 
in the randomness, signing key, verification key, and message, then we 
express the formula as ( a ri a ( f)f)[A2\i + a^} 1 [^3] 1 + 

[Afii, where ([Ai]i, [A 2 ]i, [A3] 1, [A*]i, an, a i2 , 021, a 2 2, a 3 i) represents 
([U] i,[U]i, [M\ 1, [S]i, ri, si, 7*2, 7*1, S2) and (cn,c 12, C21, C22, C31) = ( 1 , 1 , 2 , 1 , — 1 ). 
- If $[A_i]_b$ is in the message, then we add $[\prod_j s_{ij}^{c_{ij}}]_b$ to the signing key.
- Otherwise (i.e., if $[A_i]_b$ is in the signing key or the verification key), then we add $[(\prod_j s_{ij}^{c_{ij}}) A_i]_b$ to the signing key.

For all other group elements in the signature, we execute the same conversion. Then we remove all elements in $\mathbb{Z}_p$, all repeated elements, and all elements never used in the signing procedure from the original signing key, and set the original signing key as the trapdoor key.

By using the new signing key, we can generate a signature consisting of group elements of the form of Eq. (1) when taking as input a message consisting of $M_1, M_2, \ldots, N_1, N_2, \ldots \in \mathbb{Z}_p$, which forms the signing algorithm of the resulting $\gamma$-TS scheme. Furthermore, taking as input $[M_1]_1, [M_2]_1, \ldots, [N_1]_2, [N_2]_2, \ldots$ and the trapdoor key, we can generate the same signature if the randomness is the same, by using the original signing algorithm. As a result, we have obtained a $\gamma$-TS scheme for $\gamma(M, N) = ([M]_1, [N]_2)$.

It is straightforward to see that in this $\gamma$-TS scheme, the verification keys, signing keys, and signatures consist only of group elements in $\mathbb{G}_1$ and $\mathbb{G}_2$, and the verification consists only of evaluating membership in $\mathbb{G}_1$ and $\mathbb{G}_2$ and relations described by PPEs. This completes the first part of the proof. Here, the verification key size, signature size, and number of PPEs do not change during the conversion, while the signing key size changes depending on the concrete construction of the SPS scheme.⁹

Part II. Next we prove that for the above $\gamma$-TS scheme, there exists an algorithm that can check the correctness of signing keys with respect to verification keys by using only PPEs.

Since a group element in the signature is computed as in Eq. (1), and a group element $[M]_1$ or $[N]_2$ in the message can be treated as $M[1]_1$ or $N[1]_2$, a PPE in the verification algorithm can be written as

$\sum_i \left(\prod_j x_{ij}^{c_{ij}}\right)[X_i]_T = [0]_T$, (2)

where $\{x_{ij}\}_{ij}$ denotes elements in the randomness, exponents of the message, and integer constants, $\{c_{ij}\}_{ij}$ denotes integer constants, and $\{[X_i]_T\}_i$ denotes pairings between elements in the verification key and the signing key. Here, elements in $\{x_{ij}\}_{ij}$ may represent the same variables, and the same holds for $\{[X_i]_T\}_i$.

We now show how to obtain PPEs that check the correctness of signing keys with respect to verification keys as follows. Let $\mathcal{E}$ be the set of all the distinct variables in $\{x_{ij}\}_{ij}$ (not including constants). Then for any $x \in \mathcal{E}$, we rewrite Eq. (2) as

$\sum_i d_i [Y_i]_T = [0]_T$, (3)


⁹ In the worst case, the resulting signing key size is the total number of elements in all $\{[A_i]_b\}_i$.
where $\{d_i\}_i$ denotes fixed polynomials and $\{[Y_i]_T\}_i$ denotes elements in $\mathbb{G}_T$. Since the SPS scheme is well-formed, the left hand side of Eq. (3) can be treated as a polynomial in $x$ by fixing all $[Y_i]_T$. We rewrite Eq. (3) as

$[P_0]_T + x[P_1]_T + \cdots + x^n[P_n]_T = [0]_T$, (4)

for some fixed polynomial $n$, where $[P_k]_T$ denotes the sum of the coefficients of $x^k$. According to the definition of well-formed SPSs, since the space of $x$ is super-polynomial (in the security parameter) and $n$ is a polynomial (in the security parameter), the number of possible values of $x$ is larger than $n$ for sufficiently large security parameters. As a result, if Eq. (4) holds for all possible values of $x$, we have

$[P_0]_T = [0]_T, \ [P_1]_T = [0]_T, \ \ldots, \ [P_n]_T = [0]_T$, (5)

since otherwise the left hand side of Eq. (4) would be a non-zero polynomial of degree at most $n$ with more than $n$ roots, contradicting the Schwartz-Zippel lemma (Lemma 1). On the other hand, it is obvious that if the PPEs in (5) hold, Eq. (4) holds for any $x$. For each $[P_i]_T = [0]_T$, we cancel another variable in $\mathcal{E}$ in the same way. Recursively, all the variables in the PPEs of the verification algorithm can be cancelled, and we finally obtain a collection of PPEs of the form

$\sum_i c'_i [X'_i]_T = [0]_T$,

where $\{c'_i\}_i$ denotes fixed integers, $\{[X'_i]_T\}_i$ denotes pairings between elements in the verification key and the signing key, and elements in $\{[X'_i]_T\}_i$ may represent the same variables. Since this collection of PPEs holds if and only if the PPEs in the verification algorithm hold for all possible randomness and messages, we obtain an algorithm that takes as input a verification/signing key pair and checks its correctness using this collection of PPEs.¹⁰

In conclusion, any well-formed SPS scheme can be converted into an SKSP-TS scheme, completing the proof of Theorem 2. □

Remark. It is not hard to see that the latter half of the proof can also be adapted to show that for a well-formed SPS scheme, if signing keys consist only of group elements, then it is an FSPS scheme.


3.4 Instantiations of Trapdoor Signature 

UF-CMA secure TS scheme. Using the conversion described in the proof of Theorem 2, we can convert well-formed SPSs into SKSP-TSs. For ease of understanding, we give an instantiation of a $\gamma$-TS scheme $\Sigma$ = (Setup, Gen, Sign, Verify, TDSign) in Fig. 1, which is converted from the SPS scheme (denoted by $\Sigma_{\mathcal{T}}$ = (Setup, $\mathcal{T}_{\mathsf{Gen}}$, TDSign, Verify)) proposed by Kiltz et al. [31]. Here, $\Sigma_{\mathcal{T}}$ is UF-CMA secure under the $\mathcal{U}_k$-MDDH assumptions and $\gamma : \mathbb{Z}_p^n \to \mathbb{G}_1^n$ is defined by $\gamma(x_1, \ldots, x_n) = ([x_1]_1, \ldots, [x_n]_1)$, where $n$ denotes the number of group elements in a message.

¹⁰ The number of PPEs we finally obtain is smaller than the number of elements in $\{[X_i]_T\}_i$ in PPEs of the form of Eq. (2).

To generate a signature of $\Sigma_{\mathcal{T}}$, $\sigma_1 = [(1, m^{\top})]_1 K + r^{\top}[P_0 + \tau P_1]_1$ is the only part that needs to be computed by using the "$\mathbb{Z}_p$-elements" $K \in \mathbb{Z}_p^{(n+1)\times(k+1)}$ of the signing key. Following our conversion, we replace $K$ with $[K]_1$ in the signing key, and keep the original signing key as the trapdoor key. By using $[K]_1$, we can compute $\sigma_1$ as $(1, m^{\top})[K]_1 + r^{\top}[P_0 + \tau P_1]_1$. Furthermore, we obtain PPEs that check the correctness of signing keys as follows.

$e(\sigma_1, [A]_2) = e([(1, m^{\top})]_1, [C]_2) + e(\sigma_2, [C_0]_2) + e(\sigma_3, [C_1]_2)$

$\Leftrightarrow e((1, m^{\top})[K]_1 + r^{\top}[P_0 + \tau P_1]_1, [A]_2) = e([(1, m^{\top})]_1, [C]_2) + e(r^{\top}[B^{\top}]_1, [C_0]_2) + e(r^{\top}[B^{\top}\tau]_1, [C_1]_2)$ (rewrite the first equation in Verify)

$\Rightarrow \begin{cases} e((1, m^{\top})[K]_1 + r^{\top}[P_0]_1, [A]_2) = e([(1, m^{\top})]_1, [C]_2) + e(r^{\top}[B^{\top}]_1, [C_0]_2), \\ e(r^{\top}[P_1]_1, [A]_2) = e(r^{\top}[B^{\top}]_1, [C_1]_2), \end{cases}$ (cancelling $\tau$)

$\Rightarrow \begin{cases} e((1, m^{\top})[K]_1, [A]_2) = e([(1, m^{\top})]_1, [C]_2), \\ e([P_0]_1, [A]_2) = e([B^{\top}]_1, [C_0]_2), \\ e([P_1]_1, [A]_2) = e([B^{\top}]_1, [C_1]_2), \end{cases}$ (cancelling $r$)

$\Rightarrow \begin{cases} e([K]_1, [A]_2) = e([1]_1, [C]_2), \\ e([P_0]_1, [A]_2) = e([B^{\top}]_1, [C_0]_2), \\ e([P_1]_1, [A]_2) = e([B^{\top}]_1, [C_1]_2). \end{cases}$ (cancelling $m$)

Then we rewrite the second equation $e(\sigma_2, \sigma_4) = e(\sigma_3, [1]_2)$ as $e(r^{\top}[B^{\top}]_1, [\tau]_2) = e(r^{\top}[B^{\top}\tau]_1, [1]_2)$. By cancelling $r$ and $\tau$, we obtain $e([B^{\top}]_1, [1]_2) = e([B^{\top}]_1, [1]_2)$, which is trivial.¹¹

Finally, we obtain the algorithm VerifySK checking the correctness of signing keys with respect to verification keys via the above three PPEs (derived from $\Rightarrow$).

Theorem 3. The instantiation described in Fig. 1 is a UF-CMA secure $\gamma$-SKSP-TS scheme under the $\mathcal{U}_k$-MDDH assumptions.

The SKSP property of this instantiation is implied by Theorem 2 and the UF-CMA security is implied by Theorem 1. We refer the reader to the full paper for the proof of Theorem 3.

UF-otRMA secure TS scheme. In Fig. 2, we give another instantiation of TS which satisfies UF-otRMA security under the $\mathcal{U}_k$-MDDH assumptions. This scheme is converted from the UF-otRMA secure SPS scheme in [31]. The proof of correctness is straightforward, and the correctness of a signing key with respect to a verification key can be verified by VerifySK via $e([K]_1, [A]_2) = e([1]_1, [C]_2)$.

Unlike the UF-CMA security proved in Theorem 1, the UF-otRMA security of $\Sigma$ = (Setup, Gen, Sign, Verify, TDSign) is not automatically implied by the UF-otRMA security of $\Sigma_{\mathcal{T}}$ = (Setup, $\mathcal{T}_{\mathsf{Gen}}$, TDSign, Verify). However, according

¹¹ Note that for simplicity, we sometimes directly cancelled vectors in the above conversion, instead of following the proof of Theorem 2 to cancel elements one by one.
Setup($1^\lambda$):
  $par = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, [1]_1, [1]_2) \leftarrow \mathcal{G}(1^\lambda)$.
  For a preliminarily fixed $n \in \mathbb{N}$, define $\mathcal{M} = \mathbb{Z}_p^n$ and $\mathcal{M}^\gamma = \mathbb{G}_1^n$.
  Define $\gamma$ by $\gamma(m_1, \ldots, m_n) = ([m_1]_1, \ldots, [m_n]_1)$.
  Return $par$.

Gen($par$):
  $A, B \leftarrow \mathcal{U}_k$, $K \leftarrow \mathbb{Z}_p^{(n+1)\times(k+1)}$, $K_0, K_1 \leftarrow \mathbb{Z}_p^{(k+1)\times(k+1)}$.
  $C = KA \in \mathbb{Z}_p^{(n+1)\times k}$, $C_0 = K_0 A \in \mathbb{Z}_p^{(k+1)\times k}$, $C_1 = K_1 A \in \mathbb{Z}_p^{(k+1)\times k}$,
  $P_0 = B^{\top} K_0 \in \mathbb{Z}_p^{k\times(k+1)}$, $P_1 = B^{\top} K_1 \in \mathbb{Z}_p^{k\times(k+1)}$.
  $pk = ([C_0]_2, [C_1]_2, [C]_2, [A]_2)$,
  $sk = (\boxed{[K]_1}, [P_0]_1, [P_1]_1, [B]_1)$,
  $tk = \boxed{(K, [P_0]_1, [P_1]_1, [B]_1)}$.
  Return $(pk, sk)$ and $tk$.

VerifySK($pk, sk$):
  Return 1 if $e([K]_1, [A]_2) = e([1]_1, [C]_2)$, $e([P_0]_1, [A]_2) = e([B^{\top}]_1, [C_0]_2)$, and $e([P_1]_1, [A]_2) = e([B^{\top}]_1, [C_1]_2)$.
  Return 0 otherwise.

Sign($sk, m$):
  $r \leftarrow \mathbb{Z}_p^k$, $\tau \leftarrow \mathbb{Z}_p$.
  $\sigma_1 = (1, m^{\top})[K]_1 + r^{\top}[P_0 + \tau P_1]_1$, $\sigma_2 = r^{\top}[B^{\top}]_1$, $\sigma_3 = r^{\top}[B^{\top}\tau]_1$, $\sigma_4 = [\tau]_2 \in \mathbb{G}_2$.
  Return $(\sigma_1, \sigma_2, \sigma_3, \sigma_4) \in \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_2$.

Verify($pk, [m]_1, \sigma$):
  Parse $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4)$.
  Return 1 if $e(\sigma_1, [A]_2) = e([(1, m^{\top})]_1, [C]_2) + e(\sigma_2, [C_0]_2) + e(\sigma_3, [C_1]_2)$ and $e(\sigma_2, \sigma_4) = e(\sigma_3, [1]_2)$.
  Return 0 otherwise.

TDSign($tk, [m]_1$):
  $r \leftarrow \mathbb{Z}_p^k$, $\tau \leftarrow \mathbb{Z}_p$.
  $\sigma_1 = [(1, m^{\top})]_1 K + r^{\top}[P_0 + \tau P_1]_1$, $\sigma_2 = r^{\top}[B^{\top}]_1$, $\sigma_3 = r^{\top}[B^{\top}\tau]_1$, $\sigma_4 = [\tau]_2 \in \mathbb{G}_2$.
  Return $(\sigma_1, \sigma_2, \sigma_3, \sigma_4) \in \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_1^{1\times(k+1)} \times \mathbb{G}_2$.

Fig. 1. A UF-CMA secure $\gamma$-TS scheme adapted from [31, Sect. 4.2]. The boxes indicate the main differences from the original scheme in [31].


to [31], the proof of the UF-otRMA security of $\Sigma_{\mathcal{T}}$ remains valid even when an adversary sees the exponents of the messages from the signing oracle, which implies the UF-otRMA security of $\Sigma$. We refer the reader to [31] for details of the proof.
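The following Python is an added illustration of the $\gamma$-TS scheme of Fig. 1 and of the VerifySK equations derived for it; it is not code from the paper or from [31]. It works in an exponent-level model: every group element $[X]_b$ is stored as its discrete logarithm $X \in \mathbb{Z}_p$, group addition becomes addition mod $p$, and a pairing $e([X]_1, [Y]_2)$ becomes the product $XY$ mod $p$, so each PPE turns into the matrix identity it encodes ($KA = C$, $P_0 A = B^{\top} C_0$, $P_1 A = B^{\top} C_1$ for VerifySK). The modulus `P` is a constructed toy prime rather than a pairing-friendly group order, and the model is insecure by construction (the "group elements" are their own discrete logs), so it checks only the algebra: an honestly generated signing key passes VerifySK and its signatures verify, Sign with $[K]_1$ and TDSign with $K$ agree for the same $(r, \tau)$, and a signing key whose $K$ has been replaced is rejected by VerifySK and produces signatures that Verify rejects. All function names are the example's own.

```python
"""Exponent-level model of the gamma-TS scheme of Fig. 1 (added example, not the paper's code).
[X]_1 and [X]_2 are stored as X in Z_p, e([X]_1,[Y]_2) becomes X*Y mod p and group addition
becomes addition mod p, so every PPE is checked as the matrix identity it encodes.
Insecure by construction: the "group elements" are their own discrete logs."""
import secrets

P = 2**61 - 1  # constructed toy modulus (a prime); stands in for the group order p

def rand_mat(rows, cols):
    return [[secrets.randbelow(P) for _ in range(cols)] for _ in range(rows)]

def mat_mul(X, Y):
    assert len(X[0]) == len(Y), "dimension mismatch"
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_add(X, Y):
    return [[(x + y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mat_scale(s, X):
    return [[s * x % P for x in row] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def ts_gen(n, k):
    """Gen(par) of Fig. 1 for messages in Z_p^n; k is the U_k-MDDH parameter."""
    A, B = rand_mat(k + 1, k), rand_mat(k + 1, k)             # A, B <- U_k
    K = rand_mat(n + 1, k + 1)                                 # K <- Z_p^{(n+1)x(k+1)}
    K0, K1 = rand_mat(k + 1, k + 1), rand_mat(k + 1, k + 1)
    C, C0, C1 = mat_mul(K, A), mat_mul(K0, A), mat_mul(K1, A)
    Bt = transpose(B)
    P0, P1 = mat_mul(Bt, K0), mat_mul(Bt, K1)                  # P_i = B^T K_i
    pk = (C0, C1, C, A)        # ([C0]_2, [C1]_2, [C]_2, [A]_2)
    sk = (K, P0, P1, B)        # ([K]_1, [P0]_1, [P1]_1, [B]_1): K only as group elements
    tk = (K, P0, P1, B)        # (K, [P0]_1, [P1]_1, [B]_1): K as Z_p exponents
    return pk, sk, tk

def ts_verify_sk(pk, sk):
    """VerifySK of Fig. 1, i.e. the PPEs left after cancelling tau, r and m:
    K*A = C, P0*A = B^T*C0 and P1*A = B^T*C1 at the exponent level."""
    C0, C1, C, A = pk
    K, P0, P1, B = sk
    Bt = transpose(B)
    return (mat_mul(K, A) == C and mat_mul(P0, A) == mat_mul(Bt, C0)
            and mat_mul(P1, A) == mat_mul(Bt, C1))

def _sigma(K, P0, P1, B, m, r, tau):
    row = [[1] + [x % P for x in m]]                           # (1, m^T)
    rt = transpose(r)                                          # r^T
    sigma1 = mat_add(mat_mul(row, K), mat_mul(rt, mat_add(P0, mat_scale(tau, P1))))
    sigma2 = mat_mul(rt, transpose(B))                         # r^T [B^T]_1
    sigma3 = mat_scale(tau, sigma2)                            # r^T [B^T tau]_1
    return sigma1, sigma2, sigma3, tau                         # sigma4 = [tau]_2

def ts_sign(sk, m, r=None, tau=None):
    """Sign(sk, m) for m in Z_p^n; (1, m^T)[K]_1 needs only scalar-times-group-element
    operations, so the signer never holds K itself."""
    K, P0, P1, B = sk
    r = r if r is not None else rand_mat(len(B[0]), 1)         # r <- Z_p^k
    tau = tau if tau is not None else secrets.randbelow(P)     # tau <- Z_p
    return _sigma(K, P0, P1, B, m, r, tau)

def ts_tdsign(tk, m, r=None, tau=None):
    """TDSign(tk, [m]_1): [(1, m^T)]_1 K multiplies group elements by the Z_p matrix K.
    In this model [m]_1 is the vector m again, so both paths compute the same values;
    TS correctness is exactly that agreement for equal (r, tau)."""
    K, P0, P1, B = tk
    r = r if r is not None else rand_mat(len(B[0]), 1)
    tau = tau if tau is not None else secrets.randbelow(P)
    return _sigma(K, P0, P1, B, m, r, tau)

def ts_verify(pk, m, sig):
    """Verify(pk, [m]_1, sigma): the two PPEs of Fig. 1 at the exponent level."""
    C0, C1, C, A = pk
    s1, s2, s3, s4 = sig
    row = [[1] + [x % P for x in m]]
    lhs = mat_mul(s1, A)                                       # e(sigma1, [A]_2)
    rhs = mat_add(mat_add(mat_mul(row, C), mat_mul(s2, C0)), mat_mul(s3, C1))
    return lhs == rhs and mat_scale(s4, s2) == s3              # e(sigma2, sigma4) = e(sigma3, [1]_2)

def demo(n=2, k=1):
    """(honest sk passes VerifySK, honest signature verifies,
    sk with substituted K fails VerifySK, its signature fails Verify)."""
    pk, sk, _tk = ts_gen(n, k)
    m = [secrets.randbelow(P) for _ in range(n)]              # constructed message
    K, P0, P1, B = sk
    bad_sk = (rand_mat(n + 1, k + 1), P0, P1, B)              # K replaced, rest kept
    return (ts_verify_sk(pk, sk), ts_verify(pk, m, ts_sign(sk, m)),
            ts_verify_sk(pk, bad_sk), ts_verify(pk, m, ts_sign(bad_sk, m)))
```

The tampered-key checks in `demo` fail only with probability about $1/p$ per run: a random $K'$ satisfies $K'A = C$, or $(1, m^{\top})(K'A - C) = 0$, only by accident, which is the same reason the coefficient-matching argument of Theorem 2 needs a super-polynomial variable space.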



Fig. 2. A UF-otRMA secure $\gamma$-SKSP-TS scheme adapted from [31, Sect. 5.2]. The boxes indicate the main differences from the original scheme in [31].


4 (Two-tier) Signatures with Auxiliary Key(s) 

In this section, we introduce AKSs, which are used as building blocks to achieve our generic construction of FSPS. In Sect. 4.1, we give the definition of AKSs, define their properties, and give an instantiation of AKS. In Sect. 4.2, we extend AKS to TT-AKS and give an instantiation of TT-AKS.

4.1 Signature with Auxiliary Key 

Definition. Roughly speaking, a $\gamma$-AKS scheme is a signature scheme in which the key generation algorithm additionally generates auxiliary keys, and the verification key space and the auxiliary key space have a special (but natural) structure related by $\gamma$.

Definition 11 ($\gamma$-signature with auxiliary key ($\gamma$-AKS)). A signature scheme $\Sigma$ = (Setup, Gen, Sign, Verify) with verification key space $\mathcal{V}^\gamma$ is said to be a $\gamma$-AKS scheme for an efficiently computable bijection $\gamma : \mathcal{V} \to \mathcal{V}^\gamma$ if in addition to the verification/signing key pair $(pk, sk)$, Gen also outputs an auxiliary key $ak \in \mathcal{V}$ such that $pk = \gamma(ak)$.

Security. The UF-(ot)CMA security and UF-(ot)RMA security of $\gamma$-AKSs are exactly the same as those of standard signatures except that Gen additionally generates $ak$.

Key generation algorithm $\mathcal{U}_{\mathsf{Gen}}$. Similarly to $\mathcal{T}_{\mathsf{Gen}}$ defined in Sect. 3.1, we use $\mathcal{U}_{\mathsf{Gen}}$ to denote an algorithm that runs Gen, the key generation algorithm of a $\gamma$-AKS scheme, in the following way.

Taking as input a public parameter $par$, $\mathcal{U}_{\mathsf{Gen}}$ gives $par$ to Gen and obtains an output $((pk, sk), ak)$. Then $\mathcal{U}_{\mathsf{Gen}}$ outputs $(pk, sk)$ as a verification/signing key pair, without outputting $ak$. We use $\Sigma_{\mathcal{U}}$ to denote (Setup, $\mathcal{U}_{\mathsf{Gen}}$, Sign, Verify) when $\Sigma$ = (Setup, Gen, Sign, Verify).

Just like SPSs, we consider $\gamma$-AKSs with the SP property.

Definition 12 ($\gamma$-SP-AKS). A $\gamma$-AKS scheme $\Sigma$ is said to be a $\gamma$-SP-AKS scheme if $\Sigma_{\mathcal{U}}$ is an SPS scheme.

Converting SPSs into SP-AKSs. It is straightforward to see that any SPS scheme with an algebraic key generation algorithm, whose public keys are of the form $([u]_1, [v]_2)$, can be converted into a $\gamma$-SP-AKS scheme where $\gamma$ is defined by $\gamma(u, v) = ([u]_1, [v]_2)$, since we can force the setup of any SPS to output no common parameter except for the bilinear map description, and let the key generation algorithm additionally output $(u, v)$.

We now define the random auxiliary key property for AKSs. 

Definition 13 (Random auxiliary key property). A $\gamma$-AKS scheme (Setup, Gen, Sign, Verify) with auxiliary key space $\mathcal{V}$ is said to satisfy the random auxiliary key property if there exists an additional algorithm AKGen that takes as input $par$ and an auxiliary key $ak$, and outputs a verification/signing key pair $(pk, sk)$ where $\gamma(ak) = pk$. Furthermore, for any PPT adversary $\mathcal{A}$ and all $\lambda \in \mathbb{N}$, we have

$\left| \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{GenO}}(par) = 1] - \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{AKGenO}}(par) = 1] \right| \le \mathsf{negl}(\lambda)$,

where GenO runs $((pk, sk), ak) \leftarrow \mathsf{Gen}(par)$ and returns $(pk, sk, ak)$, and AKGenO uniformly chooses $ak$ from $\mathcal{V}$, runs $(pk, sk) \leftarrow \mathsf{AKGen}(par, ak)$, and returns $(pk, sk, ak)$.

Instantiation of AKS. Now we give an instantiation of AKS satisfying UF-otCMA security under the $\mathcal{U}_k$-MDDH assumptions (see the full paper) in Fig. 3. This signature scheme is actually the same as the UF-otCMA secure signature scheme in [31] except that Gen additionally outputs the exponents of a verification key as an auxiliary key. For this instantiation, the bijection $\gamma$ is defined by $\gamma(X) = [X]_2 \in \mathbb{G}_2^{(n+1)\times k} \times \mathbb{G}_2^{(k+1)\times k}$, where $n$ denotes the length of a message.

We refer the reader to [31] for the proof of the UF-otCMA security of this instantiation.


Setup($1^\lambda$):
  $par = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, [1]_1, [1]_2) \leftarrow \mathcal{G}(1^\lambda)$.
  For a preliminarily fixed $n \in \mathbb{N}$, define $\mathcal{M} = \mathbb{Z}_p^n$, $\mathcal{M}^\gamma = \mathbb{G}_1^n$,
  $\mathcal{V} = \mathbb{Z}_p^{(n+1)\times k} \times \mathbb{Z}_p^{(k+1)\times k}$, and $\mathcal{V}^\gamma = \mathbb{G}_2^{(n+1)\times k} \times \mathbb{G}_2^{(k+1)\times k}$.
  Define $\gamma$ by $\gamma(X) = [X]_2 \in \mathbb{G}_2^{(n+1)\times k} \times \mathbb{G}_2^{(k+1)\times k}$.
  Return $par$.

Gen($par$):
  $A \leftarrow \mathcal{U}_k$, $K \leftarrow \mathbb{Z}_p^{(n+1)\times(k+1)}$, $C = KA \in \mathbb{Z}_p^{(n+1)\times k}$.
  $pk = ([C]_2, [A]_2)$, $sk = K$, and $ak = (C, A)$.
  Return $(pk, sk)$ and $ak$.

AKGen($par, ak$):
  Parse $ak = (C, A)$.
  Let $A = \begin{pmatrix} \bar{A} \\ \underline{a}^{\top} \end{pmatrix}$, where $\bar{A} \in \mathbb{Z}_p^{k\times k}$ and $\underline{a} \in \mathbb{Z}_p^{k}$.
  $\mathbf{k} \leftarrow \mathbb{Z}_p^{n+1}$, $\bar{K} = (C - \mathbf{k}\underline{a}^{\top})\bar{A}^{-1}$, $K = (\bar{K}, \mathbf{k})$.
  $pk = ([C]_2, [A]_2)$, $sk = K$, $ak = (C, A)$.
  Return $(pk, sk)$ and $ak$.

Sign($sk, [m]_1$):
  $\sigma = [(1, m^{\top})]_1 K \in \mathbb{G}_1^{1\times(k+1)}$.

Verify($pk, [m]_1, \sigma$):
  Return 1 if $e(\sigma, [A]_2) = e([(1, m^{\top})]_1, [C]_2)$.
  Return 0 otherwise.

Fig. 3. A UF-otCMA secure $\gamma$-SP-AKS scheme adapted from [31, Sect. 3].


Theorem 4. The instantiation described in Fig. 3 satisfies the random auxiliary key property.

The proof follows from the fact that when the distribution of $C$ is uniform, the distribution of $\bar{K} = (C - \mathbf{k}\underline{a}^{\top})\bar{A}^{-1}$ is uniform as well. We give the proof of Theorem 4 in the full paper due to the page limitation.


4.2 Two-Tier Signature with Auxiliary Keys 

Definition. Besides AKSs, we also give the definition of $(\gamma_p, \gamma_s)$-TT-AKSs, which is the same as that of two-tier signatures [1,12,32] except that the key generation algorithms additionally generate primary/secondary auxiliary keys. The primary/secondary verification key spaces and the primary/secondary auxiliary key spaces have a special (but natural) structure related by $\gamma_p$/$\gamma_s$. Combining SP-TT-AKSs with SKSP-TSs enables us to obtain more efficient instantiations of FSPS and FAS.
Definition 14 ($(\gamma_p, \gamma_s)$-TT-AKS). A $(\gamma_p, \gamma_s)$-TT-AKS scheme consists of five polynomial-time algorithms Setup, PGen, SGen, TTSign, and TTVerify. Setup is a randomized algorithm that takes as input $1^\lambda$, and outputs a public parameter $par$, which determines the message space $\mathcal{M}$, the primary/secondary verification key spaces $\mathcal{V}^\gamma$/$\mathcal{S}^\gamma$, the primary/secondary auxiliary key spaces $\mathcal{V}$/$\mathcal{S}$, and the efficiently computable bijections $\gamma_p : \mathcal{V} \to \mathcal{V}^\gamma$ and $\gamma_s : \mathcal{S} \to \mathcal{S}^\gamma$. PGen is a randomized algorithm that takes as input $par$, and outputs a primary verification/signing key pair $(Ppk, Psk)$ where $Ppk \in \mathcal{V}^\gamma$ and a primary auxiliary key $Pak \in \mathcal{V}$. SGen is a randomized algorithm that takes as input a primary verification/signing key pair $(Ppk, Psk)$ and a primary auxiliary key $Pak$, and outputs a secondary verification/signing key pair $(opk, osk)$ where $opk \in \mathcal{S}^\gamma$ and a secondary auxiliary key $oak \in \mathcal{S}$. TTSign is a randomized algorithm that takes as input a primary signing key $Psk$, a secondary signing key $osk$, and a message $m$, and returns a signature $\sigma$. TTVerify is a deterministic algorithm that takes as input a primary verification key $Ppk$, a secondary verification key $opk$, a message $m$, and a signature $\sigma$, and returns 1 (accept) or 0 (reject).

Correctness is satisfied if for all $\lambda \in \mathbb{N}$, $par \leftarrow \mathsf{Setup}(1^\lambda)$, $((Ppk, Psk), Pak) \leftarrow \mathsf{PGen}(par)$, and $((opk, osk), oak) \leftarrow \mathsf{SGen}(Ppk, Psk, Pak)$, we have (a) $\mathsf{TTVerify}(Ppk, opk, m, \mathsf{TTSign}(Psk, osk, m)) = 1$ for all messages $m \in \mathcal{M}$, and (b) $\gamma_p(Pak) = Ppk$ and $\gamma_s(oak) = opk$.

Unlike the definition of standard two-tier signatures, SGen takes as input $(Ppk, Psk, Pak)$ (instead of $(Ppk, Psk)$) in the above definition. However, the interface of SGen is not essentially changed, since $Pak$ can be treated as part of $Psk$.

Security. Now we give the definition of unforgeability against two-tier chosen message attacks (UF-TT-CMA).

Definition 15 (UF-TT-CMA). A TT-AKS scheme (Setup, PGen, SGen, TTSign, TTVerify) is said to be unforgeable against two-tier chosen message attacks if for any PPT adversary $\mathcal{A}$, we have

$\Pr[par \leftarrow \mathsf{Setup}(1^\lambda),\ ((Ppk, Psk), Pak) \leftarrow \mathsf{PGen}(par),\ (i^*, m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathsf{TTSignO}(\cdot)}(Ppk) :\ (i^*, m) \in T_{Qm} \wedge m^* \neq m \wedge \mathsf{TTVerify}(Ppk, opk_{i^*}, m^*, \sigma^*) = 1] \le \mathsf{negl}(\lambda)$,

where TTSignO($\cdot$) is the signing oracle that takes a message $m \in \mathcal{M}$ as input, runs $i = i + 1$ (initialized with 0), samples $((opk_i, osk_i), oak_i) \leftarrow \mathsf{SGen}(Ppk, Psk, Pak)$, and computes $\sigma \leftarrow \mathsf{TTSign}(Psk, osk_i, m)$. Then it adds $(i, m)$ to $T_{Qm}$ (initialized with $\emptyset$) and returns $(opk_i, \sigma)$.

Next we define the SP property of TT-AKS as follows. 

Definition 16 (Structure-preserving TT-AKS (SP-TT-AKS)). A TT-AKS scheme is said to be structure-preserving over a bilinear group generator $\mathcal{G}$ if we have (a) a public parameter includes a group description $gk$ generated by $\mathcal{G}$, (b) primary and secondary verification keys consist of group elements in $\mathbb{G}_1$ and $\mathbb{G}_2$, (c) messages consist of group elements in $\mathbb{G}_1$ and $\mathbb{G}_2$, and (d) the verification algorithm consists only of evaluating membership in $\mathbb{G}_1$ and $\mathbb{G}_2$ and relations described by PPEs.

Converting SP two-tier signatures into SP-TT-AKSs. Like SP-AKSs, an SP two-tier signature scheme whose primary and secondary verification keys are of the form $([u]_1, [v]_2)$ and $([u']_1, [v']_2)$ respectively can be converted into a $(\gamma_p, \gamma_s)$-SP-TT-AKS scheme, where $\gamma_p$ and $\gamma_s$ are defined as $\gamma_p(u, v) = ([u]_1, [v]_2)$ and $\gamma_s(u', v') = ([u']_1, [v']_2)$ respectively, as long as the key generation algorithms are algebraic and primary signing keys consist only of elements in $\mathbb{Z}_p$.¹²

We define the random primary and secondary auxiliary key properties of TT-AKSs as follows.

Definition 17 (Random primary/secondary auxiliary key properties). A $(\gamma_p, \gamma_s)$-TT-AKS scheme (Setup, PGen, SGen, TTSign, TTVerify) is said to satisfy the random primary auxiliary key property if there exists an additional polynomial-time algorithm AKPGen that takes as input $par$ and a primary auxiliary key $Pak$, and outputs a primary verification/signing key pair $(Ppk, Psk)$ where $\gamma_p(Pak) = Ppk$. Furthermore, for any PPT adversary $\mathcal{A}$ and all $\lambda \in \mathbb{N}$, we have

$\left| \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{PGenO}}(par) = 1] - \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{AKPGenO}}(par) = 1] \right| \le \mathsf{negl}(\lambda)$,

where PGenO runs $((Ppk, Psk), Pak) \leftarrow \mathsf{PGen}(par)$ and returns $((Ppk, Psk), Pak)$, and AKPGenO uniformly chooses $Pak$ from the primary auxiliary key space $\mathcal{V}$, runs $(Ppk, Psk) \leftarrow \mathsf{AKPGen}(par, Pak)$, and returns $((Ppk, Psk), Pak)$.

Furthermore, it is said to satisfy the random secondary auxiliary key property if there exists another polynomial-time algorithm AKSGen that takes as input a primary verification/signing key pair $(Ppk, Psk)$, a primary auxiliary key $Pak$, and a secondary auxiliary key $oak$, and outputs a secondary verification/signing key pair $(opk, osk)$ where $\gamma_s(oak) = opk$. Furthermore, for any PPT adversary $\mathcal{A}$ and all $\lambda \in \mathbb{N}$, we have

$\left| \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{SGenO}(\cdot)}(par) = 1] - \Pr[par \leftarrow \mathsf{Setup}(1^\lambda) : \mathcal{A}^{\mathsf{AKSGenO}(\cdot)}(par) = 1] \right| \le \mathsf{negl}(\lambda)$.

Here, on input a polynomial $n = n(\lambda)$, SGenO($\cdot$) runs $((Ppk, Psk), Pak) \leftarrow \mathsf{PGen}(par)$ and $((opk_i, osk_i), oak_i) \leftarrow \mathsf{SGen}(Ppk, Psk, Pak)$ for $i = 1, \ldots, n$, and returns $(Ppk, Psk, Pak, \{(opk_i, osk_i, oak_i)\}_{i=1}^n)$. On input a polynomial $n = n(\lambda)$, AKSGenO($\cdot$) runs $((Ppk, Psk), Pak) \leftarrow \mathsf{PGen}(par)$, uniformly chooses $oak_i$ from the secondary auxiliary key space $\mathcal{S}$, runs $(opk_i, osk_i) \leftarrow \mathsf{AKSGen}(Ppk, Psk, Pak, oak_i)$ for $i = 1, \ldots, n$, and returns $(Ppk, Psk, Pak, \{(opk_i, osk_i, oak_i)\}_{i=1}^n)$.

¹² If a primary signing key consists of group elements, PGen may have trouble outputting secondary auxiliary keys. However, this can be easily solved by forcing PGen to output the exponents of those group elements as part of a primary signing key.
Instantiation of $(\gamma_p, \gamma_s)$-SP-TT-AKS. Now we give an instantiation of $(\gamma_p, \gamma_s)$-SP-TT-AKS satisfying UF-TT-CMA security under the $\mathcal{U}_k$-MDDH assumptions. This signature scheme is the same as the SP two-tier signature scheme in [32] except that PGen and SGen additionally generate the auxiliary keys, and SGen additionally takes as input the primary auxiliary key. For this instantiation, the bijections $(\gamma_p, \gamma_s)$ are defined by $\gamma_p(X) = [X]_2 \in \mathbb{G}_2^{n\times k} \times \mathbb{G}_2^{(k+1)\times k}$ and $\gamma_s(x) = [x]_2 \in \mathbb{G}_2^{1\times k}$ respectively, for some fixed integer $n$ which denotes the length of a message.


Setup($1^\lambda$):
  $par = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, [1]_1, [1]_2) \leftarrow \mathcal{G}(1^\lambda)$.
  For a preliminarily fixed $n \in \mathbb{N}$, define $\mathcal{M} = \mathbb{Z}_p^n$, $\mathcal{M}^\gamma = \mathbb{G}_1^n$,
  $\mathcal{V} = \mathbb{Z}_p^{n\times k} \times \mathbb{Z}_p^{(k+1)\times k}$, $\mathcal{V}^\gamma = \mathbb{G}_2^{n\times k} \times \mathbb{G}_2^{(k+1)\times k}$,
  $\mathcal{S} = \mathbb{Z}_p^{1\times k}$, and $\mathcal{S}^\gamma = \mathbb{G}_2^{1\times k}$.
  Define $\gamma_p$ by $\gamma_p(X) = [X]_2 \in \mathbb{G}_2^{n\times k} \times \mathbb{G}_2^{(k+1)\times k}$ and $\gamma_s$ by $\gamma_s(x) = [x]_2 \in \mathbb{G}_2^{1\times k}$.
  Return $par$.

PGen($par$):
  $A \leftarrow \mathcal{U}_k$, $K' \leftarrow \mathbb{Z}_p^{n\times(k+1)}$, $C' = K'A \in \mathbb{Z}_p^{n\times k}$.
  $Ppk = ([C']_2, [A]_2)$, $Psk = K'$, $Pak = (C', A)$.
  Return $(Ppk, Psk)$ and $Pak$.

AKPGen($par, Pak$):
  Parse $Pak = (C', A)$.
  Let $A = \begin{pmatrix} \bar{A} \\ \underline{a}^{\top} \end{pmatrix}$, where $\bar{A} \in \mathbb{Z}_p^{k\times k}$ and $\underline{a} \in \mathbb{Z}_p^{k}$.
  $\mathbf{k}' \leftarrow \mathbb{Z}_p^{n}$, $\bar{K}' = (C' - \mathbf{k}'\underline{a}^{\top})\bar{A}^{-1} \in \mathbb{Z}_p^{n\times k}$, $K' = (\bar{K}', \mathbf{k}') \in \mathbb{Z}_p^{n\times(k+1)}$.
  $Ppk = ([C']_2, [A]_2)$, $Psk = K'$, $Pak = (C', A)$.
  Return $(Ppk, Psk)$ and $Pak$.

SGen($Ppk, Psk, Pak$):
  $\mathbf{k} \leftarrow \mathbb{Z}_p^{k+1}$, $c = \mathbf{k}^{\top}A \in \mathbb{Z}_p^{1\times k}$.
  $opk = [c]_2$, $osk = \mathbf{k}$, $oak = c$.
  Return $(opk, osk)$ and $oak$.

AKSGen($Ppk, Psk, Pak, oak$):
  Parse $Ppk = ([C']_2, [A]_2)$, $Psk = K'$, $Pak = (C', A)$, and $oak = c$.
  Let $A = \begin{pmatrix} \bar{A} \\ \underline{a}^{\top} \end{pmatrix}$. $k \leftarrow \mathbb{Z}_p$, $\bar{\mathbf{k}}^{\top} = (c - k\underline{a}^{\top})\bar{A}^{-1}$, $\mathbf{k}^{\top} = (\bar{\mathbf{k}}^{\top}, k)$.
  $opk = [c]_2$, $osk = \mathbf{k}$, $oak = c$.
  Return $(opk, osk)$ and $oak$.

TTSign($Psk, osk, [m]_1$):
  $K = (\mathbf{k}, K'^{\top})^{\top}$.
  Return $\sigma = [(1, m^{\top})]_1 K \in \mathbb{G}_1^{1\times(k+1)}$.

TTVerify($Ppk, opk, [m]_1, \sigma$):
  $[C]_2 = ([c]_2^{\top}, [C']_2^{\top})^{\top}$.
  Return 1 if $e(\sigma, [A]_2) = e([(1, m^{\top})]_1, [C]_2)$.
  Return 0 otherwise.

Fig. 4. A UF-TT-CMA secure $(\gamma_p, \gamma_s)$-SP-TT-AKS scheme adapted from [32, Sect. 6.1].


Theorem 5. The instantiation described in Fig. 4 satisfies the random primary and secondary auxiliary key properties.

The proof follows from the fact that when the distributions of $C'$ and $c$ are uniform, the distributions of $\bar{K}' = (C' - \mathbf{k}'\underline{a}^{\top})\bar{A}^{-1}$ and $\bar{\mathbf{k}}^{\top} = (c - k\underline{a}^{\top})\bar{A}^{-1}$ are uniform as well. We give the proof of Theorem 5 in the full paper due to the page limitation.
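The following Python is an added illustration of AKGen (Fig. 3) and of AKPGen/AKSGen (Fig. 4); it is not code from the paper or from [31,32]. It uses an exponent-level model in which every group element is stored as its discrete logarithm in $\mathbb{Z}_p$ and a pairing becomes a product mod $p$, so each PPE is the matrix identity it encodes; `P` is a constructed toy prime, and the model is insecure by construction, serving only to check the linear algebra. The single routine `akgen` implements the trick shared by both figures: split $A = (\bar{A}; \underline{a}^{\top})$, pick a uniform column $\mathbf{k}$, and output $K = ((C - \mathbf{k}\underline{a}^{\top})\bar{A}^{-1}, \mathbf{k})$, which satisfies $KA = C$ for any number of rows of $C$, so the same function yields AKGen for $C \in \mathbb{Z}_p^{(n+1)\times k}$, AKPGen for $C' \in \mathbb{Z}_p^{n\times k}$, and AKSGen for a single row $c$. The `demo` function runs it on uniformly chosen auxiliary keys, as the AKGenO and AKSGenO experiments do, and checks that the regenerated keys sign and verify exactly like honestly generated ones. All function names are the example's own.

```python
"""Auxiliary-key generation of Fig. 3 (AKGen) and Fig. 4 (AKPGen/AKSGen) at the exponent
level (added example, not the paper's code). Group elements are stored as their discrete
logs in Z_p, so e([X]_1,[Y]_2) is X*Y mod p and every PPE is the matrix identity it
encodes. Insecure by construction; it only checks the linear algebra."""
import secrets

P = 2**61 - 1  # constructed toy modulus (a prime); stands in for the group order p

def rand_mat(rows, cols):
    return [[secrets.randbelow(P) for _ in range(cols)] for _ in range(rows)]

def mat_mul(X, Y):
    assert len(X[0]) == len(Y), "dimension mismatch"
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]

def mat_sub(X, Y):
    return [[(x - y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mat_inv(M):
    """Gauss-Jordan inverse over Z_p; raises ValueError if M is singular."""
    n = len(M)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((i for i in range(col, n) if aug[i][col]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for i in range(n):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[col])]
    return [row[n:] for row in aug]

def akgen(C, A):
    """From ak = (C, A) with A in Z_p^{(k+1) x k}, build K with K*A = C.
    Split A = (A_bar ; a_low^T), A_bar the top k x k block.  For a uniform column k_vec,
    K_bar = (C - k_vec a_low^T) A_bar^{-1} and K = (K_bar | k_vec) give
    K*A = K_bar*A_bar + k_vec*a_low^T = C.  With n+1 rows this is AKGen of Fig. 3, with
    n rows AKPGen of Fig. 4, and with a single row c it is AKSGen of Fig. 4."""
    k = len(A[0])
    A_bar, a_low = A[:k], [A[k]]
    k_vec = rand_mat(len(C), 1)
    K_bar = mat_mul(mat_sub(C, mat_mul(k_vec, a_low)), mat_inv(A_bar))
    return [kb + kc for kb, kc in zip(K_bar, k_vec)]

def aks_gen(n, k):
    """Gen(par) of Fig. 3: returns (pk, sk, ak) with the exponents of pk kept as ak."""
    A = rand_mat(k + 1, k)                      # A <- U_k (A_bar invertible w.o.p.)
    K = rand_mat(n + 1, k + 1)
    C = mat_mul(K, A)
    return (C, A), K, (C, A)

def aks_sign(K, m):
    return mat_mul([[1] + [x % P for x in m]], K)             # [(1, m^T)]_1 K

def aks_verify(pk, m, sigma):
    C, A = pk
    return mat_mul(sigma, A) == mat_mul([[1] + [x % P for x in m]], C)

def tt_sign(K_prime, k_row, m):
    """TTSign of Fig. 4: K = (k ; K') stacks the secondary key row on top of K'."""
    return mat_mul([[1] + [x % P for x in m]], [k_row] + K_prime)

def tt_verify(Ppk, c, m, sigma):
    """TTVerify of Fig. 4 with opk = [c]_2 and [C]_2 = ([c]_2 ; [C']_2)."""
    C_prime, A = Ppk
    return mat_mul(sigma, A) == mat_mul([[1] + [x % P for x in m]], [c] + C_prime)

def demo(n=2, k=2):
    """Regenerate signing keys from *uniform* auxiliary keys (the AKGenO/AKSGenO
    experiments) and check they sign and verify exactly like honest ones."""
    (C, A), K, _ak = aks_gen(n, k)
    m = [secrets.randbelow(P) for _ in range(n)]                  # constructed message
    C_unif = rand_mat(n + 1, k)                                   # ak <- V, uniform
    K_unif = akgen(C_unif, A)
    K_prime = rand_mat(n, k + 1)                                  # PGen: Psk = K'
    C_prime = mat_mul(K_prime, A)
    c = rand_mat(1, k)                                            # oak <- S, uniform
    k_row = akgen(c, A)[0]                                        # AKSGen: osk = k
    return (aks_verify((C, A), m, aks_sign(K, m)),
            mat_mul(K_unif, A) == C_unif and aks_verify((C_unif, A), m, aks_sign(K_unif, m)),
            mat_mul([k_row], A) == c and tt_verify((C_prime, A), c[0], m, tt_sign(K_prime, k_row, m)))
```

`mat_inv` raises if $\bar{A}$ is singular, which for $A \leftarrow \mathcal{U}_k$ happens only with probability about $1/p$; an implementation would resample $A$ in that case. The uniformity statement behind Theorems 4 and 5 is visible in `akgen`: for fixed $A$ the map $C \mapsto (C - \mathbf{k}\underline{a}^{\top})\bar{A}^{-1}$ is a bijection on $\mathbb{Z}_p^{\mathrm{rows}\times k}$, so a uniform $C$ gives a uniform $\bar{K}$.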

5 Generic Constructions of Fully Structure-Preserving 
Signatures (and Fully Automorphic Signatures) 

In this section, we give generic constructions of FSPSs and FASs from SKSP-TSs and (TT-)AKSs. Such constructions can be derived from SPSs that are based on various assumptions and with different efficiency performance. In Sects. 5.1, 5.2, and 5.3, we give three generic constructions of UF-CMA secure FSPS schemes respectively. The first two constructions are based on SKSP-TSs and SP-AKSs, and the third one is based on SKSP-TSs and SP-TT-AKSs.


5.1 Generic Construction Sig x : Trapdoor Signature + Signature 
with Auxiliary Key 

We give a generic construction of FSPSs (and FASs) based on a $\gamma$-SKSP-TS scheme and a $\gamma'$-SP-AKS scheme, where $\gamma$ and $\gamma'$ satisfy a suitable compatibility that we explain shortly.

Let $\Sigma_t$ = (Setup, Gen, Sign, Verify, TDSign, VerifySK) be a $\gamma$-SKSP-TS scheme with message spaces $\mathcal{M}$ and $\mathcal{M}^\gamma$, and $\Sigma_s$ = (Setup, $\mathsf{Gen}'$, $\mathsf{Sign}'$, $\mathsf{Verify}'$)¹³ a $\gamma'$-SP-AKS scheme with verification key space $\mathcal{M}^\gamma$, auxiliary key space $\mathcal{M}$, and message space $\mathcal{M}'$, where $\gamma'(x) = \gamma(x)$. Then the generic construction of FSPS denoted by $\mathsf{Sig}_1$ = (Setup, Gen, Sign, Verify, VerifySK) with message space $\mathcal{M}'$ is described in Fig. 5.


Setup($1^\lambda$):
  Run $par \leftarrow \mathsf{Setup}(1^\lambda)$.
  Determine the message spaces $\mathcal{M}$ and $\mathcal{M}^\gamma$ for $\Sigma_t$.
  Define $\gamma : \mathcal{M} \to \mathcal{M}^\gamma$.
  Determine the message space $\mathcal{M}'$, verification key space $\mathcal{M}^\gamma$, and auxiliary key space $\mathcal{M}$ for $\Sigma_s$.
  Define $\gamma' : \mathcal{M} \to \mathcal{M}^\gamma$ where $\gamma'(x) = \gamma(x)$.
  Return $par$.

Gen($par$):
  $((pk, sk), tk) \leftarrow \mathsf{Gen}(par)$.
  Return $(pk, sk)$.

Sign($sk, M$):
  $((pk', sk'), ak') \leftarrow \mathsf{Gen}'(par)$.
  $\sigma_1 \leftarrow \mathsf{Sign}(sk, ak')$.
  $\sigma_2 = pk'$.
  $\sigma_3 \leftarrow \mathsf{Sign}'(sk', M)$.
  Return $\sigma = (\sigma_1, \sigma_2, \sigma_3)$.

Verify($pk, M, \sigma$):
  Parse $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ and $\sigma_2 = pk'$.
  Return 1 if $\mathsf{Verify}(pk, \sigma_2, \sigma_1) = 1$ and $\mathsf{Verify}'(pk', M, \sigma_3) = 1$.
  Return 0 otherwise.

VerifySK($pk, sk$):
  Return 1 if $\mathsf{VerifySK}(pk, sk) = 1$.
  Return 0 otherwise.

Fig. 5. Generic construction $\mathsf{Sig}_1$: TS + AKS (UF-otCMA).


Next we give a theorem for this generic construction.

Theorem 6. If $\Sigma_t$ is a UF-CMA secure SKSP-TS scheme, and $\Sigma_s$ a UF-otCMA secure SP-AKS scheme, then $\mathsf{Sig}_1$ = (Setup, Gen, Sign, Verify, VerifySK) is a UF-CMA secure FSPS scheme.

Proof sketch. The proof of Theorem 6 follows from the fact that if there exists a PPT adversary $\mathcal{A}$ that outputs a successful forgery $(\sigma_1^*, \sigma_2^*, \sigma_3^*)$, where $\sigma_2^*$ was not queried before (respectively, was queried before), with non-negligible probability, then we can construct a PPT adversary $\mathcal{B}_1$ (respectively, $\mathcal{B}_2$) that breaks the UF-CMA security of $\Sigma_t$ (respectively, the UF-otCMA security of $\Sigma_s$). Note that to answer a query from $\mathcal{A}$, $\mathcal{B}_2$ may have to use the signing key of $\Sigma_t$ to sign an auxiliary key $ak'$ of $\Sigma_s$, while it only learns the corresponding verification key $pk'$ from the challenger. In this case, it signs $pk'$ by using the trapdoor key of $\Sigma_t$ instead. According to the correctness of a TS scheme, $\mathcal{A}$ cannot distinguish such a signature from an honestly generated one, which means that $\mathcal{B}_2$ can perfectly simulate the signing oracle of $\mathcal{A}$. We refer the reader to the full paper for the proof.

¹³ As in [5], we assume that $\Sigma_t$ and $\Sigma_s$ share the common setup algorithm Setup.

UF-RMA secure TSs + UF-otCMA secure AKSs. Now we give another theorem showing that for the generic construction in Fig. 5, the security of the TS scheme can be weakened to UF-RMA security if the AKS scheme satisfies the random auxiliary key property.

Theorem 7. If $\Sigma_t$ is a UF-RMA secure SKSP-TS scheme, and $\Sigma_s$ a UF-otCMA secure SP-AKS scheme satisfying the random auxiliary key property, then $\mathsf{Sig}_1$ = (Setup, Gen, Sign, Verify, VerifySK) is a UF-CMA secure FSPS scheme.

Proof sketch. The proof sketch of Theorem 7 is the same as that of Theorem 6 except that $\mathcal{B}_1$ is against the UF-RMA security of $\Sigma_t$ instead of the UF-CMA security. To answer a query from $\mathcal{A}$, $\mathcal{B}_1$ makes a query to the signing oracle of $\Sigma_t$ to obtain a randomly chosen auxiliary key $ak'$ and the corresponding signature $\sigma_1$. Then $\mathcal{B}_1$ runs the additional algorithm AKGen (defined in Definition 13) on input $(par, ak')$ to generate a verification/signing key pair $(pk', sk')$, which is indistinguishable from an honestly generated one according to the random auxiliary key property. Then it lets $pk'$ be $\sigma_2$ and uses $sk'$ to sign the message. We refer the reader to the full paper for the proof of Theorem 7.

Instantiations of $\mathsf{Sig}_1$. By combining the UF-CMA (respectively, UF-otRMA) secure TS scheme in Fig. 1 (respectively, Fig. 2) with the UF-otCMA secure AKS scheme in Fig. 3 (where $\mathbb{G}_1$ and $\mathbb{G}_2$ are swapped), we obtain an FSPS scheme satisfying UF-CMA (respectively, UF-otCMA) security. We refer the reader to the full paper for the resulting signature schemes.

Furthermore, by converting other previously proposed SPSs into SKSP-TSs and SP-AKSs, we obtain various FSPSs. We list some of them in Table 3 in Sect. 6.

5.2 Variation of $\mathsf{Sig}_1$: Trapdoor Signature + Signature with Auxiliary Key (UF-CMA)

Now we give a variation of the generic construction in Fig. 5 by letting $\Sigma_s$ be a UF-CMA secure SP-AKS scheme and signing $n$ message blocks with one signing key. Each block is signed together with an element indicating its index. This change reduces the signature and verification key sizes from $O(n^2)$ to $O(n)$ when signing $n^2$ group elements.

Let $\Sigma_t$ = (Setup, Gen, Sign, Verify, TDSign, VerifySK) be a $\gamma$-SKSP-TS scheme with message spaces $\mathcal{M}$ and $\mathcal{M}^\gamma$, and $\Sigma_s$ = (Setup, $\mathsf{Gen}'$, $\mathsf{Sign}'$, $\mathsf{Verify}'$)¹⁴ a $\gamma$-SP-AKS scheme with verification key space $\mathcal{M}^\gamma$, auxiliary key space $\mathcal{M}$, and message space $\mathcal{M}' \times \mathcal{M}_I$, where $\mathcal{M}_I$ is the space of the elements indicating the indices of blocks. Then the generic construction of FSPS denoted by $\mathsf{Sig}_1^*$ = (Setup, Gen, Sign, Verify, VerifySK) with message space $\mathcal{M}'^n$, where $n$ is some fixed integer, is described in Fig. 6.


Setup($1^\lambda$):
  Run $par \leftarrow \mathsf{Setup}(1^\lambda)$.
  Determine the message spaces $\mathcal{M}$ and $\mathcal{M}^\gamma$ for $\Sigma_t$.
  Determine the message space $\mathcal{M}' \times \mathcal{M}_I$, verification key space $\mathcal{M}^\gamma$, and auxiliary key space $\mathcal{M}$ for $\Sigma_s$.
  Define $\gamma : \mathcal{M} \to \mathcal{M}^\gamma$.
  Return $par$.

Gen($par$):
  $((pk, sk), tk) \leftarrow \mathsf{Gen}(par)$.
  Return $(pk, sk)$.

Sign($sk, M$):
  Parse $M = (M_1, \ldots, M_n) \in \mathcal{M}'^n$.
  $((pk', sk'), ak') \leftarrow \mathsf{Gen}'(par)$.
  $\sigma_1 \leftarrow \mathsf{Sign}(sk, ak')$. $\sigma_2 = pk'$.
  $\sigma_{3i} \leftarrow \mathsf{Sign}'(sk', (M_i, I(i)))$ where $I(i) \in \mathcal{M}_I$, for $i = 1, \ldots, n$.
  $\sigma_3 = (\sigma_{31}, \ldots, \sigma_{3n})$.
  Return $\sigma = (\sigma_1, \sigma_2, \sigma_3)$.

Verify($pk, M, \sigma$):
  Parse $M = (M_1, \ldots, M_n) \in \mathcal{M}'^n$ and $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ with $\sigma_2 = pk'$.
  Return 1 if $\mathsf{Verify}(pk, \sigma_2, \sigma_1) = 1$ and $\mathsf{Verify}'(pk', (M_i, I(i)), \sigma_{3i}) = 1$ for all $i$.
  Return 0 otherwise.

VerifySK($pk, sk$):
  Return 1 if $\mathsf{VerifySK}(pk, sk) = 1$.
  Return 0 otherwise.

Fig. 6. Generic construction $\mathsf{Sig}_1^*$: TS + AKS (UF-CMA).


For this generic construction, the following two theorems hold.

Theorem 8. If $\Sigma_t$ is a UF-CMA secure SKSP-TS scheme, and $\Sigma_s$ a UF-CMA secure SP-AKS scheme, then $\mathsf{Sig}_1^*$ = (Setup, Gen, Sign, Verify, VerifySK) is a UF-CMA secure FSPS scheme.

Theorem 9. If $\Sigma_t$ is a UF-RMA secure SKSP-TS scheme, and $\Sigma_s$ a UF-CMA secure SP-AKS scheme satisfying the random auxiliary key property, then $\mathsf{Sig}_1^*$ = (Setup, Gen, Sign, Verify, VerifySK) is a UF-CMA secure FSPS scheme.

We omit the proofs of Theorems 8 and 9 since they are similar to the proofs of Theorems 6 and 7, respectively. We list several instantiations of $\mathsf{Sig}_1^*$ in Table 3 in Sect. 6. Most of them achieve better efficiency than the instantiations obtained from $\mathsf{Sig}_1$, and are automorphic.


5.3 Generic Construction $\mathsf{Sig}_2$: Trapdoor Signature + Two-Tier Signature with Auxiliary Keys

In this section, we give another generic construction of FSPS which provides us with FSPSs and FASs based on standard assumptions that have shorter verification keys and signatures.

Let $\Sigma_t$ = (Setup, Gen, Sign, Verify, TDSign, VerifySK) be a $\gamma$-TS scheme with message spaces $\mathcal{M}_p \times \mathcal{M}_s^n$ and $\mathcal{M}^{\gamma_p} \times (\mathcal{M}^{\gamma_s})^n$, and $\Sigma_s$ = (Setup, PGen, SGen, TTSign, TTVerify)¹⁵ a $(\gamma_p, \gamma_s)$-TT-AKS with primary/secondary verification key spaces $\mathcal{M}^{\gamma_p}$/$\mathcal{M}^{\gamma_s}$, primary/secondary auxiliary key spaces $\mathcal{M}_p$/$\mathcal{M}_s$, and message space $\mathcal{M}'$, where $n$ is some fixed integer and $(\gamma_p(x_1), \gamma_s(x_2), \ldots, \gamma_s(x_{n+1})) = \gamma(x_1, x_2, \ldots, x_{n+1})$. The generic construction of FSPS denoted by $\mathsf{Sig}_2$ = (Setup, Gen, Sign, Verify, VerifySK) with message space $\mathcal{M}'^n$ is described in Fig. 7.


Setup(1^λ):
  Run par ← Setup(1^λ).
  Determine the message spaces M_p × M_s^n and M'_p × M'_s^n for Σ_t.
  Define γ: M_p × M_s^n → M'_p × M'_s^n.
  Determine the message space M'^n, primary verification key space M'_p,
  secondary verification key space M'_s, primary auxiliary key space M_p,
  and secondary auxiliary key space M_s for Σ_s.
  Define γ_p: M_p → M'_p and γ_s: M_s → M'_s where
  (γ_p(x_1), γ_s(x_2), ..., γ_s(x_{n+1})) = γ(x_1, x_2, ..., x_{n+1}).
  Return public parameter par.

Gen(par):
  ((pk, sk), tk) ← Gen(par).
  Return (pk, sk).

VerifySK(pk, sk):
  Return 1 if VerifySK(pk, sk) = 1.
  Return 0 otherwise.

Sign(sk, M):
  Parse M = (M_1, ..., M_n) ∈ M'^n.
  ((Ppk, Psk), Pak) ← PGen(par).
  ((opk_i, osk_i), oak_i) ← SGen(Ppk, Psk, Pak) for i = 1, ..., n.
  σ_1 ← Sign(sk, (Pak, oak_1, ..., oak_n)).
  σ_2 = (Ppk, opk_1, ..., opk_n).
  σ_{3i} ← TTSign(Psk, osk_i, M_i) for i = 1, ..., n.
  σ_3 = (σ_{31}, ..., σ_{3n}).
  Return σ = (σ_1, σ_2, σ_3).

Verify(pk, M, σ):
  Parse M = (M_1, ..., M_n) ∈ M'^n and σ = (σ_1, σ_2, σ_3).
  Return 1 if Verify(pk, σ_2, σ_1) = 1
  and TTVerify(Ppk, opk_i, M_i, σ_{3i}) = 1 for all i.
  Return 0 otherwise.


Fig. 7. Generic construction Sig_2: TS + TT-AKS.


For this generic construction, the following two theorems hold.

Theorem 10. If Σ_t is a UF-CMA secure SKSP-TS scheme, and Σ_s a UF-TT-CMA
secure SP-TT-AKS scheme, then Sig_2 = (Setup, Gen, Sign, Verify, VerifySK)
is a UF-CMA secure FSPS scheme.

Theorem 11. If Σ_t is a UF-RMA secure SKSP-TS scheme, and Σ_s a UF-TT-CMA
secure SP-TT-AKS scheme satisfying the random primary and secondary
auxiliary key properties, then Sig_2 = (Setup, Gen, Sign, Verify, VerifySK)
is a UF-CMA secure FSPS scheme.

The proofs of Theorems 10 and 11 are similar to the proofs of Theorems 6
and 7, respectively. We give them in the full paper.

Instantiations of Sig_2. By combining the UF-CMA (respectively, UF-otRMA)
secure TS scheme in Fig. 1 (respectively, Fig. 2) with the UF-TT-CMA secure
AKS scheme in Fig. 4 (where G_1 and G_2 are swapped), we obtain an FSPS
scheme satisfying UF-CMA (respectively, UF-otCMA) security. We refer the
reader to the full paper for the resulting signature schemes. Furthermore, we
list several instantiations of Sig_2 in Table 3, Sect. 6.

6 Instantiations

In this section, we give several instantiations derived from our generic
constructions, which are summarized in Table 3. For notational convenience, we
denote these schemes as (A), (B), (C), (D), (E), (F), (G), (H), (I) (see the
first column of Table 3), respectively. Many of these instantiations are FAS
schemes.^16 It is not hard to see that typically, when signing n^2 group
elements, Sig_1 needs O(n^2) verification/signature key elements and O(1)
PPEs,^17 while Sig_1^* and Sig_2 need O(n) verification/signature key elements
and PPEs.

Besides the UF-CMA secure FSPS schemes in Table 3, we give several UF-otCMA
instantiations derived from our generic constructions, which have relatively
better efficiency. We refer the reader to the full paper for details.

In Sects. 6.1, 6.2, and 6.3, we give remarks on the instantiations of Sig_1,
Sig_1^*, and Sig_2, respectively. Due to page limitation, we refer the reader
to the full paper for signing key sizes and numbers of pairings required in
verification.

6.1 Sig_1: SKSP-TS + SP-AKS

We give parameters of three instantiations for Sig_1, which are (A), (B), and
(C). In particular, (B) is an FSPS scheme in the type I bilinear map and (C)
is an FSPS scheme in the generic group model.

The verification key size |pk| of (C) is (n_1, 0) < (n_1^2, 0), which makes it
automorphic, while its efficiency (considering public parameter size, signature
size, and verification cost) is very close to (G) (i.e., the FSPS scheme in
[28]). As far as we know, (C) is the most efficient FAS scheme by now. Note
that if we follow the definition of basic signatures in [3], which allows no
trusted setup except for bilinear group generation, then (C) is not
automorphic, and the most efficient FAS scheme becomes (F) in Table 3.

6.2 Sig_1^*: SKSP-TS + SP-AKS (UF-CMA)

We give parameters of two instantiations for Sig_1^*, which are (D) and (E),
where (E) is in the type I bilinear map. Both of them are automorphic.

It is obvious that most instantiations derived from Sig_1 have verification
key and signature sizes linear in the message size, which makes them less
efficient and not automorphic (since verification keys have larger size than
messages). However, as shown in Table 3, as a variation of Sig_1, Sig_1^*
allows us to obtain FSPSs with shorter signatures and verification keys if the
underlying SP-AKS scheme is UF-CMA secure. This fact shows that many existing
SPSs imply the existence of a corresponding efficient FSPS scheme since any
well-formed SPS scheme (respectively, SPS scheme with an algebraic key
generation algorithm) can be converted into an SKSP-TS (respectively, SP-AKS)
scheme.

^16 It is not hard to see that FAS schemes in Table 3 may lose the automorphic
property when n_1 (or n_2 or n) is an extremely small number. Furthermore,
when k (which is independent of the message size) is a large number, the
message size has to be made reasonably large to keep the automorphic property.

^17 There may be exceptions, e.g., (C) in Table 3.


Table 3. Previously proposed FSPSs and FSPSs derived from our work. "Const."
is short for "Construction" and "Auto." is short for "Automorphic". We use
"(A): KPW15 [31] (CMA) + KPW15 [31] (otCMA)" to denote that the underlying TS
(respectively, AKS) scheme of (A) is adapted from the UF-CMA secure
(respectively, UF-otCMA secure) SPS scheme in [31]. We use the same argument
for others except that the three FSPSs in the top denote the ones proposed in
[5,28]. Especially, "ADK+13 [2] (TT(TOS))" denotes the tagged one-time
signature scheme in [2]. Notation (x, y) denotes x elements in G_1 and y
elements in G_2. As noted in Introduction, we do not count the two generators
in the bilinear groups in the parameters. The "Parameter" columns give the
number of group elements for |m|, |pk| + |par| and |σ|, and the number of
PPEs.

Const. | Auto. | Assumption | |m| | |pk| + |par| | |σ| | # PPE
AKO+15 [5], Generic construction 1 | ✗ | SXDH, XDLIN | (n_1, 0) | (n_1^2 + 5, n_1^2 + 11) | (7, 3n_1 + 7) | 2n_1 + 7
AKO+15 [5], Generic construction 2 | ✗ | SXDH, XDLIN | (n_1, 0) | (6n_1 + 13, 4) | (2n_1 + 4, 2n_1 + 7) | n_1 + 5
Gro15 [28], FSPS scheme | ✗ | Generic | (n_1^2, 0) | (2n_1 - 1, 1) | (n_1 + 1, n_1) | n_1 + 1
(A): KPW15 [31] (CMA) + KPW15 [31] (otCMA), Sig_1 | ✗ | D_k-MDDH (G_1, G_2) | (n_1, 0) | ((n_1 k + 3k + 3 + RE(D_k))k + RE(D_k), 0) | (k + 2, (n_1 + 4)k + 3 + RE(D_k)) | 3k + 1
(B): ADK+13 [2] (CMA) + ADK+13 [2] (CMA), Sig_1 | ✗ | 2-Lin (G_1 = G_2) | n^2 | 4n^2 + 60 | 2n^2 + 48 | 14
(C): Gro15 [28] (CMA) + Gro15 [28] (CMA), Sig_1 | ✓ | Generic | (n_1^2, 0) | (2n_1, 1) | (n_1 + 2, n_1 + 3) | n_1 + 3
(D): KPW15 [31] (CMA) + KPW15 [31] (CMA), Sig_1^* | ✓ | D_k-MDDH (G_1, G_2) | (n_1^2, 0) | ((n_1 k + 2k^2 + 6k + 3 + RE(D_k))k + RE(D_k), 0) | (3n_1 k + 3n_1 + 1, (n_1 + 2k + 7)k + n_1 + 3 + RE(D_k)) | (2k + 1)(n_1 + 1)
(E): ADK+13 [2] (CMA) + ADK+13 [2] (CMA), Sig_1^* | ✓ | 2-Lin (G_1 = G_2) | n^2 | 4n + 64 | 16n + 36 | 7(n + 1)
(F): KPW15 [31] (CMA) + KPW15 [32] (TT), Sig_2 | ✓ | D_k-MDDH (G_1, G_2) | (n_1^2, 0) | ((2n_1 k + 2k + 3 + RE(D_k))k + RE(D_k), 0) | ((k + 1)n_1 + 1, 2n_1 k + 3k + 3 + RE(D_k)) | kn_1 + 2k + 1
(G): KPW15 [31] (CMA) + KPW15 [32] (TT) (bilateral), Sig_2 | ✓ | D_k-MDDH (G_1, G_2) | (n_1^2, n_2^2) | ((2n_1 k + 3k + 3 + RE(D_k))k + RE(D_k), (2n_2 k + RE(D_k))k + RE(D_k)) | ((k + 1)n_1 + 2n_2 k + k + 2 + RE(D_k), (k + 1)n_2 + 2n_1 k + 4k + 3 + RE(D_k)) | k(n_1 + n_2) + 3k + 1
(H): ADK+13 [2] (CMA) + ADK+13 [2] (TT(TOS)), Sig_2 | ✓ | 2-Lin (G_1 = G_2) | n^2 | 6n + 30 | 6n + 12 | 2n + 7
(I): ACD+12 [1] (CMA) + ACD+12 [1] (TT), Sig_2 | ✗ | SXDH, XDLIN | (n_1, 0) | (2n_1 + 14, 7) | (2n_1 + 4, 2n_1 + 8) | n_1 + 4


6.3 Sig_2: SKSP-TS + SP-TT-AKS

We give parameters of four instantiations for Sig_2, which are (F), (G), (H),
and (I), where (H) is in the type I bilinear map. The only one that is not
automorphic among them is (I). Here, (G) is achieved by using a UF-CMA secure
SKSP-TS scheme to sign auxiliary keys of two SP-TT-AKS schemes with
verification keys consisting of elements in G_1 and G_2 respectively, and (H)
is achieved by using a SKSP-TS scheme to sign auxiliary keys of the tag-based
one-time signature scheme in [2]. Tag-based one-time signatures can be treated
as a special case of two-tier signatures where secondary signing keys are the
same as secondary verification keys.

For k = 1 (SXDH), we have (|m|, |pk| + |par|, |σ|, #PPEs) = (n_1^2, 2n_1 + 7,
4n_1 + 8, n_1 + 3) in (F), while the most efficient instantiation given in [5]
achieves (|m|, |pk| + |par|, |σ|, #PPEs) = (n_1, 6n_1 + 17, 4n_1 + 11, n_1 + 5)
and is not automorphic. Furthermore, by sacrificing efficiency, (F) can be
based on weaker assumptions.

(G) achieves (|m|, |pk| + |par|, |σ|, #PPEs) = ((n_1^2, n_2^2), 2n_1 + 2n_2 +
10, 4n_1 + 4n_2 + 12, n_1 + n_2 + 4) for k = 1 (SXDH), which has the shortest
verification key size, signature size, and lowest cost in verification among
all FSPS and FAS schemes with a bilateral message space based on standard
assumptions by now, as far as we know.

(H) is the most efficient FSPS and FAS scheme in the type I bilinear map,
as far as we know.
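The k = 1 totals quoted above for (F) and (G) follow from the closed-form entries of Table 3 once RE(D_k) is fixed. The following Python snippet is an illustration added for this edition, not code from the paper: it encodes the Table 3 entries for (F) and (G) as functions of (n_1, n_2, k, RE(D_k)) and checks them against the totals stated in this section. It takes RE(D_1) = 1 as an assumption for the SXDH check (the value under which the table entries reproduce the quoted numbers); the function and parameter names are the snippet's own.

```python
"""Parameter counts of the Sig_2 instantiations (F) and (G) from Table 3.

Added example for this edition, not code from the paper. The closed-form
Table 3 entries are encoded as functions of (n1, n2, k, re), where `re`
stands for RE(D_k), and compared with the k = 1 (SXDH) totals quoted in
Sect. 6.3. Assumption: RE(D_1) = 1 for the SXDH check.
"""
from typing import NamedTuple, Tuple


class Params(NamedTuple):
    """Element counts as (elements in G1, elements in G2), plus the PPE count."""
    pk_par: Tuple[int, int]   # |pk| + |par|
    sig: Tuple[int, int]      # |sigma|
    ppe: int                  # number of pairing-product equations in Verify


def params_F(n1: int, k: int, re: int) -> Params:
    """Row (F): KPW15 (CMA) TS + KPW15 (TT) two-tier AKS, unilateral messages."""
    return Params(
        pk_par=((2 * n1 * k + 2 * k + 3 + re) * k + re, 0),
        sig=((k + 1) * n1 + 1, 2 * n1 * k + 3 * k + 3 + re),
        ppe=k * n1 + 2 * k + 1,
    )


def params_G(n1: int, n2: int, k: int, re: int) -> Params:
    """Row (G): one TS signing the auxiliary keys of two TT-AKS schemes, one per group."""
    return Params(
        pk_par=((2 * n1 * k + 3 * k + 3 + re) * k + re,
                (2 * n2 * k + re) * k + re),
        sig=((k + 1) * n1 + 2 * n2 * k + k + 2 + re,
             (k + 1) * n2 + 2 * n1 * k + 4 * k + 3 + re),
        ppe=k * (n1 + n2) + 3 * k + 1,
    )


def totals(p: Params) -> Tuple[int, int, int]:
    """Collapse (G1, G2) pairs into the (|pk|+|par|, |sigma|, #PPE) totals used in Sect. 6.3."""
    return (sum(p.pk_par), sum(p.sig), p.ppe)


def sxdh_claims_hold(n1: int, n2: int) -> bool:
    """Check the k = 1 totals stated in Sect. 6.3 for (F) and (G) under RE(D_1) = 1."""
    f_ok = totals(params_F(n1, k=1, re=1)) == (2 * n1 + 7, 4 * n1 + 8, n1 + 3)
    g_ok = totals(params_G(n1, n2, k=1, re=1)) == (
        2 * n1 + 2 * n2 + 10, 4 * n1 + 4 * n2 + 12, n1 + n2 + 4)
    return f_ok and g_ok


def ako15_baseline(n1: int) -> Tuple[int, int, int]:
    """Totals quoted in Sect. 6.3 for the most efficient scheme of [5] (Generic construction 2)."""
    return (6 * n1 + 17, 4 * n1 + 11, n1 + 5)


if __name__ == "__main__":
    # Compare (F) under SXDH with the [5] baseline for a few message dimensions.
    for n1 in (4, 8, 16):
        print("n1 =", n1, "(F):", totals(params_F(n1, 1, 1)),
              "[5]:", ako15_baseline(n1), "claims hold:", sxdh_claims_hold(n1, n1))
```

Note that the Sig_2 instantiations sign n_1^2 elements with keys and signatures linear in n_1, whereas the [5] baseline signs only n_1 elements; the comparison in the text is therefore on cost, not on message length.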
Abstract. Homomorphic authenticators (HAs) enable a client to authenticate a
large collection of data elements m_1, ..., m_t and outsource them, along with
the corresponding authenticators, to an untrusted server. At any later point,
the server can generate a short authenticator vouching for the correctness of
the output y of a function f computed on the outsourced data, i.e.,
y = f(m_1, ..., m_t). Recently researchers have focused on HAs as a solution,
with minimal communication and interaction, to the problem of delegating
computation on outsourced data. The notion of HAs studied so far, however,
only supports executions (and proofs of correctness) of computations over data
authenticated by a single user. Motivated by realistic scenarios (ubiquitous
computing, sensor networks, etc.) in which large datasets include data provided
by multiple users, we study the concept of multi-key homomorphic
authenticators. In a nutshell, multi-key HAs are like HAs with the extra
feature of allowing the holder of public evaluation keys to compute on data
authenticated under different secret keys. In this paper, we introduce and
formally define multi-key HAs. Secondly, we propose a construction of a
multi-key homomorphic signature based on standard lattices and supporting the
evaluation of circuits of bounded polynomial depth. Thirdly, we provide a
construction of multi-key homomorphic MACs based only on pseudorandom functions
and supporting the evaluation of low-degree arithmetic circuits. Albeit being
less expressive and only secretly verifiable, the latter construction presents
interesting efficiency properties.


1 Introduction

The technological innovations offered by modern IT systems are changing the
way digital data is collected, stored, processed and consumed. As an example,
think of an application where data is collected by some organizations (e.g.,
hospitals), stored and processed on remote servers (e.g., the Cloud) and
finally consumed by other users (e.g., medical researchers) on other devices.
On one hand, this computing paradigm is very attractive, particularly as data
can be shared and exchanged by multiple users. On the other hand, it is
evident that in such scenarios one may be concerned about security: while the
users that collect and consume the data may trust each other (up to some
extent), trusting the Cloud can be problematic for various reasons. More
specifically, two main security concerns to be addressed are those about the
privacy and authenticity of the data stored and processed in untrusted
environments.

While it is widely known that privacy can be solved in such a setting using,
e.g., homomorphic encryption [27], in this work we focus on the orthogonal
problem of providing authenticity of data during computation. Towards this
goal, our contribution is on advancing the study of homomorphic authenticators
(HAs), a cryptographic primitive that has been the subject of recent work
[9,26,30,32].


Homomorphic Authenticators. Using a homomorphic authenticator (HA) scheme a
user Alice can authenticate a collection of data items m_1, ..., m_t using her
secret key, and send the authenticated data to an untrusted server. The server
can execute a program P on the authenticated data and use a public evaluation
key to generate a value σ_{P,y} vouching for the correctness of
y = P(m_1, ..., m_t). Finally, a user Bob who is given the tuple (P, y,
σ_{P,y}) and Alice's verification key can use the authenticator to verify the
authenticity of y as output of the program P executed on data authenticated by
Alice. In other words, Bob can check that the server did not tamper with the
computation's result. Alice's verification key can be either secret or public.
In the former case, we refer to the primitive as homomorphic MACs [11,26],
while in the latter we refer to it as homomorphic signatures [9]. One of the
attractive features of HAs is that the authenticator σ_{P,y} is succinct,
i.e., much shorter than P's input size. This means that the server can execute
a program on a huge amount of data and convince Bob of its correctness by
sending him only a short piece of information. As discussed in previous work
(e.g., [5,26,30]), HAs provide a nice solution, with minimal communication and
interaction, to the problem of delegating computations on outsourced data, and
thus can be preferable to verifiable computation (more details on this
comparison appear in Sect. 1.2).


Our Contribution: Multi-key Homomorphic Authenticators. Up to now, the
notion of HAs has inherently been single-key, i.e., homomorphic computations
are allowed only on data authenticated using the same secret key. This
characteristic is obviously a limitation and prevents HA schemes from suiting
scenarios where the data is provided (and authenticated) by multiple users.
Consider the previously mentioned example of healthcare institutions which
need to compute on data collected by several hospitals or even some
remote-monitored patients. Similarly, it is often required to compute
statistics for time-series data collected from multiple users, e.g., to
monitor usage data in smart metering, clinical research or to monitor the
safety of buildings. Another application scenario is in distributed networks
of sensors. Imagine for instance a network of sensors where each sensor is in
charge of collecting data about air pollution in a certain area of a city, it
sends its data to a Cloud server, and then a central control unit asks the
Cloud to compute on the data collected by the sensors (e.g., to obtain the
average value of air pollution in a large area).
A trivial solution to address the problem of computing on data authenticated
by multiple users is to use homomorphic authenticators in such a way that all
data providers share the same secret authentication key. The desired
functionality is obviously achieved since data would be authenticated using a
single secret key. This approach however has several drawbacks. The first one
is that users need to coordinate in order to agree on such a key. The second
one is that in such a setting there would be no technical/legal way to
differentiate between users (e.g., to make each user accountable for his/her
duties) as any user can impersonate all the other ones. The third and more
relevant reason is that sharing the same key exposes the overall system to way
higher risks of attacks and makes disaster recovery more difficult: if a
single user is compromised the whole system is compromised too, and everything
has to be reinitialized from scratch.

In contrast, this paper provides an innovative solution through the notion of
multi-key homomorphic authenticators (multi-key HAs). This primitive
guarantees that the corruption of one user affects the data of that user
only, but does not endanger the authenticity of computations among the other
(uncorrupted) users of the system. Moreover, the proposed system is dynamic,
in the sense that compromised users can be assigned new keys and be easily
reintegrated.


1.1 An Overview of Our Results

Our contribution is mainly threefold. First of all, we elaborate a suitable
definition of multi-key HAs. Second, we propose the first construction of a
multi-key homomorphic signature (i.e., with public verifiability) which is
based on standard lattices and supports the evaluation of circuits of bounded
polynomial depth. Third, we present a multi-key homomorphic MAC that is based
only on pseudorandom functions and supports the evaluation of low-degree
arithmetic circuits. In spite of being less expressive and only secretly
verifiable, this last construction is way more efficient than the signature
scheme. In what follows, we elaborate more on our results.

Multi-Key Homomorphic Authenticators: What are they? At a high level,
multi-key HAs are like HAs with the additional property that one can execute
a program P on data authenticated using different secret keys. In multi-key
HAs, Bob verifies using the verification keys of all users that provided
inputs to P. These features make multi-key HAs a perfect candidate for
applications where multiple users gather and outsource data. Referring to our
previous examples, using multi-key HAs each sensor can authenticate and
outsource to the Cloud the data it collects; the Cloud can compute statistics
on the authenticated data and provide the central control unit with the result
along with a certificate vouching for its correctness.

An important aspect of our definition is a mechanism that allows the verifier
to keep track of the users that authenticated the inputs of P, i.e., to know
which user contributed to each input wire of P. To formalize this mechanism,
we build on the model of labeled data and programs of Gennaro and Wichs [26]
(we refer the reader to Sect. 3 for details). In terms of security, multi-key
HAs allow the adversary to corrupt users (i.e., to learn their secret keys);
yet this knowledge should not help the adversary in tampering with the results
of programs which involve inputs of honest (i.e., uncorrupted) users only. Our
model allows to handle compromised users in a similar way to what occurs with
classical digital signatures: a compromised user could be banned by means of a
certificate revocation, and could easily be re-integrated via a new key
pair.^1 Thinking of the sensor network application, if a sensor in the field
gets compromised, the data provided by other sensors remains secure, and a new
sensor can be easily introduced in the system with new credentials.

Finally, we require multi-key homomorphic authenticators to be succinct in
the sense that the size of authenticators is bounded by some fixed polynomial
in (λ, n, log t), where λ is the security parameter, n is the number of users
contributing to the computation and t is the total number of inputs of P.
Although such dependence on n may look undesirable, we stress that it is still
meaningful in many application scenarios where n is much smaller than t. For
instance, in the application scenario of healthcare institutions a few
hospitals can provide a large amount of data from patients.

A Multi-Key Homomorphic Signature for All Circuits. After setting the
definition of multi-key homomorphic authenticators, we proceed to construct
multi-key HA schemes. Our first contribution is a multi-key homomorphic
signature that supports the evaluation of boolean circuits of depth bounded by
a fixed polynomial in the security parameter. The scheme is proven secure
based on the small integer solution (SIS) problem over standard lattices [36],
and tolerates adversaries that corrupt users non-adaptively.^2 Our technique
is inspired by the ones developed by Gorbunov, Vaikuntanathan and Wichs [30]
to construct a (single-key) homomorphic signature. Our key contribution is on
providing a new representation of the signatures that enables to
homomorphically compute over them even if they were generated using different
keys. Furthermore, our scheme enjoys an additional property, not fully
satisfied by [30]: every user can authenticate separately every data item m_i
of a collection m_1, ..., m_t, and the correctness of computations is
guaranteed even when computing on not-yet-full datasets. Although it is
possible to modify the scheme in [30] for signing data items separately, the
security would only work against adversaries that query the whole dataset. In
contrast, we prove our scheme to be secure under a stronger security
definition where the adversary can adaptively query the various data items,
and it can try to cheat by pretending to possess signatures on data items
that it never queried (so-called Type 3 forgeries). We highlight that the
scheme in [30] is not secure under the stronger definition (with Type 3
forgeries) used in this paper, and we had to introduce new techniques to deal
with this scenario. This new property is particularly interesting as it
enables users to authenticate and outsource data items in a streaming fashion,
without ever having to store the whole dataset. This is useful in applications
where the dataset size can be very large or not fixed a priori.

^1 Here we mean that this process does not add more complications than the
ones already existing for classical digital signatures (e.g., relying on PKI
mechanisms).

^2 Precisely, our "core" scheme is secure against adversaries that make
non-adaptive signing queries; this is upgraded to adaptive security via
general transformations.

A Multi-Key Homomorphic MAC for Low-Degree Circuits. Our second construction
is a multi-key homomorphic MAC that supports the evaluation of arithmetic
circuits whose degree d is at most polynomial in the security parameter, and
whose inputs come from a small number n of users. For results of such
computations the corresponding authenticators have at most size
$s = \binom{n + d}{d}$.^3 Notably, the authenticator's size is completely
independent of the total number of inputs of the arithmetic circuit. Compared
to our multi-key homomorphic signature, this construction is only secretly
verifiable (i.e., Bob has to know the secret verification keys of all users
involved in the computation) and supports a class of computations that is less
expressive; also its succinctness is asymptotically worse. In spite of these
drawbacks, our multi-key homomorphic MAC achieves interesting features. From
the theoretical point of view, it is based on very simple cryptographic tools:
a family of pseudorandom functions. Thus, the security relies only on one-way
functions. On the practical side, it is particularly efficient: generating a
MAC requires only one pseudorandom function evaluation and a couple of field
operations; homomorphic computations boil down to additions and
multiplications over a multivariate polynomial ring
$\mathbb{F}_p[X_1, \ldots, X_n]$.

1.2 Related Work

Homomorphic MACs and Signatures. Homomorphic authenticators have received a
lot of attention in previous work focusing either on homomorphic signatures
(publicly verifiable) or on homomorphic MACs (private verification with a
secret key). The notion of homomorphic signatures was originally proposed by
Johnson et al. [32]. The first schemes that appeared in the literature were
homomorphic only for linear functions [8,13-15,23] and found important
applications in network coding and proofs of retrievability. Boneh and Freeman
[9] were the first to construct homomorphic signatures that can evaluate more
than linear functions over signed data. Their scheme could evaluate
bounded-degree polynomials and its security was based on the hardness of the
SIS problem in ideal lattices in the random oracle model. A few years later,
Catalano et al. [16] proposed an alternative homomorphic signature scheme for
bounded-degree polynomials. Their solution is based on multi-linear maps and
bypasses the need for random oracles. More interestingly, the work by Catalano
et al. [16] contains the first mechanism to verify signatures faster than the
running time of the verified function. Recently, Gorbunov et al. [30] have
proposed the first (leveled) fully homomorphic signature scheme that can
evaluate arbitrary circuits of bounded polynomial depth over signed data. Some
important advances have been also achieved in the area of homomorphic MACs.
Gennaro and Wichs [26] have proposed a fully homomorphic MAC based on fully
homomorphic encryption. However, their scheme is not secure in the presence of
verification queries. More efficient schemes have been proposed later
[5,11,12] that are secure in the presence of verification queries and are more
efficient at the price of supporting only restricted homomorphisms. Finally,
we note that Agrawal et al. [1] considered a notion of multi-key signatures
for network coding, and proposed a solution which works for linear functions
only. Compared to this work, our contribution shows a full-fledged framework
for multi-key homomorphic authenticators, and provides solutions that address
a more expressive class of computations.

^3 Note that s can be bounded by poly(n) for constant d, or by poly(d) for
constant n.


Verifiable Computation. Achieving correctness of outsourced computations is
also the aim of verifiable delegation of computation (VC) [6,18,20,25,29,37].
In this setting, a client wants to delegate the computation of a function f
on input x to an untrusted cloud-server. If the server replies with y, the
client's goal is to verify the correctness of y = f(x) spending less resources
than those needed to execute f. As mentioned in previous work (e.g., [26,30])
a crucial difference between verifiable computation and homomorphic
authenticators is that in VC the verifier has to know the input of the
computation, which can be huge, whereas in HAs one can verify by only knowing
the function f and the result y. Moreover, although some results of verifiable
computation could be re-interpreted to solve scenarios similar to the ones
addressed by HAs, results based on VC would still present several limitations.
For instance, using homomorphic authenticators the server can prove
correctness of y = f(x) with a single message, without needing any special
encoding of f from the delegator. Second, HAs come naturally with a
composition property which means that the outputs of some computations on
authenticated data (which is already authenticated) can be fed as input for
follow-up computations. This feature is of particular interest to parallelize
and/or distribute computations (e.g., MapReduce). Emulating this composition
within VC systems is possible by means of certain non-interactive proof
systems [7] but leads to complex statements and less natural realizations. A
last advantage is that by using HAs, clients can authenticate various (small)
pieces of data independently and without storing previously outsourced data.
In contrast, most VC systems require clients to encode the whole input in 'one
shot', and often such encoding can be used in a single computation only.


Multi-client Verifiable Computation. Another line of work, closely related to
ours, is that on multi-client verifiable computation [17,31]. This primitive,
introduced by Choi et al. [17], aims to extend VC to the setting where inputs
are provided by multiple users, and one of these users wants to verify the
result's correctness. Choi et al. [17] proposed a definition and a
multi-client VC scheme which generalizes that of Gennaro et al. [25]. The
solution in [17], however, does not consider malicious or colluding clients.
This setting was addressed by Gordon et al. in [31], where they provide a
scheme with stronger security guarantees against a malicious server or an
arbitrary set of malicious colluding clients.

It is interesting to notice that in the definition of multi-client VC all the
clients but the one who verifies can encode inputs independently of the
function to be later executed on them. One may thus think that the special
case in which the verifier provides no input yields a solution similar to the
one achieved by multi-key HAs. However, a closer look at the definitions and
the existing constructions of multi-client VC reveals three main differences.
(1) In multi-client VC, in order to prove the correctness of an execution of a
function f, the server has to wait for a message from the verifier which
includes some encoding of f. This is not necessary in multi-key HAs where the
server can directly prove the correctness of f on previously authenticated
data with a single message and without any function's encoding. (2) The
communication between the server and the verifier is at least linear in the
total number of inputs of f: this can be prohibitive in the case of
computations on very large inputs (think of TBytes of data). In contrast, with
multi-key HAs the communication between the server and the verifier is
proportional only to the number of users, and depends only logarithmically on
the total number of inputs. (3) In multi-client VC an encoding of one input
can be used in a single computation. Thus, if a user wants to first upload
data on the server to later execute many functions on it, then the user has to
provide as many encodings as the number of functions to be executed. In
contrast, multi-key HAs allow one to encode (i.e., authenticate) every input
only once and to use it for proving correctness of computations an unbounded
number of times.

2 Preliminaries

We collect here the notation and basic definitions used throughout the paper.


Notation. The Greek letter λ is reserved for the security parameter of the
schemes. A function ε(λ) is said to be negligible in λ (denoted as
ε(λ) = negl(λ)) if $\varepsilon(\lambda) = O(\lambda^{-c})$ for every constant
c > 0. When a function can be expressed as a polynomial we often write it as
poly(·). For any $n \in \mathbb{N}$, we refer to [n] as [n] := {1, ..., n}.
Moreover, given a set S, the notation $s \leftarrow_{\$} S$ stands for the
process of sampling s uniformly at random from S.

Definition 1 (Statistical Distance). Let $X, Y$ denote two random variables 
with support $\mathcal{X}, \mathcal{Y}$ respectively; the statistical distance between $X$ and $Y$ is 
defined as 

$$\mathrm{SD}(X, Y) := \tfrac{1}{2} \sum_{u \in \mathcal{X} \cup \mathcal{Y}} \big|\Pr[X = u] - \Pr[Y = u]\big|.$$

If $\mathrm{SD}(X, Y) = \mathrm{negl}(\lambda)$, we say that $X$ and $Y$ are statistically close and we 
write $X \approx_s Y$. 


Definition 2 (Entropy [19]). The min-entropy of a random variable $X$ is 
defined as $H_\infty(X) := -\log(\max_x \Pr[X = x])$. The (average-) conditional min-entropy 
of a random variable $X$ conditioned on a correlated variable $Y$ is defined as 

$$\tilde{H}_\infty(X \mid Y) := -\log\Big( \underset{y \leftarrow Y}{\mathbb{E}} \Big[ \max_x \Pr[X = x \mid Y = y] \Big] \Big).$$

The optimal probability of an unbounded adversary guessing $X$ when given a 
correlated value $Y$ is $2^{-\tilde{H}_\infty(X \mid Y)}$. 


Lemma 1 ([19]). Let $X, Y$ be arbitrary random variables where the support 
of $Y$ lies in $\mathcal{Y}$. Then $\tilde{H}_\infty(X \mid Y) \ge H_\infty(X) - \log(|\mathcal{Y}|)$. 
3 Multi-key Homomorphic Authenticators 

In this section, we present our new notion of Multi-Key Homomorphic Authenticators 
(multi-key HAs). Intuitively, multi-key HAs extend the existing notions 
of homomorphic signatures [9] and homomorphic MACs [26] in such a way that 
one can homomorphically compute a program $\mathcal{P}$ over data authenticated using 
different secret keys. For the sake of verification, in multi-key HAs the verifier 
needs to know the verification keys of all users that provided inputs to $\mathcal{P}$. Our 
definitions are meant to be general enough to be easily adapted to both the 
case in which verification keys are public and the one where verification keys are 
secret. In the former case, we call the primitive multi-key homomorphic signatures, 
whereas in the latter case we call it multi-key homomorphic MACs. 

As already observed in previous work about HAs, it is important that an 
authenticator $\sigma_{\mathcal{P}, y}$ does not authenticate a value $y$ out of context, but only as the 
output of a program $\mathcal{P}$ executed on previously authenticated data. To formalize 
this notion, we build on the model of labeled data and programs of Gennaro and 
Wichs [26]. The idea of this model is that every data item is authenticated under 
a unique label $\ell$. For example, in scenarios where the data is outsourced, such 
labels can be thought of as a way to index/identify the remotely stored data. A 
labeled program $\mathcal{P}$, on the other hand, consists of a circuit $f$ where every input 
wire $i$ has a label $\ell_i$. Going back to the outsourcing example, a labeled program 
is a way to specify on what portion of the outsourced data one should execute a 
circuit $f$. More formally, the notion of labeled programs of [26] is recalled below. 

Labeled Programs [26]. A labeled program $\mathcal{P}$ is a tuple $(f, \ell_1, \ldots, \ell_n)$, such 
that $f : \mathcal{M}^n \to \mathcal{M}$ is a function of $n$ variables (e.g., a circuit) and $\ell_i \in \{0,1\}^*$ 
is a label for the $i$-th input of $f$. Labeled programs can be composed as follows: 
given $\mathcal{P}_1, \ldots, \mathcal{P}_t$ and a function $g : \mathcal{M}^t \to \mathcal{M}$, the composed program $\mathcal{P}^*$ is the 
one obtained by evaluating $g$ on the outputs of $\mathcal{P}_1, \ldots, \mathcal{P}_t$, and it is denoted 
as $\mathcal{P}^* = g(\mathcal{P}_1, \ldots, \mathcal{P}_t)$. The labeled inputs of $\mathcal{P}^*$ are all the distinct labeled 
inputs of $\mathcal{P}_1, \ldots, \mathcal{P}_t$ (all the inputs with the same label are grouped together and 
considered as a unique input of $\mathcal{P}^*$). Let $f_{\mathrm{id}} : \mathcal{M} \to \mathcal{M}$ be the identity function 
and $\ell \in \{0,1\}^*$ be any label. We refer to $\mathcal{I}_\ell = (f_{\mathrm{id}}, \ell)$ as the identity program 
with label $\ell$. Note that a program $\mathcal{P} = (f, \ell_1, \ldots, \ell_n)$ can be expressed as the 
composition of $n$ identity programs $\mathcal{P} = f(\mathcal{I}_{\ell_1}, \ldots, \mathcal{I}_{\ell_n})$. 

Using labeled programs to identify users. In our notion of multi-key homomorphic 
authenticators, one wishes to verify the outputs of computations executed 
on data authenticated under different keys. A meaningful definition of 
multi-key HAs thus requires that the authenticators are not out of context also 
with respect to the set of keys that contributed to the computation. To address 
this issue, we assume that every user has an identity $\mathrm{id}$ in some identity space 
$\mathrm{ID}$, and that the user's keys are associated to $\mathrm{id}$ by means of any suitable 
mechanism (e.g., PKI). Next, in order to distinguish among data of different users 
and to identify to which input wires a certain user contributed, we assume that 
the label space contains the set $\mathrm{ID}$. Namely, in our model a data item is assigned 
a label $\ell := (\mathrm{id}, \tau)$, where $\mathrm{id}$ is a user's identity, and $\tau$ is a tag; this essentially 
identifies uniquely a data item of user $\mathrm{id}$ with index $\tau$. For compatibility with 
previous notions of homomorphic authenticators, we assume that data items 
can be grouped in datasets, and one can compute only on data within the same 
dataset. In our definitions, a dataset is identified by an arbitrary string $\Delta$. 4 

Definition 3 (Multi-key Homomorphic Authenticator). A multi-key 
homomorphic authenticator scheme MKHAut consists of a tuple of PPT 
algorithms (Setup, KeyGen, Auth, Eval, Ver) satisfying the following properties: 
authentication correctness, evaluation correctness, succinctness and security. 
The five algorithms work as follows: 

Setup($1^\lambda$). The setup algorithm takes as input the security parameter $\lambda$ and 
outputs some public parameters pp. These parameters include (at least) descriptions 
of a tag space $\mathcal{T}$, an identity space $\mathrm{ID}$, the message space $\mathcal{M}$ and a 
set of admissible functions $\mathcal{F}$. Given $\mathcal{T}$ and $\mathrm{ID}$, the label space of the scheme 
is defined as their cartesian product $\mathcal{L} := \mathrm{ID} \times \mathcal{T}$. For a labeled program 
$\mathcal{P} = (f, \ell_1, \ldots, \ell_t)$ with labels $\ell_i := (\mathrm{id}_i, \tau_i) \in \mathcal{L}$, we use $\mathrm{id} \in \mathcal{P}$ as 
compact notation for $\mathrm{id} \in \{\mathrm{id}_1, \ldots, \mathrm{id}_t\}$. The pp are input to all the following 
algorithms, even when not specified. 

KeyGen(pp). The key generation algorithm takes as input the public parameters 
and outputs a triple of keys $(\mathsf{sk}, \mathsf{ek}, \mathsf{vk})$, where $\mathsf{sk}$ is a secret authentication 
key, $\mathsf{ek}$ is a public evaluation key and $\mathsf{vk}$ is a verification key which could be 
either public or private. 5 

Auth($\mathsf{sk}, \Delta, \ell, m$). The authentication algorithm takes as input an authentication 
key $\mathsf{sk}$, a dataset identifier $\Delta$, a label $\ell = (\mathrm{id}, \tau)$ for the message $m$, and it 
outputs an authenticator $\sigma$. 

Eval($f, \{(\sigma_i, \mathsf{EKS}_i)\}_{i \in [t]}$). The evaluation algorithm takes as input a $t$-input 
function $f : \mathcal{M}^t \to \mathcal{M}$, and a set $\{(\sigma_i, \mathsf{EKS}_i)\}_{i \in [t]}$ where each $\sigma_i$ is an 
authenticator and each $\mathsf{EKS}_i$ is a set of evaluation keys. 6 

Ver($\mathcal{P}, \Delta, \{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}}, m, \sigma$). The verification algorithm takes as input a labeled 
program $\mathcal{P} = (f, \ell_1, \ldots, \ell_t)$, a dataset identifier $\Delta$, the set of verification 
keys $\{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}}$ corresponding to those identities $\mathrm{id}$ involved in the program 
$\mathcal{P}$, a message $m$ and an authenticator $\sigma$. It outputs 0 (reject) or 1 (accept). 

Authentication Correctness. Intuitively, a Multi-Key Homomorphic Authenticator 
has authentication correctness if the output of Auth($\mathsf{sk}, \Delta, \ell, m$) verifies 
correctly for $m$ as the output of the identity program $\mathcal{I}_\ell$ over the dataset 
$\Delta$. More formally, a scheme MKHAut satisfies authentication correctness if for 
all public parameters $\mathsf{pp} \leftarrow \mathrm{Setup}(1^\lambda)$, any key triple $(\mathsf{sk}, \mathsf{ek}, \mathsf{vk}) \leftarrow \mathrm{KeyGen}(\mathsf{pp})$, 
any label $\ell = (\mathrm{id}, \tau) \in \mathcal{L}$ and any authenticator $\sigma \leftarrow \mathrm{Auth}(\mathsf{sk}, \Delta, \ell, m)$, we have 
that Ver($\mathcal{I}_\ell, \Delta, \mathsf{vk}, m, \sigma$) outputs 1 with all but negligible probability. 

4 Although considering the dataset notion complicates the definition, it also provides 
some benefits, as we illustrate later in the constructions. For instance, when verifying 
the same program $\mathcal{P}$ over different datasets, one can perform some pre-computation 
that makes further verifications cheap. 

5 As mentioned earlier, the generated triple $(\mathsf{sk}, \mathsf{ek}, \mathsf{vk})$ will be associated to an 
identity $\mathrm{id} \in \mathrm{ID}$. When this connection becomes explicit, we will refer to $(\mathsf{sk}, \mathsf{ek}, \mathsf{vk})$ as 
$(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}})$. 

6 The motivation behind the evaluation-keys set $\mathsf{EKS}_i$ is that, if $\sigma_i$ authenticates 
the output of a labeled program $\mathcal{P}_i$, then $\mathsf{EKS}_i = \{\mathsf{ek}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}_i}$ should be the set of 
evaluation keys corresponding to identities involved in the computation of $\mathcal{P}_i$. 

Evaluation Correctness. Intuitively, this property says that running the 
evaluation algorithm on signatures $(\sigma_1, \ldots, \sigma_t)$ such that each $\sigma_i$ verifies for 
$m_i$ as the output of a labeled program $\mathcal{P}_i$ over the dataset $\Delta$, it produces 
a signature $\sigma$ which verifies for $f(m_1, \ldots, m_t)$ as the output of the composed 
program $f(\mathcal{P}_1, \ldots, \mathcal{P}_t)$ over the dataset $\Delta$. More formally, let us fix 
the public parameters $\mathsf{pp} \leftarrow \mathrm{Setup}(1^\lambda)$, a set of key triples $\{(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}})\}_{\mathrm{id} \in \widetilde{\mathrm{ID}}}$ 
for some $\widetilde{\mathrm{ID}} \subseteq \mathrm{ID}$, a dataset $\Delta$, a function $g : \mathcal{M}^t \to \mathcal{M}$, and any 
set of program/message/authenticator triples $\{(\mathcal{P}_i, m_i, \sigma_i)\}_{i \in [t]}$ such that 
Ver($\mathcal{P}_i, \Delta, \{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}_i}, m_i, \sigma_i$) $= 1$ for all $i \in [t]$. Let $m^* = g(m_1, \ldots, m_t)$, 
$\mathcal{P}^* = g(\mathcal{P}_1, \ldots, \mathcal{P}_t)$, and $\sigma^* = \mathrm{Eval}(g, \{(\sigma_i, \mathsf{EKS}_i)\}_{i \in [t]})$ where $\mathsf{EKS}_i = \{\mathsf{ek}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}_i}$. 
Then, Ver($\mathcal{P}^*, \Delta, \{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}^*}, m^*, \sigma^*$) $= 1$ holds with all but negligible 
probability. 

Succinctness. A multi-key HA is said to be succinct if the size of every 
authenticator depends only logarithmically on the size of a dataset. However, 
we allow authenticators to depend on the number of keys involved in the 
computation. More formally, let $\mathsf{pp} \leftarrow \mathrm{Setup}(1^\lambda)$, $\mathcal{P} = (f, \ell_1, \ldots, \ell_t)$ with $\ell_i = (\mathrm{id}_i, \tau_i)$, 
$\{(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}}) \leftarrow \mathrm{KeyGen}(\mathsf{pp})\}_{\mathrm{id} \in \mathcal{P}}$, and $\sigma_i \leftarrow \mathrm{Auth}(\mathsf{sk}_{\mathrm{id}_i}, \Delta, \ell_i, m_i)$ for all 
$i \in [t]$. A multi-key HA is said to be succinct if there exists a fixed polynomial 
$p$ such that $|\sigma| = p(\lambda, n, \log t)$ where $\sigma = \mathrm{Eval}(f, \{(\sigma_i, \mathsf{ek}_{\mathrm{id}_i})\}_{i \in [t]})$ and 
$n = |\{\mathrm{id} \in \mathcal{P}\}|$. 

Remark 1. Succinctness is one of the crucial properties that make multi-key HAs 
an interesting primitive. Without succinctness, a trivial multi-key HA construction 
is the one where Eval outputs the concatenation of all the signatures (and 
messages) given in input, and the verifier simply checks each message-signature 
pair and recomputes the function by itself. Our definition of succinctness, 
where signatures can grow linearly with the number of keys but logarithmically 
in the total number of inputs, is also non-trivial, especially when considering 
settings where there are many more inputs than keys (in which case, the above 
trivial construction would not work). Another property that can make homomorphic 
signatures an interesting primitive is privacy (context-hiding), as considered in 
prior work. Intuitively, context-hiding guarantees that signatures do not reveal 
information on the original inputs. While we leave the study of context-hiding 
for multi-key HAs for future work, we note that a trivial construction that is 
context-hiding but not succinct can be easily obtained with the additional help 
of non-interactive zero-knowledge proofs of knowledge: the idea is to extend the 
trivial construction above by requiring the evaluator to generate a NIZK proof of 
knowledge of valid input messages and signatures that yield the public output. 
In this sense, we believe that succinctness is the most non-trivial property to 
achieve in homomorphic signatures, and this is what we focus on in this work. 
Security. Intuitively, our security model for multi-key HAs guarantees that 
an adversary, without knowledge of the secret keys, can only produce authenticators 
that were either received from a legitimate user, or verify correctly on the 
results of computations executed on the data authenticated by legitimate users. 
Moreover, we also give to the adversary the possibility of corrupting users. In 
this case, it must not be able to cheat on the outputs of programs that get inputs 
from uncorrupted users only. In other words, our security definition guarantees 
that the corruption of one user affects the data of that user only, but does not 
endanger the integrity of computations among the other (uncorrupted) users 
of the system. We point out that preventing cheating on programs that involve 
inputs of corrupted users is inherently impossible in multi-key HAs, at least if 
general functions are considered. For instance, consider an adversary who picks 
the function $(x_1 + x_2 \bmod p)$ where $x_1$ is supposed to be provided by user 
Alice. If the adversary corrupts Alice, it can use her secret key to inject any 
input authenticated on her behalf and thus bias the output of the function at 
its will. 

The formalization of the intuitions illustrated above is more involved. For 
a scheme MKHAut we define security via the following experiment between a 
challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ ($\mathrm{HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}(\lambda)$): 

Setup. $\mathcal{C}$ runs Setup($1^\lambda$) to obtain the public parameters pp that are sent to $\mathcal{A}$. 

Authentication Queries. $\mathcal{A}$ can adaptively submit queries of the form 
$(\Delta, \ell, m)$, where $\Delta$ is a dataset identifier, $\ell = (\mathrm{id}, \tau)$ is a label in $\mathrm{ID} \times \mathcal{T}$ 
and $m \in \mathcal{M}$ is a message of its choice. $\mathcal{C}$ answers as follows: 

- If $(\Delta, \ell, m)$ is the first query for the dataset $\Delta$, $\mathcal{C}$ initializes an empty list 
$L_\Delta = \emptyset$ and proceeds as follows. 

- If $(\Delta, \ell, m)$ is the first query with identity $\mathrm{id}$, $\mathcal{C}$ generates keys 
$(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}}) \leftarrow \mathrm{KeyGen}(\mathsf{pp})$ (that are implicitly assigned to identity $\mathrm{id}$), 
gives $\mathsf{ek}_{\mathrm{id}}$ to $\mathcal{A}$ and proceeds as follows. 

- If $(\Delta, \ell, m)$ is such that $(\ell, m) \notin L_\Delta$, $\mathcal{C}$ computes $\sigma_\ell \leftarrow \mathrm{Auth}(\mathsf{sk}_{\mathrm{id}}, \Delta, \ell, m)$ 
(note that $\mathcal{C}$ has already generated keys for the identity $\mathrm{id}$), returns $\sigma_\ell$ to $\mathcal{A}$, 
and updates the list $L_\Delta \leftarrow L_\Delta \cup (\ell, m)$. 

- If $(\Delta, \ell, m)$ is such that $(\ell, \cdot) \in L_\Delta$ (which means that the adversary had 
already made a query $(\Delta, \ell, m')$ for some message $m'$), then $\mathcal{C}$ ignores the 
query. 

Verification Queries. $\mathcal{A}$ is also given access to a verification oracle. Namely, 
the adversary can submit a query $(\mathcal{P}, \Delta, m, \sigma)$, and $\mathcal{C}$ replies with the output 
of Ver($\mathcal{P}, \Delta, \{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}}, m, \sigma$). 

Corruption. The adversary has access to a corruption oracle. At the beginning 
of the game, the challenger initialises an empty list $L_{\mathrm{corr}} = \emptyset$ of corrupted 
identities; during the game, $\mathcal{A}$ can adaptively query identities $\mathrm{id} \in \mathrm{ID}$. If 
$\mathrm{id} \notin L_{\mathrm{corr}}$, then $\mathcal{C}$ replies with the triple $(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}})$ (that is generated 
using KeyGen if not done before) and updates the list $L_{\mathrm{corr}} \leftarrow L_{\mathrm{corr}} \cup \mathrm{id}$. If 
$\mathrm{id} \in L_{\mathrm{corr}}$, then $\mathcal{C}$ replies with the triple $(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}})$ assigned to $\mathrm{id}$ before. 
Forgery. In the end, $\mathcal{A}$ outputs a tuple $(\mathcal{P}^*, \Delta^*, m^*, \sigma^*)$. The experiment outputs 
1 if the tuple returned by $\mathcal{A}$ is a forgery (defined below), and 0 otherwise. 

Definition 4 (Forgery). Consider an execution of $\mathrm{HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}(\lambda)$ 
where $(\mathcal{P}^*, \Delta^*, m^*, \sigma^*)$ is the tuple returned by the adversary at the end 
of the experiment, with $\mathcal{P}^* = (f^*, \ell_1^*, \ldots, \ell_t^*)$. This is a forgery if 
Ver($\mathcal{P}^*, \Delta^*, \{\mathsf{vk}_{\mathrm{id}}\}_{\mathrm{id} \in \mathcal{P}^*}, m^*, \sigma^*$) $= 1$; for all $\mathrm{id} \in \mathcal{P}^*$ we have that $\mathrm{id} \notin L_{\mathrm{corr}}$ 
(i.e., no identity involved in $\mathcal{P}^*$ is corrupted), and either one of the following 
properties is satisfied: 

Type 1: $L_{\Delta^*}$ has not been initialized during the game (i.e., the dataset $\Delta^*$ was 
never queried). 

Type 2: For all $i \in [t]$, $\exists (\ell_i^*, m_i) \in L_{\Delta^*}$, but $m^* \neq f^*(m_1, \ldots, m_t)$ (i.e., $m^*$ 
is not the correct output of $\mathcal{P}^*$ when executed over previously authenticated 
messages). 

Type 3: There exists a label $\ell^*$ such that $(\ell^*, \cdot) \notin L_{\Delta^*}$ (i.e., $\mathcal{A}$ never made a 
query with label $\ell^*$). 

We say that a HA scheme MKHAut is secure if for every PPT adversary $\mathcal{A}$, its 
advantage $\mathbf{Adv}^{\mathrm{HomUF\text{-}CMA}}_{\mathcal{A}, \mathrm{MKHAut}}(\lambda) = \Pr[\mathrm{HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}(\lambda) = 1]$ is negligible. 

Remark 2 (Comparison with previous security definitions). Our security notion 
can be seen as the multi-key version of the one proposed by Gennaro and Wichs 
in [26] (in their model our Type 3 forgeries are called ‘Type 1’, as they do not 
consider multiple datasets). We point out that even in the special case of a 
single key, our security definition is stronger than the ones used in previous 
work [9,16,23,30] (with the only exception of [26]). The main difference lies in 
our definition of Type 3 forgeries. The intuitive idea of this kind of forgery 
is that an adversary who did not receive an authenticated input labeled by a 
certain $\ell^*$ cannot produce a valid authenticator for the output of a computation 
which has $\ell^*$ among its inputs. In [9,30] these forgeries were not considered at 
all, as the adversary is assumed to always query the dataset in full. Other works 
[11,16,23] consider a weaker Type 3 notion, which deals with the concept of 
“well defined programs”, where the input wire labeled by the missing label $\ell^*$ is 
required to “contribute” to the computation (i.e., it must change its outcome). 
The issue with such a Type 3 definition is that it may not be efficient to test if an 
input contributes to a function, especially if the admissible functions are general 
circuits. In contrast, our definition above is simpler and efficiently testable since 
it simply considers a Type 3 forgery one where the labeled program $\mathcal{P}^*$ involves 
an un-queried input. 


Multi-key Homomorphic Signatures. As previously mentioned, our definitions 
are general enough to be easily adapted to either case in which verification 
is secret or public. The only difference is whether the adversary is allowed to see 
the verification keys in the security experiment. When the verification is public, 
we call the primitive multi-key homomorphic signatures. More formally: 

Definition 5 (Multi-key Homomorphic Signatures). A multi-key homomorphic 
signature is a multi-key homomorphic authenticator in which verification 
keys are also given to the adversary in the security experiment. 

Note that making verification keys public also allows one to slightly simplify the 
security experiment by removing the verification oracle (the adversary can run the 
verification by itself). In the sequel, when referring to multi-key homomorphic 
signatures we adapt our notation to the typical one of digital signatures, namely 
we denote Auth($\mathsf{sk}, \Delta, \ell, m$) as Sign($\mathsf{sk}, \Delta, \ell, m$), and call its outputs signatures. 


Non-adaptive Corruption Queries. In our work, we consider a relaxation 
of the security definition in which the adversaries ask for corruptions in a 
non-adaptive way. More precisely, we say that an adversary $\mathcal{A}$ makes non-adaptive 
corruption queries if for every identity $\mathrm{id}$ asked to the corruption oracle, $\mathrm{id}$ was 
not queried earlier in the game to the authentication oracle or the verification 
oracle. For this class of adversaries, it is easy to see that corruption queries 
are essentially of no help, as the adversary can generate keys on its own. More 
precisely, the following proposition holds (see the full version [22] for the proof). 

Proposition 1. MKHAut is secure against adversaries that do not make 
corruption queries if and only if MKHAut is secure against adversaries that make 
non-adaptive corruption queries. 


Weakly-Adaptive Secure Multi-key HAs. In our work, we also consider a 
weaker notion of security for multi-key HAs in which the adversary has to declare 
all the queried messages at the beginning of the experiment. More precisely, we 
consider a notion in which the adversary declares only the messages and the 
respective tags that will be queried, for every dataset and identity, without, 
however, needing to specify the names of the datasets or of the identities. In 
a sense, the adversary $\mathcal{A}$ is adaptive on identities and dataset names, but not 
on tags and messages. The definition is inspired by the one, for the single-key 
setting, of Catalano et al. [16]. 

To define the notion of weakly-adaptive security for multi-key HAs, we introduce 
here a new experiment $\mathrm{Weak\text{-}HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}$, which is a variation of 
experiment $\mathrm{HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}$ (Definition 3) as described below. 

Definition 6 (Weakly-Secure Multi-key Homomorphic Authenticators). 
In the security experiment $\mathrm{Weak\text{-}HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}$, before the setup 
phase, the adversary $\mathcal{A}$ sends to the challenger $\mathcal{C}$ a collection of sets of tags 
$\mathcal{T}_{i,k} \subseteq \mathcal{T}$ for $i \in [Q_{\mathrm{id}}]$ and $k \in [Q_\Delta]$, where $Q_{\mathrm{id}}$ and $Q_\Delta$ are, respectively, the total 
numbers of distinct identities and datasets that will be queried during the game. 
Associated to every set $\mathcal{T}_{i,k}$, $\mathcal{A}$ also sends a set of messages $\mathcal{M}_{i,k}$. Basically, 
the adversary declares, prior to key generation, all the messages and tags that 
it will query later on; however, $\mathcal{A}$ is not required to specify identity and dataset 
names. Next, the adversary receives the public parameters from $\mathcal{C}$ and can start 
the query phase. Verification queries are handled as in $\mathrm{HomUF\text{-}CMA}_{\mathcal{A}, \mathrm{MKHAut}}$. 
For authentication queries, $\mathcal{A}$ can adaptively submit pairs $(\mathrm{id}, \Delta)$ to $\mathcal{C}$. The 
challenger then replies with a set of authenticators $\{\sigma_\tau\}_{\tau \in \mathcal{T}_{i,k}}$, where the indices $i, k$ are 
such that $\mathrm{id}$ is the $i$-th queried identity, and $\Delta$ is the $k$-th queried dataset. 

An analogous security definition of weakly-secure multi-key homomorphic 
signatures is trivially obtained by removing the verification oracle. 

In the full version of this paper, we present two generic transformations that 
turn weakly secure multi-key homomorphic authenticator schemes into adaptively 
secure ones. Our first transformation holds in the standard model and works 
for schemes in which the tag space $\mathcal{T}$ has polynomial size, while the second one 
avoids this limitation on the size of $\mathcal{T}$ but holds in the random oracle model. 

4 Our Multi-key Fully Homomorphic Signature 

In this section, we present our construction of a multi-key homomorphic 
signature scheme that supports the evaluation of arbitrary circuits of bounded 
polynomial depth. The scheme is based on the SIS problem on standard lattices, 
a background of which is provided in the next section. Precisely, in Sect. 4.2 
we present a scheme that is weakly-secure and supports a single dataset. Later, 
in Sect. 4.3 we discuss how to extend the scheme to handle multiple datasets, 
whereas the support of adaptive security can be obtained via the application of 
our transformations as shown in [22]. 

4.1 Lattices and Small Integer Solution Problem 

We recall here notation and some basic results about lattices that are useful to 
describe our homomorphic signature construction. 

For any positive integer $q$ we denote by $\mathbb{Z}_q$ the ring of integers modulo $q$. 
Elements in $\mathbb{Z}_q$ are represented as integers in the range $(-\frac{q}{2}, \frac{q}{2}]$. The absolute 
value of any $x \in \mathbb{Z}_q$ (denoted with $|x|$) is defined by taking the modulus $q$ 
representative of $x$ in $(-\frac{q}{2}, \frac{q}{2}]$, i.e., take $y = x \bmod q$ and then set $|x| = |y| \in [0, \frac{q}{2}]$. 
Vectors and matrices are denoted in bold. For any vector $\mathbf{u} := (u_1, \ldots, u_n) \in \mathbb{Z}_q^n$, 
its infinity norm is $\|\mathbf{u}\|_\infty := \max_{i \in [n]} |u_i|$, and similarly for a matrix 
$\mathbf{A} := [a_{i,j}] \in \mathbb{Z}_q^{n \times m}$ we write $\|\mathbf{A}\|_\infty := \max_{i \in [n], j \in [m]} |a_{i,j}|$. 


The Small Integer Solution Problem (SIS). For integer parameters $n, m, q$ 
and $\beta$, the $\mathrm{SIS}(n, m, q, \beta)$ problem provides to an adversary $\mathcal{A}$ a uniformly 
random matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, and requires $\mathcal{A}$ to find a vector $\mathbf{u} \in \mathbb{Z}_q^m$ such that 
$\mathbf{u} \neq \mathbf{0}$, $\|\mathbf{u}\|_\infty \le \beta$, and $\mathbf{A}\mathbf{u} = \mathbf{0}$. More formally, 

Definition 7 (SIS [36]). Let $\lambda \in \mathbb{N}$ be the security parameter. For values 
$n = n(\lambda)$, $m = m(\lambda)$, $q = q(\lambda)$, $\beta = \beta(\lambda)$, defined as functions of $\lambda$, the 
$\mathrm{SIS}(n, m, q, \beta)$ hardness assumption holds if for any PPT adversary $\mathcal{A}$ we have 

$$\Pr\Big[\, \mathbf{A} \cdot \mathbf{u} = \mathbf{0} \;\wedge\; \mathbf{u} \neq \mathbf{0} \;\wedge\; \|\mathbf{u}\|_\infty \le \beta \;:\; \mathbf{A} \xleftarrow{\$} \mathbb{Z}_q^{n \times m},\; \mathbf{u} \leftarrow \mathcal{A}(1^\lambda, \mathbf{A}) \,\Big] \le \mathrm{negl}(\lambda).$$

For standard lattices, the SIS problem is known to be as hard as solving certain 
worst-case instances of lattice problems [2,33,35,36], and is also implied by the 
hardness of learning with errors (we refer any interested reader to the cited papers 
for the technical details about the parameters). 

In our paper, we assume that for any $\beta = 2^{\mathrm{poly}(\lambda)}$ there are some $n = \mathrm{poly}(\lambda)$, 
$q = 2^{\mathrm{poly}(\lambda)}$, with $q > \beta$, such that for all $m = \mathrm{poly}(\lambda)$ the $\mathrm{SIS}(n, m, q, \beta)$ hardness 
assumption holds. This choice of parameters ensures that hardness of worst-case 
lattice problems holds with sub-exponential approximation factors. 


Trapdoors for Lattices. The SIS problem is hard to solve for a random 
matrix $\mathbf{A}$. However, there is a way to sample a random $\mathbf{A}$ together with a 
trapdoor such that SIS becomes easy to solve for that $\mathbf{A}$, given the trapdoor. 
Additionally, it has been shown that there exist “special” (non-random) matrices 
$\mathbf{G}$ for which SIS is easy to solve as well. The following lemma summarizes the 
above known results (similar to a lemma in [10]): 

Lemma 2 ([3,4,28,34]). There exist efficient algorithms TrapGen, SamPre, 
Sam such that the following holds: given integers $n \ge 1$, $q \ge 2$, there exist some 
$m^* = m^*(n, q) = O(n \log q)$, $\beta_{\mathrm{sam}} = \beta_{\mathrm{sam}}(n, q) = O(n \sqrt{\log q})$ such that for all 
$m \ge m^*$ and all $k$ (polynomial in $n$) we have: 

1. $\mathrm{Sam}(1^m, 1^k, q) \to \mathbf{U}$ samples a matrix $\mathbf{U} \in \mathbb{Z}_q^{m \times k}$ such that $\|\mathbf{U}\|_\infty \le \beta_{\mathrm{sam}}$ 
(with probability 1). 

2. For $(\mathbf{A}, \mathrm{td}) \leftarrow \mathrm{TrapGen}(1^n, 1^m, q)$, $\mathbf{A}' \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$, $\mathbf{U} \leftarrow \mathrm{Sam}(1^m, 1^k, q)$, 
$\mathbf{V} := \mathbf{A}\mathbf{U}$, $\mathbf{V}' \xleftarrow{\$} \mathbb{Z}_q^{n \times k}$, $\mathbf{U}' \leftarrow \mathrm{SamPre}(\mathbf{A}, \mathbf{V}', \mathrm{td})$, we have the following 
statistical indistinguishability (negligible in $n$) 

$$\mathbf{A} \approx_s \mathbf{A}' \quad \text{and} \quad (\mathbf{A}, \mathrm{td}, \mathbf{U}, \mathbf{V}) \approx_s (\mathbf{A}, \mathrm{td}, \mathbf{U}', \mathbf{V}')$$

and $\mathbf{U}' \leftarrow \mathrm{SamPre}(\mathbf{A}, \mathbf{V}', \mathrm{td})$ always satisfies $\mathbf{A}\mathbf{U}' = \mathbf{V}'$ and $\|\mathbf{U}'\|_\infty \le \beta_{\mathrm{sam}}$. 

3. Given $n, m, q$ as above, there is an efficiently and deterministically computable 
matrix $\mathbf{G} \in \mathbb{Z}_q^{n \times m}$ and a deterministic polynomial-time algorithm $\mathbf{G}^{-1}$ that 
on input $\mathbf{V} \in \mathbb{Z}_q^{n \times k}$ (for any integer $k$) outputs $\mathbf{R} = \mathbf{G}^{-1}(\mathbf{V})$ such that 
$\mathbf{R} \in \{0,1\}^{m \times k}$ and $\mathbf{G}\mathbf{R} = \mathbf{V}$. 


4.2 Our Multi-key Homomorphic Signature for Single Dataset 

In this section, we present our multi-key homomorphic signature that supports 
the evaluation of boolean circuits of bounded polynomial depth. Our construction 
is inspired by the (single-key) one of Gorbunov et al. [30], with the fundamental 
difference that in our case we enable computations over data signed 
using different secret keys. Moreover, our scheme is secure against Type 3 
forgeries. We achieve this via a new technique which consists in adding to every 
signature a component that specifically protects against this type of forgeries. 
We prove the scheme to be weakly-secure under the SIS hardness assumption. 

Parameters. Before describing the scheme, we discuss how to set the various 
parameters involved. Let $\lambda$ be the security parameter, and let $d = d(\lambda) = \mathrm{poly}(\lambda)$ 
be the bound on the depth of the circuits supported by our scheme. We define 
the set of parameters used in our scheme $\mathrm{Par} = \{n, m, q, \beta_{\mathrm{SIS}}, \beta_{\max}, \beta_{\mathrm{init}}\}$ in terms 
of $\lambda, d$ and of the parameters required by the trapdoor algorithm in Lemma 2: 
$m^*, \beta_{\mathrm{sam}}$, where $m^* = m^*(n, q) := O(n \log q)$ and $\beta_{\mathrm{sam}} := O(n \sqrt{\log q})$. More 
precisely, we set: $\beta_{\max} := 2^{\omega(\log \lambda) d}$; $\beta_{\mathrm{SIS}} := 2^{\omega(\log \lambda)} \beta_{\max}$; $n = \mathrm{poly}(\lambda)$; 
$q = O(2^{\mathrm{poly}(\lambda)}) > \beta_{\mathrm{SIS}}$ is a prime (as small as possible) so that the $\mathrm{SIS}(n, m', q, \beta_{\mathrm{SIS}})$ 
assumption holds for all $m' = \mathrm{poly}(\lambda)$; $m = \max\{m^*, n \log q + \omega(\log \lambda)\} = \mathrm{poly}(\lambda)$ 
and, finally, $\beta_{\mathrm{init}} := \beta_{\mathrm{sam}} = \mathrm{poly}(\lambda)$. 


Construction. The PPT algorithms (Setup, KeyGen, Sign, Eval, Ver) which 
define our construction of Multi-key Homomorphic Signatures work as follows: 

Setup($1^\lambda$). The setup algorithm takes as input the security parameter $\lambda$ and 
generates the public parameters pp which include: the bound on the circuit 
depth $d$ (which defines the class $\mathcal{F}$ of functions supported by the scheme, 
i.e., boolean circuits of depth $d$), the set $\mathrm{Par} = \{n, m, q, \beta_{\mathrm{SIS}}, \beta_{\max}, \beta_{\mathrm{init}}\}$, the 
set $\mathcal{U} = \{\mathbf{U} \in \mathbb{Z}_q^{m \times m} : \|\mathbf{U}\|_\infty \le \beta_{\max}\}$, the set $\mathcal{V} = \{\mathbf{V} \in \mathbb{Z}_q^{n \times m}\}$, 
descriptions of the message space $\mathcal{M} = \{0,1\}$, the tag space $\mathcal{T} = [T]$, and 
the identity space $\mathrm{ID} = [C]$, for integers $T, C \in \mathbb{N}$. In this construction, the 
tag space is of polynomial size, i.e., $T = \mathrm{poly}(\lambda)$, while the identity space 
is essentially unbounded, i.e., we set $C = 2^\lambda$. Also recall that $\mathcal{T}$ and $\mathrm{ID}$ 
immediately define the label space $\mathcal{L} = \mathrm{ID} \times \mathcal{T}$. The final output is 
$\mathsf{pp} = \{d, \mathrm{Par}, \mathcal{U}, \mathcal{V}, \mathcal{M}, \mathcal{T}, \mathrm{ID}\}$. We assume that these public parameters pp are input 
to all subsequent algorithms, and often omit them from the input explicitly. 

KeyGen(pp). The key generation algorithm takes as input the public parameters 
pp and generates a key-triple $(\mathsf{sk}, \mathsf{ek}, \mathsf{vk})$ defined as follows. First, it 
samples $T$ random matrices $\mathbf{V}_1, \ldots, \mathbf{V}_T \xleftarrow{\$} \mathcal{V}$. Second, it runs $(\mathbf{A}, \mathrm{td}) \leftarrow \mathrm{TrapGen}(1^n, 1^m, q)$ 
to generate a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ along with its trapdoor 
$\mathrm{td}$. Then, it outputs $\mathsf{sk} = (\mathrm{td}, \mathbf{A}, \mathbf{V}_1, \ldots, \mathbf{V}_T)$, $\mathsf{ek} = \mathbf{A}$, $\mathsf{vk} = (\mathbf{A}, \mathbf{V}_1, \ldots, \mathbf{V}_T)$. 
Note that it is possible to associate the key-triple to an identity $\mathrm{id} \in \mathrm{ID}$; when 
we need to stress this explicitly we write $(\mathsf{sk}_{\mathrm{id}}, \mathsf{ek}_{\mathrm{id}}, \mathsf{vk}_{\mathrm{id}})$. We also observe that 
the key generation process can be seen as the combination of two independent 
sub-algorithms 7 $\mathrm{KeyGen}_1$ and $\mathrm{KeyGen}_2$, where $\{\mathbf{V}_1, \ldots, \mathbf{V}_T\} \leftarrow \mathrm{KeyGen}_1(\mathsf{pp})$ 
and $(\mathbf{A}, \mathrm{td}) \leftarrow \mathrm{KeyGen}_2(\mathsf{pp})$. 

Sign($\mathsf{sk}, \ell, m$). The signing algorithm takes as input a secret key $\mathsf{sk}$, a label $\ell = (\mathrm{id}, \tau)$ 
for the message $m$, and it outputs a signature $\sigma := (m, z, I, \mathbf{U}_\tau, \mathbf{Z}_\tau)$ 
where $I = \{\mathrm{id}\}$, $\mathbf{U}_\tau$ is generated as $\mathbf{U}_\tau \leftarrow \mathrm{SamPre}(\mathbf{A}, \mathbf{V}_\tau - m\mathbf{G}, \mathrm{td})$ (using the 
algorithm SamPre from Lemma 2), $z = m$ and $\mathbf{Z}_\tau = \mathbf{U}_\tau$. The two latter terms 
are responsible for protection against Type 3 forgeries. Although they are 
redundant for fresh signatures, their value will become different from $(m, \mathbf{U}_\tau)$ 
during homomorphic operations, as we clarify later on. More generally, in our 
construction signatures are of the form $\sigma := (m, z, I, \{\mathbf{U}_{\mathrm{id}}\}_{\mathrm{id} \in I}, \{\mathbf{Z}_{\mathrm{id}}\}_{\mathrm{id} \in I})$ with 
$I \subseteq \mathrm{ID}$ and $\mathbf{U}_{\mathrm{id}}, \mathbf{Z}_{\mathrm{id}} \in \mathcal{U}$, $\forall\, \mathrm{id} \in I$. 

7 This splitting will be used to extend our multi-key homomorphic signature scheme 
from supporting a single dataset to supporting multiple datasets. This extension holds 
in the standard model and is described in Sect. 4.3. 

Eval($f, \{(\sigma_i, \mathsf{EKS}_i)\}_{i \in [t]}$). The evaluation algorithm takes as input a $t$-input 
function $f : \mathcal{M}^t \to \mathcal{M}$, and a set of pairs $\{(\sigma_i, \mathsf{EKS}_i)\}_{i \in [t]}$ where each $\sigma_i$ is a 
signature and each $\mathsf{EKS}_i$ is a set of evaluation keys. In our description below 
we treat $f$ as an arithmetic circuit over $\mathbb{Z}_q$ consisting of addition and 
multiplication gates. 8 Therefore, we only describe how to evaluate homomorphically a 
fan-in-2 addition (resp. multiplication) gate as well as a unary 
multiplication-by-constant gate. 

Let $g$ be a fan-in-2 gate with left input $\sigma_L := (m_L, z_L, I_L, \mathbf{U}_L, \mathbf{Z}_L)$ and right 
input $\sigma_R := (m_R, z_R, I_R, \mathbf{U}_R, \mathbf{Z}_R)$. To generate the signature $\sigma := (m, z, I, \mathbf{U}, \mathbf{Z})$ 
on the gate's output one proceeds as follows. First set $I = I_L \cup I_R$. Second, 
“expand” $\mathbf{U}_L := \{\mathbf{U}_L^{\mathrm{id}}\}_{\mathrm{id} \in I_L}$ as: 

$$\hat{\mathbf{U}}_L^{\mathrm{id}} = \begin{cases} \mathbf{0} & \text{if } \mathrm{id} \notin I_L \\ \mathbf{U}_L^{\mathrm{id}} & \text{if } \mathrm{id} \in I_L \end{cases} \qquad \forall\, \mathrm{id} \in I,$$

where $\mathbf{0}$ denotes an $(m \times m)$-matrix with all zero entries. Basically, we extend 
the set to be indexed over all identities in $I = I_L \cup I_R$ by inserting zero 
matrices for identities in $I \setminus I_L$. The analogous expansion process is applied 
to $\mathbf{U}_R := \{\mathbf{U}_R^{\mathrm{id}}\}_{\mathrm{id} \in I_R}$, $\mathbf{Z}_L := \{\mathbf{Z}_L^{\mathrm{id}}\}_{\mathrm{id} \in I_L}$ and $\mathbf{Z}_R := \{\mathbf{Z}_R^{\mathrm{id}}\}_{\mathrm{id} \in I_R}$, denoting the 
expanded sets $\{\hat{\mathbf{U}}_R^{\mathrm{id}}\}_{\mathrm{id} \in I}$, $\{\hat{\mathbf{Z}}_L^{\mathrm{id}}\}_{\mathrm{id} \in I}$ and $\{\hat{\mathbf{Z}}_R^{\mathrm{id}}\}_{\mathrm{id} \in I}$ respectively. 

Next, depending on whether $g$ is an addition or multiplication gate one 
proceeds as follows. 

Addition gate. If $g$ is additive, compute $m = m_L + m_R$, $z = z_L + z_R$, 
$\mathbf{U} = \{\mathbf{U}_{\mathrm{id}}\}_{\mathrm{id} \in I} := \{\hat{\mathbf{U}}_L^{\mathrm{id}} + \hat{\mathbf{U}}_R^{\mathrm{id}}\}_{\mathrm{id} \in I}$, and $\mathbf{Z} = \{\mathbf{Z}_{\mathrm{id}}\}_{\mathrm{id} \in I} := \{\hat{\mathbf{Z}}_L^{\mathrm{id}} + \hat{\mathbf{Z}}_R^{\mathrm{id}}\}_{\mathrm{id} \in I}$. 

If we refer to $\beta_L$ and $\beta_R$ as $\|\mathbf{U}_L\|_\infty := \max\{\|\mathbf{U}_L^{\mathrm{id}}\|_\infty : \mathrm{id} \in I_L\}$ and 
$\|\mathbf{U}_R\|_\infty := \max\{\|\mathbf{U}_R^{\mathrm{id}}\|_\infty : \mathrm{id} \in I_R\}$ respectively, then for any fan-in-2 addition gate it 
holds $\beta := \|\mathbf{U}\|_\infty = \beta_L + \beta_R$. The same noise growth applies to $\mathbf{Z}$. 

Multiplication gate. If $g$ is multiplicative, compute $m = m_L \cdot m_R$, $z = z_L + z_R$, 
define $\mathbf{V}_L = \sum_{\mathrm{id} \in I_L} \mathbf{A}_{\mathrm{id}} \mathbf{U}_L^{\mathrm{id}} + m_L \mathbf{G}$, set 

$$\mathbf{U} = \{\mathbf{U}_{\mathrm{id}}\}_{\mathrm{id} \in I} := \{ m_R \hat{\mathbf{U}}_L^{\mathrm{id}} + \hat{\mathbf{U}}_R^{\mathrm{id}} \cdot \mathbf{G}^{-1}(\mathbf{V}_L) \}_{\mathrm{id} \in I},$$

and $\mathbf{Z} = \{\mathbf{Z}_{\mathrm{id}}\}_{\mathrm{id} \in I} := \{\hat{\mathbf{Z}}_L^{\mathrm{id}} + \hat{\mathbf{Z}}_R^{\mathrm{id}}\}_{\mathrm{id} \in I}$. 

Letting $\beta_L$ and $\beta_R$ be as defined before, then for any fan-in-2 multiplication gate 
it holds $\beta := \|\mathbf{U}\|_\infty = |m_R| \beta_L + m \beta_R$, while the noise growth of $\mathbf{Z}$ is the same 
as in the addition gate. 

Multiplication by constant gate. Let $g$ be a unary gate representing a multiplication by a constant $a \in \mathbb{Z}_q$, and let its single input signature

^8 We point out that considering $f$ as an arithmetic circuit over $\mathbb{Z}_q$ is enough to describe any boolean circuit consisting of NAND gates, as $\mathrm{NAND}(m_1, m_2) = 1 - m_1 \cdot m_2$ holds for $m_1, m_2 \in \{0, 1\}$.


516 


D. Fiore et al. 


be $\sigma_R := (m_R, z_R, I_R, U_R, Z_R)$. The output $\sigma := (m, z, I, U, Z)$ is obtained by setting $m = a \cdot m_R \in \mathbb{Z}_q$, $z = z_R$, $I = I_R$, $Z = Z_R$, and $U = \{U^{id}\}_{id \in I}$ where, for all $id \in I$, $U^{id} = a \cdot U_R^{id}$ or, alternatively, $U^{id} = U_R^{id} \cdot G^{-1}(a \cdot G)$. In the first case the noise parameter becomes $\beta := \|U\|_\infty = |a|\,\beta_R$ (thus $a$ needs to be small), whereas in the second case it holds $\beta := \|U\|_\infty \le m\,\beta_R$, which is independent of the size of $a$.

$\mathsf{Ver}(\mathcal{P}, \{vk_{id}\}_{id \in \mathcal{P}}, m, \sigma)$. The verification algorithm takes as input a labeled program $\mathcal{P} = (f, \ell_1, \ldots, \ell_n)$, the set of verification keys $\{vk_{id}\}_{id \in \mathcal{P}}$ of the users involved in $\mathcal{P}$, a message $m$ and a signature $\sigma = (m, z, I, U, Z)$. It performs three main checks and outputs 0 if at least one check fails; otherwise it returns 1.

Firstly, it checks that the list of identities declared in $\sigma$ corresponds to the ones in the labels of $\mathcal{P}$:

$$I = \{id : id \in \mathcal{P}\} \tag{1}$$

Secondly, from the circuit $f$ (again seen as an arithmetic circuit) and the matrices $V_{id,\tau}$ contained in the verification keys, it computes two values $V^*$ and $V^+$ proceeding gate by gate as follows. Given as left and right input matrices $V^*_L, V^*_R$ (resp. $V^+_L, V^+_R$), at every addition gate one computes $V^* = V^*_L + V^*_R$ (resp. $V^+ = V^+_L + V^+_R$); at every multiplication gate one computes $V^* = V^*_R \cdot G^{-1}(V^*_L)$ (resp. $V^+ = V^+_L + V^+_R$). Every gate representing a multiplication by a constant $a \in \mathbb{Z}_q$, on input $V^*_R$ (resp. $V^+_R$), outputs $V^* = a \cdot V^*_R$ (resp. $V^+ = V^+_R$); if the signer uses the alternative $U^{id} = U_R^{id} \cdot G^{-1}(a \cdot G)$, the verifier must mirror it and compute $V^* = V^*_R \cdot G^{-1}(a \cdot G)$ instead, since $X \cdot G^{-1}(a \cdot G) = a \cdot X$ does not hold for a general matrix $X$. Note that the computation of $V^+$ is essentially the computation of a linear function $V^+ = \sum_{i=1}^{n} \gamma_i \cdot V_{\ell_i}$, for some coefficients $\gamma_i$ that depend on the structure of the circuit $f$.

Thirdly, the verification algorithm parses $U = \{U_{id}\}_{id \in I}$ and $Z = \{Z_{id}\}_{id \in I}$ and checks:

$$\|U\|_\infty \le \beta_{\max} \quad \text{and} \quad \|Z\|_\infty \le \beta_{\max} \tag{2}$$

$$\sum_{id \in I} A_{id} U_{id} + m \cdot G = V^* \tag{3}$$

$$\sum_{id \in I} A_{id} Z_{id} + z \cdot G = V^+ \tag{4}$$

Finally, it is worth noting that the matrices $V^*$ and $V^+$ can be precomputed (i.e., computed offline), prior to seeing the actual signature $\sigma$. In the multiple-dataset extension of Sect. 4.3 this precomputation becomes particularly beneficial, as the same $V^*, V^+$ can be re-used every time one wants to verify for the same labeled program $\mathcal{P}$ (i.e., one can verify faster, in an amortized sense, than by running $f$).
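As an added illustration (this is not code from the paper), the following Python script instantiates the gate evaluation and the verifier described above with toy parameters $n = 2$, $k = 8$, $q = 251$, $m = nk = 16$ and an arbitrary $\beta_{\max}$; all of these values are the example's own choices. Fresh signatures are produced the way phase (3') of the security proof below simulates them (pick a small $U$, then define $V := A \cdot U + m \cdot G$), because trapdoor sampling is outside the scope of this section. The constant gate uses the second variant $U_R^{id} \cdot G^{-1}(a \cdot G)$, and the verifier mirrors it. The circuit encoding, user names and messages are constructed for the demo.

```python
import random

N, K = 2, 8                 # lattice dimension n and bit length k (toy values, assumption)
Q = 251                     # prime modulus q < 2**K (assumption)
M = N * K                   # m = n*k: number of columns of A_id and of the gadget G
BETA_MAX = 10**4            # noise bound beta_max for these toy parameters (assumption)

def red(R, mod):            # reduce mod q when asked; U and Z stay over the integers
    return [[v % mod for v in row] for row in R] if mod else R
def madd(X, Y, mod=None):
    return red([[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)], mod)
def mscale(a, X, mod=None):
    return red([[a * x for x in row] for row in X], mod)
def mmul(X, Y, mod=None):
    return red([[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X], mod)
def inf_norm(mats):
    return max(abs(v) for X in mats for row in X for v in row)

# Gadget matrix G = I_n (x) (1, 2, ..., 2^(k-1)) in Z_q^{n x m}.
G = [[(1 << (c - r * K)) if r * K <= c < (r + 1) * K else 0 for c in range(M)] for r in range(N)]

def g_inv(V):
    """Bit decomposition G^{-1}(V) in {0,1}^{m x c}: G * g_inv(V) == V (mod q)."""
    return [[((V[r // K][c] % Q) >> (r % K)) & 1 for c in range(len(V[0]))] for r in range(M)]

def simulated_sign(ident, A, msg):
    """Fresh signature as in phase (3') of the proof: small U first, then V := A*U + m*G (the real
    Sign obtains U with a trapdoor for A_id). Returns V_{id,tau} and (m, z=m, I={id}, U, Z=U)."""
    U = [[random.choice((-1, 0, 1)) for _ in range(M)] for _ in range(M)]
    V = madd(mmul(A, U, Q), mscale(msg, G, Q), Q)
    return V, {"m": msg % Q, "z": msg % Q, "I": {ident}, "U": {ident: U}, "Z": {ident: U}}

def v_of(sig, keys):         # sum_{id in I} A_id*U_id + m*G (mod q): equals V* for a valid signature
    V = mscale(sig["m"], G, Q)
    for i in sig["I"]:
        V = madd(V, mmul(keys[i], sig["U"][i], Q), Q)
    return V

def gate2(kind, sl, sr, keys):
    """Fan-in-2 add/mul gate: expand both inputs over I = I_L u I_R (zero matrices for missing
    identities), then combine per identity."""
    I = sl["I"] | sr["I"]
    UL, UR, ZL, ZR = ({i: s[k].get(i, [[0] * M for _ in range(M)]) for i in I}
                      for s, k in ((sl, "U"), (sr, "U"), (sl, "Z"), (sr, "Z")))
    if kind == "add":
        m, U = (sl["m"] + sr["m"]) % Q, {i: madd(UL[i], UR[i]) for i in I}
    else:   # U_id = m_R*U'_L + U'_R*G^{-1}(V_L); G^{-1}(V_L) is binary, so noise <= |m_R|*bL + m*bR
        GinvVL = g_inv(v_of(sl, keys))
        m, U = (sl["m"] * sr["m"]) % Q, {i: madd(mscale(sr["m"], UL[i]), mmul(UR[i], GinvVL)) for i in I}
    return {"m": m, "z": (sl["z"] + sr["z"]) % Q, "I": I, "U": U, "Z": {i: madd(ZL[i], ZR[i]) for i in I}}

def gate_cst(a, s):
    """Constant gate, second variant U_id*G^{-1}(a*G): noise <= m*beta regardless of |a|."""
    GinvaG = g_inv(mscale(a, G, Q))
    return {"m": (a * s["m"]) % Q, "z": s["z"], "I": set(s["I"]),
            "U": {i: mmul(s["U"][i], GinvaG) for i in s["I"]}, "Z": dict(s["Z"])}

def run(node, leaf, add, mul, cst):
    """Walk a circuit given as nested tuples ('in', k), ('add', l, r), ('mul', l, r), ('cst', a, x)."""
    if node[0] == "in":
        return leaf(node[1])
    if node[0] == "cst":
        return cst(node[1], run(node[2], leaf, add, mul, cst))
    l, r = run(node[1], leaf, add, mul, cst), run(node[2], leaf, add, mul, cst)
    return add(l, r) if node[0] == "add" else mul(l, r)

def evaluate(circuit, sigs, keys):   # Eval over signatures; keys = {id: A_id} is needed for V_L
    return run(circuit, lambda k: sigs[k], lambda l, r: gate2("add", l, r, keys),
               lambda l, r: gate2("mul", l, r, keys), gate_cst)

def verify(circuit, labels, keys, msg, sig):
    """Ver: labels = [(id, V_{id,tau}), ...] in input order; True iff checks (1)-(4) all hold."""
    Vs = [V for _, V in labels]
    Vstar = run(circuit, lambda k: Vs[k], lambda L, R: madd(L, R, Q),
                lambda L, R: mmul(R, g_inv(L), Q),                   # V* = V*_R * G^{-1}(V*_L)
                lambda a, X: mmul(X, g_inv(mscale(a, G, Q)), Q))     # mirrors gate_cst's variant
    Vplus = run(circuit, lambda k: Vs[k], lambda L, R: madd(L, R, Q),
                lambda L, R: madd(L, R, Q), lambda a, X: X)          # V+ is linear in the inputs
    if sig["I"] != {i for i, _ in labels}:                                           # (1)
        return False
    if inf_norm([*sig["U"].values(), *sig["Z"].values()]) > BETA_MAX:                # (2)
        return False
    if sig["m"] != msg % Q or v_of(sig, keys) != Vstar:                             # (3)
        return False
    lhs = mscale(sig["z"], G, Q)
    for i in sig["I"]:
        lhs = madd(lhs, mmul(keys[i], sig["Z"][i], Q), Q)
    return lhs == Vplus                                                              # (4)

def demo():   # constructed run: labels (alice,t1), (bob,t1), (alice,t2); f = 3*(x1*x2) + x3
    random.seed(7)
    keys = {i: [[random.randrange(Q) for _ in range(M)] for _ in range(N)] for i in ("alice", "bob")}
    V1, s1 = simulated_sign("alice", keys["alice"], 1)
    V2, s2 = simulated_sign("bob", keys["bob"], 1)
    V3, s3 = simulated_sign("alice", keys["alice"], 2)
    f = ("add", ("cst", 3, ("mul", ("in", 0), ("in", 1))), ("in", 2))
    labels = [("alice", V1), ("bob", V2), ("alice", V3)]
    sig = evaluate(f, [s1, s2, s3], keys)
    ok = verify(f, labels, keys, 5, sig)               # 3*1*1 + 2 = 5
    bad = verify(f, labels, keys, 6, dict(sig, m=6))   # claimed output 6 with the same U: (3) fails
    return ok, bad, sig["z"], inf_norm(sig["U"].values())
```

`demo()` returns `(True, False, 4, noise)`: the honest output verifies, the same $U, Z$ presented with a wrong message fail check (3), $z$ is the sum of the three input messages $1 + 1 + 2$ as expected from the linear $V^+$ path, and the reported noise stays far below $\beta_{\max}$ for this depth. Note that `verify` recomputes $V^*$ and $V^+$ from the public $V_{id,\tau}$ only, so both could be cached per program as the text suggests.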

In the following paragraphs we analyse the succinctness and the security of the proposed construction; for correctness we only give an intuition and refer the interested reader to the full version of this paper [22].

Noise Growth and Succinctness. First we analyse the noise growth of the components $U, Z$ in the signatures of our MKHSig construction. In particular we need to show that, starting from "fresh" signatures in which the noise is bounded by $\beta_{init}$ and applying an admissible circuit, one ends up with signatures in which the noise is within the allowed amount $\beta_{\max}$.

An analysis similar to the one of Gorbunov et al. [30] applies to our construction whenever the admissible functions are boolean circuits of depth $d$ composed only of NAND gates.

Let us first consider the $U$ component of the signatures. At every NAND gate, if $\|U_L\|_\infty, \|U_R\|_\infty \le \beta$, the noise of the resulting $U$ is at most $(m+1)\beta$ (the multiplication contributes at most $|m_R|\beta + m\beta \le (m+1)\beta$ since $m_R \in \{0,1\}$). Therefore, if the circuit has depth $d$, the noise of the matrix $U$ at the end of the evaluation is bounded by $\|U\|_\infty \le \beta_{init} \cdot (m+1)^d \le 2^{O(\log \lambda) \cdot d} \le \beta_{\max}$. As for the computation performed over the matrices $Z$, we observe that we perform only additions (or identity functions) over them. This means that at every gate of any $f$ the noise in the $Z$ component at most doubles. Since we consider depth-$d$ circuits, we have $\|Z\|_\infty \le \beta_{init} \cdot 2^d \le 2^{O(\log \lambda) + d} \le \beta_{\max}$. Finally, by inspection one can see that the size of every signature $\sigma$ on the output of a computation involving $n$ users is at most $(1 + 2^d + n\lambda + 2n\beta_{\max})$, that is $O(n \cdot p(\lambda))$ for some fixed polynomial $p(\cdot)$.

Authentication Correctness. This is rather simple and follows from the noise growth property mentioned above and by observing that, for a fresh signature on a label $\ell = (id, \tau)$, the equation $A_{id} U_{id} + m G = V_{\ell} = V^*$ holds by construction.

Evaluation Correctness. Evaluation correctness follows from two main facts: the noise growth mentioned earlier, and the preservation of the invariant $\sum_{id \in I} A_{id} U_{id} + m G = V^*$. At every gate, it is easy to see that the expansion of $U$ still preserves the invariant for both the left and the right input. For additive gates, assuming validity of the inputs, i.e., $V_L = \sum_{id \in I_L} A_{id} U_L^{id} + m_L G$ (and similarly $V_R$), and by construction of $U_{id} = U'^{\,id}_L + U'^{\,id}_R$, one obtains $\sum_{id \in I_L \cup I_R} A_{id} U_{id} + (m_L + m_R) G = V_L + V_R = V^*$. For multiplicative gates, by construction of every $U_{id}$ we obtain

$$\sum_{id \in I} A_{id} U_{id} + m G := \sum_{id \in I} A_{id}\big(m_R\, U'^{\,id}_L + U'^{\,id}_R\, G^{-1}(V_L)\big) + (m_L m_R)\, G.$$

Grouping by $m_R$ and applying the definition of $V_L$, the right-hand side can be rewritten as $m_R V_L + \big(\sum_{id \in I} A_{id} U'^{\,id}_R\big) G^{-1}(V_L)$. If we now write $m_R V_L$ as $m_R G\, G^{-1}(V_L)$ and group by $G^{-1}(V_L)$, we get

$$\Big[\Big(\sum_{id \in I_R} A_{id} U_R^{id}\Big) + m_R G\Big]\, G^{-1}(V_L) = V_R\, G^{-1}(V_L) = V^*,$$

where the last equalities follow from the definitions of $V_R$ and $V^*$. Correctness of the computations over the matrices $Z$ is quite analogous.


Security. The following theorem states the security of the scheme MKHSig.

Theorem 1. If the $\mathrm{SIS}(n, m \cdot Q_{id}, q, \beta_{SIS})$ hardness assumption holds, $\mathsf{MKHSig} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Eval}, \mathsf{Ver})$ is a multi-key homomorphic signature weakly-adaptive secure against adversaries that make signing queries involving at most $Q_{id}$ different identities and that make non-adaptive corruption queries.

Proof. Note that we can deal with corruptions via our generic result of Proposition 1. Therefore it is sufficient to prove security against adversaries that make no corruptions. Moreover, since this scheme works for a single dataset, note that Type 1 forgeries cannot occur.

For the proof let us recall how the weakly-adaptive security experiment (Definition 6) works for our multi-key homomorphic signature scheme MKHSig. This is a game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ that has four main phases:

(1) $\mathcal{A}$ declares an integer $Q$ representing the number of different identities that it will ask for in the signing queries. Moreover, for every $i \in [Q]$, $\mathcal{A}$ sends to $\mathcal{C}$ a set $\mathcal{T}_i \subseteq \mathcal{T} := \{\tau_1, \ldots, \tau_T\}$ and a set of pairs $\{(m_\tau, \tau)\}_{\tau \in \mathcal{T}_i}$.

(2) $\mathcal{C}$ runs $\mathsf{Setup}(1^\lambda)$ to obtain the public parameters and sends them to $\mathcal{A}$.

(3) $\mathcal{A}$ adaptively queries identities $id_1, \ldots, id_Q$. When $\mathcal{C}$ receives the query $id_i$ it generates a key triple $(sk_{id_i}, ek_{id_i}, vk_{id_i})$ by running $\mathsf{KeyGen}(pp)$, and for all labels $\ell = (id_i, \tau)$ such that $\tau \in \mathcal{T}_i$ it runs $\sigma_\ell \leftarrow \mathsf{Sign}(sk_{id_i}, m_\tau)$. Then $\mathcal{C}$ sends to $\mathcal{A}$ the public keys $vk_{id_i} := (A_{id_i}, \{V_{id_i,\tau}\}_{\tau \in \mathcal{T}})$ and $ek_{id_i} := (A_{id_i})$, and the signatures $\{\sigma_\ell\}_{\tau \in \mathcal{T}_i}$.

(4) The adversary produces a forgery consisting of a labeled program $\mathcal{P}^* = (f^*, \ell^*_1, \ldots, \ell^*_t)$ where $f^* \in \mathcal{F}$, $f^* : \mathcal{M}^t \to \mathcal{M}$, a message $m^*$ and a signature $\sigma^*$.

$\mathcal{A}$ wins the game if $\mathsf{Ver}(\mathcal{P}^*, \{vk_{id}\}_{id \in \mathcal{P}^*}, m^*, \sigma^*) = 1$ and one of the following conditions holds:

Type 2 Forgery: there exist messages $m_{\ell^*_1}, \ldots, m_{\ell^*_t}$ s.t. $m^* \ne f^*(m_{\ell^*_1}, \ldots, m_{\ell^*_t})$ (i.e., $m^*$ is not the correct output of $\mathcal{P}^*$ when executed over previously signed messages).

Type 3 Forgery: there exists at least one label $\ell^* = (id^*, \tau^*)$ that was not queried by $\mathcal{A}$.

Consider a variation of the above game obtained by modifying phase (3) as follows:

(3') $\mathcal{C}$ picks an instance $A \in \mathbb{Z}_q^{n \times m'}$ of the $\mathrm{SIS}(n, m', q, \beta_{SIS})$ problem for $m' = m \cdot Q = \mathrm{poly}(\lambda)$, and parses $A := (A_{id_1} \,|\, \ldots \,|\, A_{id_Q}) \in \mathbb{Z}_q^{n \times m'}$ as the concatenation of $Q$ different blocks of $n \times m$ matrices.

Next, when $\mathcal{C}$ receives the $i$-th query $id_i$ from $\mathcal{A}$, it does the following:

- for every $\tau \in \mathcal{T}$ it samples a matrix $U_{id_i,\tau}$ such that $\|U_{id_i,\tau}\|_\infty \le \beta_{init}$;
- for all $\ell := (id_i, \tau)$ with $\tau \in \mathcal{T}_i$, $\mathcal{C}$ computes $V_{id_i,\tau} = A_{id_i} U_{id_i,\tau} + m_\tau \cdot G$;
- for all $\ell := (id_i, \tau)$ with $\tau \notin \mathcal{T}_i$, $\mathcal{C}$ computes $V_{id_i,\tau} = A_{id_i} U_{id_i,\tau} + b_{i,\tau} \cdot G$, where $b_{i,\tau} \leftarrow \{0,1\}$ is a random bit;
- $\mathcal{C}$ sends to $\mathcal{A}$ the public keys $vk_{id_i} := (A_{id_i}, \{V_{id_i,\tau}\}_{\tau \in \mathcal{T}})$ and $ek_{id_i} := (A_{id_i})$, along with the signatures $\{\sigma_\ell\}_{\tau \in \mathcal{T}_i}$ where $\sigma_\ell := (m_\tau, m_\tau, I := \{id_i\}, U_{id_i,\tau}, U_{id_i,\tau})$.

Clearly, if $A$ is a uniformly random matrix, so is each block $\{A_{id_i}\}_{i \in [Q]}$.

Due to point (2) of Lemma 2, since $(A_{id_i} U_{id_i,\tau})$ is statistically indistinguishable from a random matrix, all the matrices generated in (3') are statistically close to the ones generated in (3). Thus, the two games are statistically indistinguishable. At this point we show that for every PPT adversary $\mathcal{A}$ which produces a forgery in the modified game we can construct a PPT algorithm $\mathcal{B}$ that solves the $\mathrm{SIS}(n, m \cdot Q, q, \beta_{SIS})$ problem. $\mathcal{B}$ receives an SIS instance $A := (A_{id_1} \,|\, \cdots \,|\, A_{id_Q}) \in \mathbb{Z}_q^{n \times mQ}$ and simulates the modified game to $\mathcal{A}$ by acting exactly as the challenger $\mathcal{C}$ described above. Then, once $\mathcal{A}$ outputs its forgery, $\mathcal{B}$ proceeds as described below according to the forgery's type.

Type 2 Forgeries. Let $(\mathcal{P}^* := (f^*, \ell^*_1, \ldots, \ell^*_t),\ m^*,\ \sigma^* := (m^*, z^*, I^*, U^*, Z^*))$ be a Type 2 forgery produced by $\mathcal{A}$ in the modified game. Moreover, let $\sigma = (m, z, I, U, Z)$ be the signature obtained by honestly applying $\mathsf{Eval}$ to the signatures corresponding to the labels that were given to $\mathcal{A}$. Parse $U := \{U_{id}\}_{id \in I}$ and notice that by the correctness of the scheme we have $m = f^*(m_{\ell^*_1}, \ldots, m_{\ell^*_t})$, $I = \{id : id \in \mathcal{P}^*\}$, and $\sum_{id \in I} A_{id} U_{id} + m \cdot G = V^*$. Moreover, by definition of Type 2 forgery recall that $m^* \ne f^*(m_{\ell^*_1}, \ldots, m_{\ell^*_t})$ and that the tuple satisfies verification. In particular, satisfaction of check (1) implies that $I = I^*$, while check (3) means $\sum_{id \in I^*} A_{id} U^*_{id} + m^* \cdot G = V^*$. Combining the two equations above we obtain $\sum_{id \in I} A_{id} \tilde{U}_{id} = \tilde{m} \cdot G$, where $\tilde{m} = m - m^* \ne 0$ and, for all $id \in I$, $\tilde{U}_{id} = U^*_{id} - U_{id}$ with $\|\tilde{U}_{id}\|_\infty \le 2\beta_{\max}$. Notice that there must exist at least one $id \in I$ for which $\tilde{U}_{id} \ne 0$.

Moreover, for all $id \in \{id_1, \ldots, id_Q\} \setminus I$, define $\tilde{U}_{id} = 0$ and set

$$\tilde{U} = \begin{pmatrix} \tilde{U}_{id_1} \\ \vdots \\ \tilde{U}_{id_Q} \end{pmatrix} \in \mathbb{Z}^{mQ \times m}.$$

Then we have $A \tilde{U} = \tilde{m} \cdot G$.

Next $\mathcal{B}$ samples $r \leftarrow \{0,1\}^{mQ}$, sets $s = A r \in \mathbb{Z}_q^n$, and computes $r' = G^{-1}(\tilde{m}^{-1} \cdot s)$, so that $r' \in \{0,1\}^m$ and $\tilde{m} \cdot G r' = s$. Finally, $\mathcal{B}$ outputs $u = \tilde{U} r' - r \in \mathbb{Z}^{mQ}$. We conclude the proof by claiming that the vector $u$ returned by $\mathcal{B}$ is a solution of the SIS problem for the matrix $A$. To see this observe that

$$A(\tilde{U} r' - r) = (A \tilde{U})\, r' - A r = \tilde{m} \cdot G \cdot G^{-1}(\tilde{m}^{-1} \cdot s) - s = 0,$$

and $\|u\|_\infty \le (2m + 1)\beta_{\max} \le \beta_{SIS}$.

It remains to show that $u \ne 0$. We show that this is the case (i.e., $\tilde{U} r' \ne r$) with overwhelming probability by using an entropy argument (the same argument used in [30]). In particular, this holds for any (worst case) choice of $A, \tilde{U}, \tilde{m}$, and only based on the random choice of $r \leftarrow \{0,1\}^{mQ}$. The intuition is that, even if $r' = G^{-1}(s\,\tilde{m}^{-1})$ depends on $s = A r$, $s$ is too small to reveal much information about the random $r$. More precisely, we have $H_\infty(r \mid r') \ge H_\infty(r \mid A r)$ because $r'$ is chosen deterministically based on $s = A r$. Due to Lemma 1, we have $H_\infty(r \mid A r) \ge H_\infty(r) - \log(|\mathcal{S}|)$, where $\mathcal{S}$ is the space of all possible $s$. Since $s \in \mathbb{Z}_q^n$, $|\mathcal{S}| = q^n$, and then $\log(|\mathcal{S}|) = \log(q^n) = n \log q$. Regarding $H_\infty(r)$, since $H_\infty(X) := -\log(\max_x \Pr[X = x])$, we have $H_\infty(r) = -\log(2^{-mQ}) = mQ \ge m$. Then, $H_\infty(r \mid r') \ge H_\infty(r) - \log(|\mathcal{S}|) \ge m - n \log q = \omega(\log \lambda)$. Since we know that for random variables $X, Y$ the optimal probability of an unbounded adversary guessing $X$ given the correlated value $Y$ is $2^{-H_\infty(X \mid Y)}$, we get $\Pr[r = \tilde{U} r'] \le 2^{-H_\infty(r \mid r')} \le 2^{-\omega(\log \lambda)} = \mathrm{negl}(\lambda)$.

Type 3 Forgery. Let $(\mathcal{P}^* := (f^*, \ell^*_1, \ldots, \ell^*_t),\ m^*,\ \sigma^* := (m^*, z^*, I^*, U^*, Z^*))$ be a Type 3 forgery produced by $\mathcal{A}$ in the modified game such that there exists (at least) one label $\ell^* = (id^*, \tau^*)$ with $id^* = id_i$ but $\tau^* \notin \mathcal{T}_i$.^9 Actually, without loss of generality we can assume that there is exactly one such label; if this is not the case, one could redefine another adversary that makes more queries until it misses only this one. Note that for such a tag $\tau^* \notin \mathcal{T}_i$, $\mathcal{B}$ simulated $V_{id_i,\tau^*} = A_{id_i} U_{id_i,\tau^*} + b_{i,\tau^*} G$ for a randomly chosen bit $b_{i,\tau^*} \leftarrow \{0,1\}$ that is perfectly hidden from $\mathcal{A}$.

By definition of Type 3 forgery, the tuple passes verification, and in particular check (4): $\sum_{id \in I^*} A_{id} Z^*_{id} + z^* \cdot G = V^+ = \sum_{i=1}^{t} \gamma_i \cdot V_{\ell^*_i}$, where the right-hand side holds by construction of the verification algorithm. Moreover, let $\sigma = (m, z, I, U, Z)$ be the signature obtained by honestly applying $\mathsf{Eval}$ to the signatures corresponding to the labels $\ell^*_1, \ldots, \ell^*_t$; in particular, for the specific missing label $\ell^*$, $\mathcal{B}$ uses the values $U_{id_i,\tau^*}, b_{i,\tau^*}$ used to simulate $V_{id_i,\tau^*}$. Parsing $Z := \{Z_{id}\}_{id \in I}$, notice that by correctness it holds $I = \{id : id \in \mathcal{P}^*\}$ and $\sum_{id \in I} A_{id} Z_{id} + z \cdot G = V^+$, where $z = \sum_{i=1}^{t} \gamma_i \cdot m_{\ell^*_i}$ and the message used for the missing label is $b_{i,\tau^*}$. Now, the observation is that every $\gamma_i \le 2^d < q$, i.e., $\gamma_i \ne 0 \bmod q$. Since $b_{i,\tau^*}$ is random and perfectly hidden from $\mathcal{A}$, the two possible values of $b_{i,\tau^*}$ give two distinct values of $z$, so with probability at least $1/2$ it holds $z \ne z^*$.

Thus, if $z \ne z^*$, $\mathcal{B}$ combines the equalities on $V^+$ to come up with an equation $\sum_{id \in I} A_{id} \tilde{Z}_{id} = \tilde{z} \cdot G$ where $\tilde{z} = z - z^* \ne 0 \bmod q$ and, for all $id \in I$, $\tilde{Z}_{id} = Z^*_{id} - Z_{id}$ with $\|\tilde{Z}_{id}\|_\infty \le 2\beta_{\max}$.

Finally, using the same technique as in the case of Type 2 forgeries, $\mathcal{B}$ can compute a vector $u$ that is a solution of SIS with overwhelming probability, i.e., $A u = 0$. Therefore, we have proven that if an adversary $\mathcal{A}$ can break the MKHSig scheme with non-negligible probability, then $\mathcal{B}$ can use such an $\mathcal{A}$ to break the SIS assumption for $A$ with non-negligible probability as well.


A Variant with Unbounded Tag Space in the Random Oracle Model.

In this section, we show that the construction of multi-key homomorphic signatures of Sect. 4.2 can be easily modified in order to have short public keys and to support an unbounded tag space $\mathcal{T} = \{0,1\}^*$. Note that once arbitrary tags are allowed, the scheme also handles multiple datasets for free. In fact, one can always extend tags to include the dataset name, i.e., simply redefine each tag $\tau$ as consisting of two substrings $\tau = (\Delta, \tau')$ where $\Delta$ is the dataset name and $\tau'$ the actual tag. The idea of modifying the scheme to support an unbounded tag space is simple and was also suggested in [30] for their construction. Instead

^9 It is easy to see that the case in which $id^*$ is new would imply the generation of a new $A_{id^*}$, which would make the verification equations hold with negligible probability (over the random choice of $A_{id^*}$).
of sampling matrices $\{V_{id,1}, \ldots, V_{id,T}\}$ in $\mathsf{KeyGen}$, one can just choose a random string $r_{id} \leftarrow \{0,1\}^\lambda$ and define every $V_{id,\tau} := H(r_{id}, \tau)$ where $H : \{0,1\}^* \to \mathcal{V}$ is a hash function chosen in $\mathsf{Setup}$ (modeled as a random oracle in the proof). In all the remaining algorithms, every time one needs $V_{id,\tau}$, it is obtained using $H$.

For this modified scheme, we also give an idea of how the security proof of Theorem 1 has to be modified to account for these changes. The main change is the simulation of hash queries, which is done as follows.

Before phase (1), where $\mathcal{A}$ declares its queries, $\mathcal{B}$ simply answers every query $H(r, \tau)$ with a randomly chosen $V \leftarrow \mathcal{V}$. Afterwards, once $\mathcal{A}$ has declared all its queries, $\mathcal{B}$ chooses $r_{id_1}, \ldots, r_{id_Q} \leftarrow \{0,1\}^\lambda$ and programs the random oracle so that, for all $\tau \in \mathcal{T}_i$, $H(r_{id_i}, \tau) = V_{id_i,\tau}$ where $V_{id_i,\tau}$ is the same matrix generated in phase (3') of the modified game. On the other hand, for all $\tau \notin \mathcal{T}_i$, $H(r_{id_i}, \tau) = V_{id_i,\tau}$ where $V_{id_i,\tau} = A_{id_i} U_{id_i,\tau} + b_{i,\tau} G$ for a randomly chosen $U_{id_i,\tau} \leftarrow \mathcal{U}$. All other queries $H(r, \tau)$ with $r \ne r_{id_i}$ for all $i \in [Q]$ are answered with a random $V \leftarrow \mathcal{V}$. With this simulation, it is not hard to see that from $\mathcal{A}$'s forgery $\mathcal{B}$ can extract a solution for SIS (except for the negligible probability that $\mathcal{A}$ guesses one of the $r_{id_i}$ before seeing it).

4.3 From a Single Dataset to Multiple Datasets

In this section, we present a generic transformation to convert a single-dataset MKHSig scheme into a scheme that supports multiple datasets. The intuition behind this transformation is similar to the one employed in [30] and implicitly used in [13, 16], except that here we have to use additional techniques to deal with the multi-key setting. We combine a standard (non-homomorphic) signature scheme NH.Sig with a single-dataset multi-key homomorphic signature scheme MKHSig'. The idea is that for every new dataset $\Delta$, every user generates fresh keys of the multi-key homomorphic scheme MKHSig' and then uses the standard signature scheme NH.Sig to sign the dataset identifier $\Delta$ together with the generated public key. More precisely, in our transformation we assume to start with (single-dataset) multi-key homomorphic signature schemes in which the key generation algorithm can be split into two independent algorithms: $\mathsf{KeyGen}_1$, which outputs some public parameters related to the identity $id$, and $\mathsf{KeyGen}_2$, which outputs the actual keys. Differently from [30], in our scheme the signer does not need to sign the whole dataset at once, nor has to fix a bound $N$ on the dataset size (unless such a bound is already contained in MKHSig').

In more detail, let $\mathsf{NH.Sig} = (\mathsf{NH.KeyGen}, \mathsf{NH.Sign}, \mathsf{NH.Ver})$ be a standard (non-homomorphic) signature scheme, and let $\mathsf{MKHSig'} = (\mathsf{Setup'}, \mathsf{KeyGen'}, \mathsf{Sign'}, \mathsf{Eval'}, \mathsf{Ver'})$ be a single-dataset multi-key homomorphic signature scheme. We construct a multi-dataset multi-key homomorphic signature scheme $\mathsf{MKHSig} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Eval}, \mathsf{Ver})$ as follows.

$\mathsf{Setup}(1^\lambda)$. The setup algorithm samples the parameters of the single-dataset multi-key homomorphic signature scheme, $pp' \leftarrow \mathsf{Setup'}(1^\lambda)$, together with the description of a PRF $F : \mathcal{K} \times \{0,1\}^* \to \{0,1\}^\rho$, and outputs $pp = (pp', F)$.
$\mathsf{KeyGen}(pp)$. The key generation algorithm runs $\mathsf{NH.KeyGen}$ to get $(pk^{NH}_{id}, sk^{NH}_{id})$, a pair of keys for the standard signature scheme. In addition, it runs $\mathsf{KeyGen}_1$ to generate user-specific public parameters $pp_{id}$, and chooses a seed $K_{id}$ for the PRF $F$. The final output is the triple $(sk_{id}, ek_{id}, vk_{id})$ where $sk_{id} = (sk^{NH}_{id}, K_{id})$, $ek_{id} = (pp_{id})$ and $vk_{id} = (pk^{NH}_{id}, pp_{id})$.

$\mathsf{Sign}(sk_{id}, \Delta, \tau, m)$. The signing algorithm proceeds as follows. First it samples the keys of the single-dataset multi-key homomorphic signature scheme by feeding the randomness $F_{K_{id}}(\Delta)$ to $\mathsf{KeyGen}_2$, i.e., it runs $\mathsf{KeyGen}_2(pp; F_{K_{id}}(\Delta))$ to obtain the keys $(sk^\Delta_{id}, ek^\Delta_{id}, vk^\Delta_{id})$.^10 The algorithm then runs $\sigma' \leftarrow \mathsf{Sign'}(sk^\Delta_{id}, m)$, and uses the non-homomorphic scheme to sign the concatenation of the public key $vk^\Delta_{id}$ and the dataset identifier $\Delta$, i.e., $\sigma^\Delta_{id} \leftarrow \mathsf{NH.Sign}(sk^{NH}_{id}, vk^\Delta_{id} \,|\, \Delta)$. The output is the tuple $\sigma := (I = \{id\}, \sigma', par_\Delta)$ where $par_\Delta = \{(ek^\Delta_{id}, vk^\Delta_{id}, \sigma^\Delta_{id})\}$. Note that the use of the PRF allows every signer (holding the same $K_{id}$) to regenerate the same keys of the scheme MKHSig' for the same dataset $\Delta$.

$\mathsf{Eval}(f, \{(\sigma_i, EKS_i)\}_{i \in [t]})$. For each $i \in [t]$, the algorithm parses every signature as $\sigma_i := (I_i, \sigma'_i, par_{\Delta,i})$ with $par_{\Delta,i} = \{(ek^\Delta_{id}, vk^\Delta_{id}, \sigma^\Delta_{id})\}_{id \in I_i}$, and sets $EKS'_i = \{ek^\Delta_{id}\}_{id \in I_i}$. It computes $\sigma' \leftarrow \mathsf{Eval'}(f, \{(\sigma'_i, EKS'_i)\}_{i \in [t]})$, defines $I = \bigcup_{i=1}^{t} I_i$ and $par_\Delta = \bigcup_{i=1}^{t} par_{\Delta,i}$. The final output is $\sigma = (I, \sigma', par_\Delta)$.

$\mathsf{Ver}(\mathcal{P}, \Delta, \{vk_{id}\}_{id \in \mathcal{P}}, m, \sigma)$. The verification algorithm begins by parsing the verification keys as $vk_{id} := (pk^{NH}_{id}, pp_{id})$ for each $id \in I$, and the signature as $\sigma = (I, \sigma', par_\Delta)$ with $par_\Delta = \{(ek^\Delta_{id}, vk^\Delta_{id}, \sigma^\Delta_{id})\}_{id \in I}$. Then it proceeds in two main steps. First, for each $id \in I$, it verifies the standard signature $\sigma^\Delta_{id}$ on the public key of the single-dataset multi-key homomorphic scheme and the given dataset, i.e., it checks whether $\mathsf{NH.Ver}(pk^{NH}_{id}, vk^\Delta_{id} \,|\, \Delta, \sigma^\Delta_{id}) = 1$ for all $id \in I$. If at least one of these checks fails, the algorithm returns 0; otherwise it proceeds to the second check and returns the output of $\mathsf{Ver'}(\mathcal{P}, \{(pp_{id}, vk^\Delta_{id})\}_{id \in \mathcal{P}}, m, \sigma')$.


Authentication Correctness. Correctness of the scheme essentially follows from the correctness of the regular signature scheme NH.Sig, of the single-dataset multi-key homomorphic scheme MKHSig' and of the PRF $F$.

Evaluation Correctness. Evaluation correctness follows directly from the correctness of the evaluation algorithm $\mathsf{Eval'}$ of the single-dataset scheme MKHSig', the correctness of NH.Sig and of the PRF.

Security. Intuitively, the security of the scheme follows from two main observations. First, no adversary is able to fake the keys of the single-dataset multi-key homomorphic signature scheme, due to the security of the standard signature scheme and the pseudo-randomness of $F$. Secondly, no adversary can tamper with the results of $\mathsf{Eval}$ for a specific dataset, as this would correspond to breaking the security of the single-dataset scheme MKHSig'.


^10 Here we assume that a $\rho$-bit string is sufficient; otherwise it can always be stretched using a PRG.

Theorem 2. If $F$ is a secure pseudo-random function, NH.Sig is an unforgeable signature scheme and MKHSig' is a secure single-dataset multi-key homomorphic signature scheme, then the MKHSig scheme for multiple datasets described in Sect. 4.3 is secure against adversaries that make static corruptions of keys and produce forgeries as in Definition 4.

The full proof of Theorem 2 is given in [22].

5 Our Multi-key Homomorphic MAC from OWFs

In this section, we describe our construction of a multi-key homomorphic authenticator with private verification keys that supports the evaluation of low-degree arithmetic circuits. More precisely, for a computation represented by an arithmetic circuit of degree $d$ and involving inputs from $n$ distinct identities, the final authenticator has size $\binom{n+d}{d}$, which is bounded by $\mathrm{poly}(n)$ (for constant $d$) or by $\mathrm{poly}(d)$ (for constant $n$). Essentially, the authenticators of our scheme grow with the degree of the circuit and the number of distinct users involved in the computation, whereas their size remains independent of the total number of inputs. This property is particularly desirable in contexts that involve a small set of users each of which contributes several inputs.

Although our multi-key homomorphic MAC supports less expressive computations than our homomorphic signatures of Sect. 4, the scheme comes with two main benefits. First, it is based on a simple, general assumption: it relies on pseudo-random functions and thus is secure assuming only the existence of one-way functions (OWF). Second, the scheme is very intuitive and efficient: fresh MACs essentially consist of only two $\mathbb{F}_p$ field elements (where $p$ is a prime of $\lambda$ bits) and an identity identifier; after evaluation, the authenticators consist of $\binom{n+d}{d}$ elements of $\mathbb{F}_p$, and homomorphic operations are simply additions and multiplications in the multivariate polynomial ring $\mathbb{F}_p[X_1, \ldots, X_n]$.

We describe the five algorithms of our scheme MKHMac below. We note that our solution is presented for a single dataset only. However, since it admits labels that are arbitrarily long strings, it is straightforward to extend the scheme to handle multiple datasets: simply redefine each tag $\tau$ as consisting of two substrings $\tau = (\Delta, \tau')$ where $\Delta$ is the dataset name and $\tau'$ the actual tag.

$\mathsf{Setup}(1^\lambda)$. The setup algorithm generates a $\lambda$-bit prime $p$ and lets the message space be $\mathcal{M} := \mathbb{F}_p$. The set of identities is $\mathsf{ID} = [C]$ for some integer bound $C \in \mathbb{N}$, while the tag space consists of arbitrary binary strings, i.e., $\mathcal{T} = \{0,1\}^*$. The set $\mathcal{F}$ of admissible functions is made up of all arithmetic circuits whose degree $d$ is bounded by some polynomial in the security parameter. The setup algorithm outputs the public parameters $pp$, which include the descriptions of $\mathcal{M}, \mathsf{ID}, \mathcal{T}, \mathcal{F}$ as in Sect. 3, as well as the description of a PRF family $F : \mathcal{K} \times \{0,1\}^* \to \mathbb{F}_p$ with seed space $\mathcal{K}$. The public parameters also define the authenticator space. Each authenticator $\sigma$ consists of a pair $(I, y)$ where $I \subseteq \mathsf{ID}$ and $y$ is in the $C$-variate polynomial ring $\mathbb{F}_p[X_1, \ldots, X_C]$. More precisely, if $C$ is set to a very large number (e.g., $C = 2^\lambda$) the polynomials $y$ can still live in some smaller sub-ring of $\mathbb{F}_p[X_1, \ldots, X_C]$.
$\mathsf{KeyGen}(pp)$. The key generation algorithm picks a random $x \leftarrow \mathbb{F}_p$ (with $x \ne 0$, since $\mathsf{Auth}$ divides by it) and a PRF seed $K \leftarrow \mathcal{K}$, and outputs $(sk, ek, vk)$ where $sk = vk = (x, K)$ and $ek$ is void.

$\mathsf{Auth}(sk, \ell, m)$. In order to authenticate the message $m$ with label $\ell = (id, \tau) \in \mathsf{ID} \times \mathcal{T}$, the authentication algorithm produces an authenticator $\sigma = (I, y)$ where $I \subseteq \mathsf{ID}$ and $y \in \mathbb{F}_p[X_{id}] \subseteq \mathbb{F}_p[X_1, \ldots, X_C]$. The set $I$ is simply $\{id\}$. The polynomial $y$ is a degree-1 polynomial in the variable $X_{id}$ such that $y(0) = m$ and $y(x_{id}) = F(K_{id}, \ell)$. Note that the coefficients of $y(X_{id}) = y_0 + y_{id} X_{id} \in \mathbb{F}_p[X_{id}]$ can be efficiently computed with the knowledge of $x_{id}$ by setting $y_0 = m$ and $y_{id} = \frac{F(K_{id}, \ell) - m}{x_{id}}$. Moreover, $y$ can be compactly represented by only giving the coefficients $y_0, y_{id} \in \mathbb{F}_p$.

$\mathsf{Eval}(f, \{\sigma_k\}_{k \in [t]})$. Given a $t$-input arithmetic circuit $f : \mathbb{F}_p^t \to \mathbb{F}_p$ and the $t$ authenticators $\{\sigma_k := (I_k, y_k)\}_k$, the evaluation algorithm outputs $\sigma = (I, y)$ obtained in the following way. First, it determines all the identities involved in the computation by setting $I = \bigcup_{k=1}^{t} I_k$. Then every polynomial $y_k$ is "expanded" into a polynomial $y'_k$ defined on the variables $X_{id}$ corresponding to all the identities in $I$. This is done using the canonical embedding $\mathbb{F}_p[X_{id} : id \in I_k] \hookrightarrow \mathbb{F}_p[X_{id} : id \in I]$. It is worth noticing that the terms of $y'_k$ that depend on variables in $I \setminus I_k$ have coefficient 0. Next, let $\hat{f} : \mathbb{F}_p[X_{id} : id \in I]^t \to \mathbb{F}_p[X_{id} : id \in I]$ be the arithmetic circuit corresponding to the given $f$, i.e., $\hat{f}$ is the same as $f$ except that additions (resp. multiplications) in $\mathbb{F}_p$ are replaced by additions (resp. multiplications) over the polynomial ring $\mathbb{F}_p[X_{id} : id \in I]$. Finally, $y$ is obtained as $y = \hat{f}(y'_1, \ldots, y'_t)$.

$\mathsf{Ver}(\mathcal{P}, \{vk_{id}\}_{id \in \mathcal{P}}, m, \sigma)$. Let $\mathcal{P} = (f, \ell_1, \ldots, \ell_t)$ be a labeled program where $f$ is a degree-$d$ arithmetic circuit and every label is of the form $\ell_k = (id_k, \tau_k)$. Let $\sigma = (I, y)$ where $I = \{id_1, \ldots, id_n\}$ with $id_i \ne id_j$ for $i \ne j$. The verification algorithm outputs 1 (accept) if and only if the authenticator satisfies the following three checks; otherwise it outputs 0 (reject).

$$\{id_1, \ldots, id_n\} = \{id : id \in \mathcal{P}\}, \tag{5}$$

$$y(0, \ldots, 0) = m, \tag{6}$$

$$y(x_{id_1}, \ldots, x_{id_n}) = f\big(F(K_{id_1}, \ell_1), \ldots, F(K_{id_t}, \ell_t)\big). \tag{7}$$
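As an added example (not the paper's own code), the script below is a runnable instance of $\mathsf{Auth}$, $\mathsf{Eval}$ and $\mathsf{Ver}$ as just described. It assumes $p = 2^{61} - 1$ as the prime, instantiates the PRF $F$ as HMAC-SHA256 over the label reduced mod $p$, and keeps polynomials in sparse form as dictionaries from exponent vectors (ordered by the sorted identity set $I$) to coefficients, which is the representation whose costs are discussed further down. The user names, labels and messages are constructed for the demo.

```python
import hashlib
import hmac
import random

P = 2**61 - 1          # prime p; a real instance uses a lambda-bit prime (assumption)

def prf(key, label):
    """F(K, l) in F_p, instantiated as HMAC-SHA256 over the label, reduced mod p (assumption)."""
    msg = f"{label[0]}|{label[1]}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % P

def keygen():
    """sk = vk = (x, K) with x != 0, since Auth divides by x; ek is void."""
    return {"x": random.randrange(1, P), "K": bytes(random.getrandbits(8) for _ in range(32))}

# A polynomial is a sparse dict {exponent tuple: coefficient}; exponent positions follow the
# sorted identity tuple I carried next to it in the authenticator (I, y).
def auth(sk, label, m):
    """Auth: I = {id}, y(X_id) = y0 + y_id*X_id with y(0) = m and y(x_id) = F(K_id, l)."""
    y_id = (prf(sk["K"], label) - m) * pow(sk["x"], -1, P) % P
    return {"I": (label[0],), "y": {(0,): m % P, (1,): y_id}}

def embed(poly, old_vars, new_vars):
    """Canonical embedding F_p[X_id : id in I_k] -> F_p[X_id : id in I]: pad exponent vectors with 0."""
    pos = [new_vars.index(v) for v in old_vars]
    out = {}
    for exps, c in poly.items():
        e = [0] * len(new_vars)
        for p_, k in zip(pos, exps):
            e[p_] = k
        out[tuple(e)] = (out.get(tuple(e), 0) + c) % P
    return out

def padd(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + c) % P
    return {e: c for e, c in out.items() if c}

def pmul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % P
    return {e: c for e, c in out.items() if c}

def peval(poly, point):
    total = 0
    for e, c in poly.items():
        for v, k in zip(point, e):
            c = c * pow(v, k, P) % P
        total = (total + c) % P
    return total

def run(node, leaf, add, mul):
    """Walk a circuit given as nested tuples ('in', k), ('add', l, r), ('mul', l, r)."""
    if node[0] == "in":
        return leaf(node[1])
    l, r = run(node[1], leaf, add, mul), run(node[2], leaf, add, mul)
    return add(l, r) if node[0] == "add" else mul(l, r)

def evaluate(circuit, auths):
    """Eval: I = union of the I_k, embed each y_k into F_p[X_id : id in I], then run f-hat on them."""
    I = tuple(sorted(set().union(*(a["I"] for a in auths))))
    ys = [embed(a["y"], a["I"], I) for a in auths]
    return {"I": I, "y": run(circuit, lambda k: ys[k], padd, pmul)}

def verify(circuit, labels, vks, m, a):
    """Ver: checks (5), (6), (7); labels = [(id_k, tau_k)], vks = {id: (x, K)}."""
    I = a["I"]
    if set(I) != {l[0] for l in labels}:                                        # (5)
        return False
    if peval(a["y"], (0,) * len(I)) != m % P:                                    # (6)
        return False
    rhs = run(circuit, lambda k: prf(vks[labels[k][0]]["K"], labels[k]),        # f on the PRF values
              lambda u, v: (u + v) % P, lambda u, v: u * v % P)
    return peval(a["y"], tuple(vks[i]["x"] for i in I)) == rhs                  # (7)

def demo():   # constructed run: two users, three labelled inputs, f(x1,x2,x3) = x1*x2 + x3 (degree 2)
    random.seed(1)
    keys = {"alice": keygen(), "bob": keygen()}
    labels = [("alice", "t1"), ("bob", "t1"), ("alice", "t2")]
    auths = [auth(keys[l[0]], l, m) for l, m in zip(labels, (3, 5, 7))]
    f = ("add", ("mul", ("in", 0), ("in", 1)), ("in", 2))
    a = evaluate(f, auths)
    ok = verify(f, labels, keys, 3 * 5 + 7, a)
    bad = verify(f, labels, keys, 3 * 5 + 8, a)     # wrong output: check (6) already fails
    # y has at most C(n+d, d) = C(4, 2) = 6 monomials; here 1, X_alice, X_bob, X_alice*X_bob
    return ok, bad, len(a["I"]), len(a["y"])
```

`demo()` returns `(True, False, 2, 4)`: the evaluated authenticator passes all three checks for the correct output $3 \cdot 5 + 7$, a wrong output is rejected at check (6), and the result carries $n = 2$ identities and four monomials, within the $\binom{n+d}{d}$ bound. Because $\mathsf{Ver}$ needs every $x_{id}$ and $K_{id}$, verification keys are secret, which is what makes this a MAC rather than a signature.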

In the remainder of the section, we discuss the efficiency and succinctness of our MKHMac and prove the correctness of our scheme. We conclude with the security analysis of the proposed MKHMac scheme.

Succinctness. Let us consider the case of an authenticator $\sigma$ which was obtained after running $\mathsf{Eval}$ on a circuit of degree $d$ taking inputs from $n$ distinct identities. Note that every $\sigma$ consists of two elements: a set $I \subseteq [C]$ and a polynomial $y \in \mathbb{F}_p[X_{id} : id \in I]$.

For the set $I$, it is easy to see that $|I| = n$ and $I$ can be represented with $n \log C$ bits. The other part of the authenticator, $y$, is instead an $n$-variate polynomial in $\mathbb{F}_p[X_{id_1}, \ldots, X_{id_n}]$ of degree $d$. Since the circuit degree is $d$, the maximum number of coefficients of $y$ is $\binom{n+d}{d}$. More precisely, the total size of $y$ depends on the particular representation of the multivariate polynomial $y$ chosen for the implementation. In [22] we discuss some possible representations (further details can also be found in [38]). For example, when employing the sparse representation of polynomials, the size of $y$ is bounded by $O(n t \log d)$ where $t$ is the number of non-zero coefficients in $y$ (note that in the worst case, a polynomial $y \in \mathbb{F}_p[X_{id_1}, \ldots, X_{id_n}]$ of degree $d$ has at most $t = \binom{n+d}{d}$ non-zero coefficients). Thus, setting $\log C \approx \log p \approx \lambda$, the size in bits of the authenticator $\sigma$ is $|\sigma| \le \lambda n + \lambda \binom{n+d}{d}$. Ignoring the security parameter, we have $|\sigma| = \mathrm{poly}(n)$ when $d$ is constant, or $|\sigma| = \mathrm{poly}(d)$ when $n$ is constant.

Efficiency of Eval. In what follows, we discuss the cost of computing additions and multiplications over authenticators in our MKHMac scheme. Let $\sigma^{(i)} = (I^{(i)}, y^{(i)})$, for $i = 1, 2$, be two authenticators and consider the operation $\sigma = \mathsf{Eval}(g, \sigma^{(1)}, \sigma^{(2)})$ where $g$ is a fan-in-2 addition or multiplication gate. In both cases the set $I$ of identities of $\sigma = (I, y)$ is obtained as the union $I = I^{(1)} \cup I^{(2)}$, which can be computed in time $O(n)$, where $n = |I|$, assuming the sets are ordered. Regarding the computation of $y$ from $y^{(1)}$ and $y^{(2)}$, one has to first embed each $y^{(i)}$ into the ring $\mathbb{F}_p[X_{id} : id \in I]$, and then evaluate the addition (resp. multiplication) over $\mathbb{F}_p[X_{id} : id \in I]$. Again, the costs of these operations depend on the adopted representation [24, 38].

Using the sparse representation of polynomials, expanding a $y$ having $t$ non-zero coefficients into an $n$-variate polynomial $y'$ requires time at most $O(tn)$. To give an idea, such an expansion simply consists of inserting zeros in the correct positions of the exponent vectors of every non-zero monomial term of $y$. On the other hand, the complexity of operations (additions and multiplications) on polynomials in sparse representation is usually estimated in terms of the number of monomial comparisons. The cost of such comparisons depends on the specific monomial ordering chosen, but is usually $O(n \log d)$, where $n$ is the total number of variables and $d$ the maximum degree. Given two polynomials in sparse representation having $t_1$ and $t_2$ non-zero terms respectively, addition costs about $O(t_1 t_2)$ monomial comparisons (if the monomial terms are stored in sorted order the cost of addition drops to $O(t_1 + t_2)$), while multiplication requires to add (merge) $t_2$ intermediate products of $t_1$ terms each, and can be performed with $O(t_1 t_2 \log t_2)$ monomial comparisons [24].

Correctness. Authentication Correctness. By construction, each fresh authenticator $\sigma = (I, y)$ of a message $m$ labeled by $\ell := (id, \tau)$ is of the form $I = \{id\}$ and $y(X_{id}) := y_0 + y_{id} X_{id} = m + \frac{F(K_{id}, \ell) - m}{x_{id}} X_{id}$. Thus the set $I$ satisfies Eq. (5) since $\{id : id \in \mathcal{I}_\ell\} = \{id\}$. The last two verification checks (6) and (7) are automatically granted for the identity program $\mathcal{I}_\ell$ because $y(0) = y_0 = m$ and $y(x_{id}) = m + \frac{F(K_{id}, \ell) - m}{x_{id}}\, x_{id} = F(K_{id}, \ell)$.

Evaluation Correctness. The correctness of the $\mathsf{Eval}$ algorithm essentially comes from the structure of the multivariate polynomial ring. We provide the detailed proof in the full version of the paper [22].

Security. In what follows we prove the security of our scheme against adversaries that make static corruptions and produce forgeries according to the following restrictions.
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Definition 8 (Weak Forgery). Consider an execution of the experiment 
described in Sect. 3, HomUF-CMA^MKHAut(A) where (V*,A*, m*,cr*) is the tuple 
returned by the adversary at the end of the experiment, with P* = (/*, £*, 

A* a dataset identifier, m* G M and cr* an authenticator. First, we say that the 
labeled program V * is well-defined on a list L if either one of the following two 
cases occurs: 

1. There exists i G [t\ such that (£*,•) L (i.e., A never made a query with 
label £*), and f*{{wj}(£ j , mj )eL U { m j}(e jr )^L) outputs the same value for all 
possible choices of m j G M.; 

2. L contains the tuples mi), m t ) , for some messages 

Then we say that {V* , A* , m*,cr*) is a weak forgery if \/er(fP * , A* , 
{vkidjideP* 5 m *> &*) = 1 an d either one of the following conditions is satisfied: 

Type 1: L A * was not initialized during the game (i.e., A* was never queried). 
Type 2: P* is well-defined on L A * but m* ^ U {0}^.^*) 

(i.e., m* is not the correct output ofV* when executed over previously authen- 
ticated messages). 

Type 3: V * is not well-defined on L A * . 

Although Definition 8 is weaker than our Definition 4, we stress that the above definition still protects the verifier from adversaries that try to cheat on the output of a computation. In more detail, the difference between Definition 8 and Definition 4 is the following: if $f^*$ has an input wire that has never been authenticated during the game (a Type 3 forgery in Definition 4), but $f^*$ is constant with respect to such input wire, then the above definition does not consider it a forgery. The intuitive reason why such a relaxed definition still makes sense is that “irrelevant” inputs would not help the adversary in any case to cheat on the output of $f^*$. Definition 8 is essentially the multi-key version of the forgery definition used in previous (single-key) homomorphic MAC works, e.g., [11]. As discussed in [23], testing whether a program is well-defined may not be doable in polynomial time in the most general case (i.e., for every class of functions). However, in [12] it is shown how this can be done efficiently via a probabilistic test in the case of arithmetic circuits of degree $d$ over a finite field of order $p$ such that $d/p < 1/2$. Finally, we notice that for our MKHMac Type 1 forgeries cannot occur, as the scheme described here supports only one dataset.¹¹

Theorem 3. If $F$ is a pseudo-random function then the multi-key homomorphic MAC described in Sect. 5 is secure against adversaries that make static corruptions of keys and produce forgeries as in Definition 8.

Note that we can deal with corruptions via our generic result of Proposition 1. Therefore, it is sufficient to prove the security against adversaries that make no corruptions. The proof is done via a chain of games following this (intuitive) path. First, we rule out adversaries that make Type 3 forgeries. Intuitively, this can be done as the adversary has never seen one of the inputs of the computation, and in particular an input which can change the result. Second, we replace every PRF instance with a truly random function. Note that at this point the security of the scheme is information theoretic. Third, we change the way to answer verification queries that are candidates to be Type 2 forgeries. Finally, we observe that in this last game the adversary gains no information on the secret keys $x_i$ and thus has negligible probability of making a Type 2 forgery. Due to space restrictions, the detailed and formal proofs appear only in the full version [22].

¹¹ As noted at the beginning of the section, the extension to multiple datasets is straightforward given that tags are arbitrary strings. When such an extension is applied, it is easy to see that Type 1 forgeries are Type 3 ones in the underlying scheme.

6 Conclusions

In this paper, we introduced the concept of multi-key homomorphic authenticators, a cryptographic primitive that enables an untrusted third party to execute a function $f$ on data authenticated using different secret keys in order to obtain a value certifying the correctness of $f$'s result, which can be checked with knowledge of the corresponding verification keys. In addition to providing suitable definitions, we also propose two constructions: one which is publicly verifiable and supports general boolean circuits, and a second one that is secretly verifiable and supports low-degree arithmetic circuits. Although our work does not directly address the problem of privacy, extensions of our results along this direction are possible, and we leave the details to future investigation. A first extension is defining a notion of context-hiding for multi-key HAs. Similarly to the single-key setting, this property should guarantee that authenticators do not reveal non-trivial information about the computation's inputs. The second extension has to do with preventing the Cloud from learning the data over which it computes. In this case, we note that multi-key HAs can be executed on top of homomorphic encryption following an approach similar to that suggested in [21]. Finally, an interesting problem left open by our work is to find multi-key HA schemes where authenticators have size independent of the number of users involved in the computation.
Abstract. Multi-input functional encryption (MIFE) was introduced by Goldwasser et al. (EUROCRYPT 2014) as a compelling extension of functional encryption. In MIFE, a receiver is able to compute a joint function of multiple, independently encrypted plaintexts. Goldwasser et al. (EUROCRYPT 2014) show various applications of MIFE to running SQL queries over encrypted databases, computing over encrypted data streams, etc.

The previous construction of MIFE due to Goldwasser et al. (EUROCRYPT 2014) based on indistinguishability obfuscation had a major shortcoming: it could only support encrypting an a priori bounded number of messages. Once that bound is exceeded, security is no longer guaranteed to hold. In addition, it could only support selective security, meaning that the challenge messages and the set of “corrupted” encryption keys had to be declared by the adversary up-front.

In this work, we show how to remove these restrictions by relying instead on sub-exponentially secure indistinguishability obfuscation. This is done by carefully adapting an alternative MIFE scheme of Goldwasser et al. that previously overcame these shortcomings (except for selective security wrt. the set of “corrupted” encryption keys) by relying instead on differing-inputs obfuscation, which is now seen as an implausible assumption. Our techniques are rather generic, and we hope they are useful in converting other constructions using differing-inputs obfuscation to ones using sub-exponentially secure indistinguishability obfuscation instead.
1 Introduction

In traditional encryption, a receiver in possession of a ciphertext either has a corresponding decryption key for it, in which case it can recover the underlying message, or else it can get no information about the underlying message. Functional encryption (FE) [10,21,26,32] is a vast new paradigm for encryption in which the decryption keys are associated to functions, whereby a receiver in possession of a ciphertext and a decryption key for a particular function can recover that function of the underlying message. Intuitively, security requires that it learns nothing else. Due to both theoretical appeal and practical importance, FE has gained tremendous attention in recent years.

In particular, this work concerns a compelling extension of FE called multi-input functional encryption (MIFE), introduced by Goldwasser et al. [25]. In MIFE, decryption operates on multiple ciphertexts, such that a receiver with some decryption key is able to recover the associated function applied to all of the underlying plaintexts (i.e., the underlying plaintexts are all arguments to the associated function). MIFE enables a number of important applications not handled by standard (single-input) FE. On the theoretical side, MIFE has interesting applications to non-interactive secure multiparty computation [7]. On the practical side, we reproduce the following example from [25].

Running SQL queries over encrypted data: Suppose we have an encrypted database. A natural goal in this scenario would be to allow a party Alice to perform a certain class of general SQL queries over this database. If we use ordinary functional encryption, Alice would need to obtain a separate secret key for every possible valid SQL query, a potentially exponentially large set. Multi-input functional encryption allows us to address this problem in a flexible way. We highlight two aspects of how Multi-Input Functional Encryption can apply to this example:

- Let $f$ be the function where $f(q, x)$ first checks if $q$ is a valid SQL query from the allowed class, and if so $f(q, x)$ is the output of the query $q$ on the database $x$. Now, if we give the decryption key corresponding to $f$ and the encryption key $\mathsf{EK}_1$ (corresponding to the first input of the function $f$) to Alice, then Alice can choose a valid query $q$ and encrypt it under her encryption key $\mathsf{EK}_1$ to obtain ciphertext $c_1$. Then she could use her decryption key on ciphertexts $c_1$ and $c_2$, where $c_2$ is the encrypted database, to obtain the results of the SQL query.

- Furthermore, if our application demanded that multiple users add or manipulate different entries in the database, the most natural way to build such a database would be to have different ciphertexts for each entry in the database. In this case, for a database of size $n$, we could let $f$ be an $(n+1)$-ary function where $f(q, x_1, \ldots, x_n)$ is the result of a (valid) SQL query $q$ on the database $(x_1, \ldots, x_n)$.

Goldwasser et al. [25] discuss various other applications of MIFE to non-interactive differentially private data release, delegation of computation, computing over encrypted streams, etc. We refer the reader to [25] for a more complete treatment. Besides motivating the notion, Goldwasser et al. [25] gave various flavors of definitions for MIFE and its security, as well as constructions based on different forms of program obfuscation. First of all, we note a basic observation about MIFE: in the public-key setting, the functions for which one can hope to have any security at all are limited. In particular, a dishonest decryptor in possession of the public key $\mathsf{PP}$, a secret key $\mathsf{SK}_f$ for (say) a binary function $f$, and a ciphertext $\mathsf{CT}$ encrypting message $m$, can try to learn $m$ by repeatedly choosing some $m'$ and learning $f(m, m')$, namely by encrypting $m'$ under $\mathsf{PP}$ to get $\mathsf{CT}'$ and decrypting $\mathsf{CT}, \mathsf{CT}'$ under $\mathsf{SK}_f$. This means one can only hope for a very weak notion of security in such a case. As a result, in this work we focus on a more general setting where the functions have, say, a fixed arity $n$ and there are encryption keys $\mathsf{EK}_1, \ldots, \mathsf{EK}_n$ corresponding to each index (i.e., $\mathsf{EK}_i$ is used to encrypt a message which can then be used as the $i$-th argument in any function via decryption with the appropriate key). Only some subset of these keys (or maybe none of them) are known to the adversary. Note that this subsumes both the public-key and the secret-key setting (in which a much more meaningful notion of security may be possible). In this setting, [25] presented an MIFE scheme based on indistinguishability obfuscation (iO) [6,21].

Bounded-message security: The construction of Goldwasser et al. [25] based on iO has a severe shortcoming, namely that it could only support security for an encryption of an a priori bounded number of messages.¹ This bound is required to be fixed at the time of system setup and, if exceeded, would result in the guarantee of semantic security no longer holding. In other words, the number of challenge messages chosen by the adversary in the security game needed to be a priori bounded. The size of the public parameters in [25] grows linearly with the number of challenge messages.

Now we go back to the previous example of running SQL queries over encrypted databases where each entry in the database is encrypted individually. This bound would mean that the number of entries in the database would be bounded at the time of the system setup. Also, the number of updates to the database would be bounded as well. Similar restrictions would apply in other applications of MIFE: e.g., while computing over encrypted data streams, the number of data streams would have to be a priori bounded, etc. In addition, the construction of Goldwasser et al. [25] could only support selective security: the challenge messages and the set of “corrupted” encryption keys needed by the adversary are given out at the beginning of the experiment.²

Let us informally refer to an MIFE construction that does not have these shortcomings as unbounded-message secure or simply fully-secure. In addition to the main construction based on iO, Goldwasser et al. [25] also showed a construction of adaptively-secure MIFE (except wrt. the subset of encryption keys given to the adversary, so we still do not call it fully-secure) that relies on a stronger form of obfuscation called differing-inputs obfuscation (diO) [1,6,12].³ Roughly, diO says that for any two circuits $C_0$ and $C_1$ for which it is hard to find an input on which their outputs differ, it should be hard to distinguish their obfuscations, and moreover given such a distinguisher one can extract such a differing input. Unfortunately, due to recent negative results [22], diO is now viewed as an implausible assumption. The main question we are concerned with in this work is: Can fully-secure MIFE be constructed from iO?

¹ We note that, since we do not work in the public-key setting, there is no generic implication of single-message to multi-message security.

² Corruption of encryption keys $\mathsf{EK}_1, \ldots, \mathsf{EK}_n$ is an aspect of MIFE security not present for single-input FE; note that in [25], some subset of these keys could not be requested adaptively by the adversary: they were to be chosen even before the setup was done.


1.1 Our Contributions

Our main result is a fully-secure MIFE scheme from sub-exponentially secure iO. More specifically, we use the following primitives: (1) sub-exponentially secure iO, (2) sub-exponentially secure injective one-way functions, and (3) standard public-key encryption (PKE). Here “sub-exponential security” refers to the fact that the advantage of any (efficient) adversary should be sub-exponentially small. For primitive (2), this should furthermore hold against adversaries running in sub-exponential time.

A few remarks about these primitives are in order. First, the required security will depend on the function arity, but not on the number of challenge messages. Indeed, Goldwasser et al. already point out that selective security (though not bounded-message security, which instead has to do with their use of statistically sound non-interactive proofs) of their MIFE scheme based on iO can be overcome by standard complexity leveraging. However, in that case the required security level would depend on the number of challenge messages. As in most applications we expect the number of challenge messages to be orders of magnitude larger than the function arity, this would result in much larger parameters than our scheme. Second, we only use a sub-exponentially secure injective one-way function (i.e., primitive (2)) in our security proof, not in the scheme itself. Thus it suffices for such an injective one-way function to simply exist for the security of our MIFE scheme, even if we do not know an explicit candidate.


1.2 Our Techniques

The starting point of our construction is the fully-secure construction of MIFE based on diO due to Goldwasser et al. [25] mentioned above. In their scheme, the encryption key for an index $i \in [n]$ (where $n$ is the function arity) is a pair of public keys $(\mathsf{pk}_i^0, \mathsf{pk}_i^1)$ for an underlying PKE scheme, and a ciphertext for index $i$ consists of encryptions of the plaintext under $\mathsf{pk}_i^0, \mathsf{pk}_i^1$ respectively, along with a simulation-sound non-interactive zero-knowledge proof that the two ciphertexts are well-formed (i.e., both encrypting the same underlying message).

³ Actually, [25] required an even stronger form of diO called strong differing-inputs obfuscation or differing-inputs obfuscation secure in the presence of an oracle.

The secret key for a function $f$ is an obfuscation of a program that takes as input $n$ ciphertext pairs with proofs $(c_1^0, c_1^1, \pi_1), \ldots, (c_n^0, c_n^1, \pi_n)$, and, if the proofs verify, decrypts the first ciphertext from each pair using the corresponding secret key, and finally outputs $f$ applied to the resulting plaintexts. Note that it is important for the security proof to assume diO, since one needs to argue that when the function keys are switched to decrypting the second ciphertext in each pair instead, an adversary who detects the change can be used to extract a false proof.

We will develop modifications to this scheme so that we can instead leverage a result of [12] that any indistinguishability obfuscator is in fact a differing-inputs obfuscator on circuits which differ on polynomially many points. In fact, we will only need to use this result for circuits which differ on a single point. But, we will need to require the extractor to work given an adversary with even exponentially-small distinguishing gap on the obfuscations of two such circuits, due to the exponential number of hybrids in our security proof. Fortunately, [17] showed the result of [12] extends to this case if we start with an indistinguishability obfuscator that is sub-exponentially secure.

Specifically, we need to make the proofs of well-formedness described above unique for every ciphertext pair, so that there is only one differing input point in the corresponding hybrids in our security proof. To achieve this, we design novel “special-purpose” proofs built from iO and punctured pseudorandom functions (PRFs) [11,13,29],⁴ which work as follows. We include in the public parameters an obfuscated program that takes as input two ciphertexts and a witness that they are well-formed (i.e., the message and randomness used for both the ciphertexts), and, if this check passes, outputs a (puncturable) PRF evaluation on those ciphertexts. Additionally, the secret key for a function $f$ will now be an obfuscation of a program which additionally has this PRF key hardwired and verifies the “proofs” of well-formedness by checking that the PRF evaluations are correct. Interestingly, in the security proof, we will switch to doing this check via an injective one-way function applied to the PRF values (i.e., the PRF values themselves are not compared, but rather the outputs of an injective one-way function applied to them). This is so that extracting a differing input at this step in the security proof will correspond to inverting an injective one-way function; otherwise, the correct PRF evaluation would still be hard-coded in the obfuscated function key and we do not know how to argue security.

We now sketch the sequence of hybrids in our security proof. The proof starts from a hybrid where each challenge ciphertext encrypts $m_i^0$ for $i \in [n]$. Then we switch to a hybrid where each $c_i^1$ is an encryption of $m_i^1$ instead. These two hybrids are indistinguishable due to the security of the PKE scheme. Let $\ell$ denote the length of a ciphertext. For each index $i \in [n]$ we define hybrids indexed by $x$, for all $x \in [2^{2n\ell}]$, in which the function key $\mathsf{SK}_f$ decrypts the first ciphertext in the pair using $\mathsf{SK}_i^0$ when $(c_1^0, c_1^1, \ldots, c_n^0, c_n^1) < x$ and decrypts the second ciphertext in the pair using $\mathsf{SK}_i^1$ otherwise. Parse $x = (x_1^0, x_1^1, \ldots, x_n^0, x_n^1)$. Hybrids indexed by $x$ and $x+1$ can be proven indistinguishable as follows: we first switch to sub-hybrids that puncture the PRF key at $(x_i^0, x_i^1)$, change the function key $\mathsf{SK}_f$ to check correctness of a PRF value by applying an injective one-way function as described above, and hard-code the output of the injective one-way function at the PRF evaluation at the punctured point. Now if the two hybrids differ at an input of the form $(x_1^0, x_1^1, \alpha_1, \ldots, x_n^0, x_n^1, \alpha_n)$ where $\alpha_i$ is some fixed value (a PRF evaluation of $(x_i^0, x_i^1)$), extracting the differing input can be used to invert the injective one-way function on a random input (namely the $\alpha_i$).

⁴ Due to the number of hybrids in our proof, we will also need the punctured PRFs to be sub-exponentially secure, but this already follows from a sub-exponentially secure injective one-way function.

536 V. Goyal et al.

Finally, we note that the exponentially many hybrids are indexed by all possible ciphertext vectors that could be input to decryption (i.e., vectors of length the arity of the functionality) and not by all possible challenge ciphertext vectors. This allows us to handle any unbounded (polynomial) number of ciphertexts for every index.

Our techniques further demonstrate the power of the exponentially-many-hybrids technique, together with the iO ⇒ one-point diO implication, which have also been used recently in works such as [8,17].

1.3 Related Work, Open Problems

In this work we focus on an indistinguishability-based security notion for MIFE. This is justified as Goldwasser et al. [25] show that an MIFE meeting a stronger simulation-based security definition in general implies black-box obfuscation [6] and hence is impossible. They also point out that in the secret-key setting with small function arity, an MIFE scheme meeting an indistinguishability-based security notion can be “compiled” into a simulation-secure one, following the work of De Caro et al. [16]; in such a setting we can therefore achieve simulation-based security as well. We note that a main problem left open by our work is whether iO without sub-exponential security implies MIFE, which would in some sense show these two primitives are equivalent (up to the other primitives used in the construction). Another significant open problem is removing the bound on a function's arity in our construction, as well as the bound on the message length, perhaps by building on recent work in the setting of single-input FE [30].

Initial constructions of single-input FE from iO [21] also had the shortcomings we are concerned with removing for constructions of MIFE in this work, namely selective and bounded-message security. These restrictions were similarly first overcome using differing-inputs obfuscation [1,12], and later removed while only relying on iO [2,33]. Unfortunately, we have not been able to make the techniques of these works apply to the MIFE setting, which is why we have taken a different route. If they could, this would be a path towards solving the open problem of relying on iO with standard security mentioned above.

The authors of [14] construct an adaptively secure multi-input functional encryption scheme in the secret-key setting for any number of ciphertexts from any secret-key functional encryption scheme. Their construction builds on a clever observation that function keys of a secret-key function-hiding functional encryption scheme can be used to hide any message. This provides a natural ‘arity amplification’ procedure that allows us to go from a $t$-ary secret-key MIFE to a $(t+1)$-ary MIFE. However, because the arity is amplified one by one, it leads to a blow-up in the scheme, so the arity of the functions had to be bounded by $O(\log(\log k))$. [4] builds on similar techniques but considers the construction of secret-key MIFE from a different viewpoint (i.e. building iO from functional encryption).

The existence of indistinguishability obfuscation is still a topic of active research. On the one hand, there have been recent works such as [31] which break many of the existing iO candidates using [20]. However, there have been new/modified constructions which provably resist these attacks under a strengthened model of security [23].

There has also been progress on constructing universal constructions and obfuscation combiners [3,19]. An almost up-to-date list of candidates along with their status can be found in [3]. Since Multi-Input Functional Encryption implies indistinguishability obfuscation (as shown in [25]), assuming iO is necessary. Finally, we note that the source of trouble in achieving differing-inputs obfuscation is the auxiliary input provided to the distinguisher. Another alternative to using differing-inputs obfuscation is public-coin diO [28], where this auxiliary input is simply a uniform random string, as done in [5] (they however achieve selective security). There are no known implausibility results for public-coin diO, and it is interesting to give an alternative construction of fully-secure MIFE based on it. Our assumption seems incomparable, as we only need iO but also sub-exponential security.


1.4 Organisation

The rest of this paper is organized as follows: In Sect. 2, we recall some definitions and primitives used in the rest of the paper. In Sect. 3 we formally define MIFE and present our security model. Finally, in Sect. 4, we present our construction and a security proof.

2 Preliminaries

In this section we recall various concepts on which the paper is built. We assume that the reader is familiar with concepts such as public-key encryption and one-way functions, and omit their formal description in the paper. For the rest of the paper, we denote by $\mathbb{N}$ the set of natural numbers $\{1, 2, 3, \ldots\}$. Sub-exponential indistinguishability obfuscation and sub-exponentially secure puncturable pseudo-random functions have been used recently in works such as [9,15,30]. For completeness, we present these notions below:


2.1 Indistinguishability Obfuscation

The following definition has been adapted from [21]:

Definition 1. A uniform PPT machine $\mathsf{iO}$ is an indistinguishability obfuscator for a class of circuits $\{\mathcal{C}_k\}_{k \in \mathbb{N}}$ if the following properties are satisfied.

Correctness: For every $k \in \mathbb{N}$, for all $C \in \mathcal{C}_k$, we have

$\Pr[C' \leftarrow \mathsf{iO}(1^k, C) : \forall x,\ C'(x) = C(x)] = 1$

Security: For any pair of functionally equivalent equi-sized circuits $C_0, C_1 \in \mathcal{C}_k$ we have that: for every non-uniform PPT adversary $\mathcal{A}$ there exists a negligible function $\epsilon$ such that for all $k \in \mathbb{N}$,

$|\Pr[\mathcal{A}(1^k, \mathsf{iO}(1^k, C_0), C_0, C_1, z) = 1] - \Pr[\mathcal{A}(1^k, \mathsf{iO}(1^k, C_1), C_0, C_1, z) = 1]| < \epsilon(k)$

We additionally say that $\mathsf{iO}$ is sub-exponentially secure if there exists some constant $\alpha > 0$ such that for every non-uniform PPT $\mathcal{A}$ the above indistinguishability gap is bounded by $\epsilon(k) = O(2^{-k^\alpha})$.

Definition 2 (Indistinguishability obfuscation for P/poly). $\mathsf{iO}$ is a secure indistinguishability obfuscator for P/poly if it is an indistinguishability obfuscator for the family of circuits $\{\mathcal{C}_k\}_{k \in \mathbb{N}}$ where $\mathcal{C}_k$ is the set of all circuits of size $k$.

2.2 Puncturable Pseudorandom Functions

A PRF $F : \mathcal{K}_k \times \mathcal{X}_k \to \mathcal{Y}_k$ is a puncturable pseudorandom function if there is an additional key space $\mathcal{K}_p$ and three polynomial time algorithms $(F.\mathsf{setup}, F.\mathsf{eval}, F.\mathsf{puncture})$ as follows:

- $F.\mathsf{setup}(1^k)$ is a randomized algorithm that takes the security parameter $k$ as input and outputs a description of the key space $\mathcal{K}$, the punctured key space $\mathcal{K}_p$ and the PRF $F$.

- $F.\mathsf{puncture}(K, x)$ is a randomized algorithm that takes as input a PRF key $K \in \mathcal{K}$ and $x \in \mathcal{X}$, and outputs a key $K\{x\} \in \mathcal{K}_p$.

- $F.\mathsf{eval}(K\{x\}, x')$ is a deterministic algorithm that takes as input a punctured key $K\{x\} \in \mathcal{K}_p$ and $x' \in \mathcal{X}$. Let $K \in \mathcal{K}$, $x \in \mathcal{X}$ and $K\{x\} \leftarrow F.\mathsf{puncture}(K, x)$.

The primitive satisfies the following properties:

1. Functionality is preserved under puncturing: For every $x^* \in \mathcal{X}$ and every $x \in \mathcal{X}$ with $x \neq x^*$,

$\Pr[F.\mathsf{eval}(K\{x^*\}, x) = F(K, x)] = 1$

where the probability is taken over the randomness in sampling $K$ and puncturing it.

2. Pseudo-randomness at punctured point: For any poly-size distinguisher $D$, there exists a negligible function $\mu(\cdot)$ such that for all $k \in \mathbb{N}$ and $x^* \in \mathcal{X}$,

$|\Pr[D(x^*, K\{x^*\}, F(K, x^*)) = 1] - \Pr[D(x^*, K\{x^*\}, u) = 1]| < \mu(k)$

where $K \leftarrow F.\mathsf{setup}(1^k)$, $K\{x^*\} \leftarrow F.\mathsf{puncture}(K, x^*)$ and $u \leftarrow \mathcal{Y}_k$.

We say that the primitive is sub-exponentially secure if $\mu$ is bounded by $O(2^{-k^{c_{\mathsf{PRF}}}})$ for some constant $0 < c_{\mathsf{PRF}} < 1$. We also abuse notation slightly and use $F(K, \cdot)$ and $F.\mathsf{eval}(K, \cdot)$ to mean one and the same thing, irrespective of whether the key is punctured or not.
2.3 Injective One-Way Function

A one-way function with security $(s, \epsilon)$ is an efficiently evaluable function $P : \{0,1\}^* \to \{0,1\}^*$ such that $\Pr_{x \leftarrow \{0,1\}^n}[P(\mathcal{A}(P(x))) = P(x)] \leq \epsilon(n)$ for all circuits $\mathcal{A}$ of size bounded by $s(n)$. It is called an injective one-way function if it is injective on the domain $\{0,1\}^n$ for all sufficiently large $n$.

In this work we require that there exists⁵ an $(s, \epsilon)$ injective one-way function with $s(n) = 2^{n^{c_{\mathsf{owp}1}}}$ and $\epsilon = 2^{-n^{c_{\mathsf{owp}2}}}$ for some constants $0 < c_{\mathsf{owp}1}, c_{\mathsf{owp}2} < 1$. This assumption is well studied: [27,35] have used $(2^{cn}, 1/2^{cn})$-secure one-way functions and permutations for some constant $c$.

This is a reasonable assumption due to the following result from [24].

Lemma 1. Fix $s(n) = 2^{n/5}$. For all sufficiently large $n$, a random permutation $\pi$ is $(s(n), 1/2^{n/5})$-secure with probability at least $1 - 2^{-2^{n/2}}$.

Such assumptions have been made and discussed in the works of [27,34,35]. In particular, we require the following assumption:

Assumption 1: For any adversary $\mathcal{A}$ with running time bounded by $s(n) = O(2^{n^{c_{\mathsf{owp}1}}})$, for any a priori bounded polynomial $p(n)$ there exists an injective one-way function $P$ such that

$\Pr[r_i \leftarrow \{0,1\}^n\ \forall i \in [p],\ \mathcal{A}^{\mathcal{O}}(P(r_1), \ldots, P(r_p)) = (r_1, \ldots, r_p)] < O(2^{-n^{c_{\mathsf{owp}2}}})$

for some constants $0 < c_{\mathsf{owp}1}, c_{\mathsf{owp}2} < 1$. Here, the oracle $\mathcal{O}$ can reveal at most $p - 1$ values out of $r_1, \ldots, r_p$. Note that this assumption follows from the assumption described above with a loss $p$ in the security gap.

2.4 (d, δ)-Weak Extractability Obfuscators

The concept of a weak extractability obfuscator was first introduced in [12], where they claimed that if there is an adversary that can distinguish between indistinguishability obfuscations of two circuits that differ on a polynomial number of inputs with noticeable probability, then there is a PPT extractor that extracts a differing input with overwhelming probability. [17] generalised the notion to what they call a $(d, \delta)$ weak extractability obfuscator, where they require that if there is any PPT adversary that can distinguish between obfuscations of two circuits (that differ on at most $d$ inputs) with at least $\epsilon > \delta$ probability, then there is an explicit extractor that extracts a differing input with overwhelming probability and runs in time $\mathrm{poly}(1/\epsilon, d, k)$. Such a primitive can be constructed from sub-exponentially secure indistinguishability obfuscation. A $(1, 2^{-k})$ weak extractability obfuscator will be crucially used in our construction of our MIFE scheme. We believe that in various applications of differing-inputs obfuscation, it may suffice to use this primitive along with other sub-exponentially secure primitives.

⁵ We however do not require that the injective one-way function can be sampled efficiently.
Definition 3. A uniform transformation weO is a $(d,\delta)$ weak extractability obfuscator for a class of circuits $\mathcal{C} = \{\mathcal{C}_k\}$ if the following holds. For every PPT adversary $A$ running in time $t_A$, and every $1 > \epsilon(k) > \delta$, there exists an algorithm $E$ for which the following holds. For all sufficiently large $k$, every pair of circuits on $n$-bit inputs $C_0, C_1 \in \mathcal{C}_k$ differing on at most $d(k)$ inputs, and every auxiliary input $z$,

$$\left|\Pr[A(1^k, \mathrm{weO}(1^k, C_0), C_0, C_1, z) = 1] - \Pr[A(1^k, \mathrm{weO}(1^k, C_1), C_0, C_1, z) = 1]\right| \ge \epsilon$$
$$\Rightarrow\ \Pr[x \leftarrow E(1^k, C_0, C_1, z) : C_0(x) \ne C_1(x)] \ge 1 - \mathrm{negl}(k),$$

and the expected runtime of $E$ is $O(p_E(1/\epsilon, d, t_A, n, k))$ for some fixed polynomial $p_E$. In addition, we also require the obfuscator to satisfy correctness.

Correctness: For every $n \in \mathbb{N}$ and every $C \in \mathcal{C}_n$, we have

$$\Pr[C' \leftarrow \mathrm{weO}(1^n, C) : \forall x,\ C'(x) = C(x)] = 1.$$

We now construct a $(1, 2^{-k})$ weak extractability obfuscator from sub-exponentially secure indistinguishability obfuscation. The following algorithm describes the obfuscation procedure.

$\mathrm{weO}(1^k, C)$: The procedure outputs $C' \leftarrow \mathrm{iO}(1^{k^{1/\alpha}}, C)$. Here, $\alpha > 0$ is a constant chosen such that any polynomial-time adversary against the indistinguishability obfuscation has security gap upper bounded by $2^{-k}/4$.

The following theorem is proven in [17].

Theorem 1. Assuming sub-exponentially secure indistinguishability obfuscation, there exists a $(1,\delta)$ weak extractability obfuscator for P/poly for any $\delta > 2^{-k}$, where $k$ is the size of the circuit.

In general, assuming sub-exponential security, one can construct a $(d,\delta)$ weak extractability obfuscator for any $\delta > 2^{-k}$. The construction is as follows:

$\mathrm{weO}(C)$: Let $\alpha$ be the security constant such that iO with parameter $1^{k^{1/\alpha}}$ has security gap upper bounded by $O(2^{-3k})$. Such an $\alpha$ exists due to the sub-exponential security of the indistinguishability obfuscation. The procedure outputs

$$C' \leftarrow \mathrm{iO}(1^{k^{1/\alpha}}, C).$$

We cite [12] for the proof of the following theorem.

Theorem 2 ([12]). Assuming sub-exponentially secure indistinguishability obfuscation, there exists a $(d,\delta)$ weak extractability obfuscator for P/poly for any $\delta > 2^{-k}$.

3 Multi-input Functional Encryption

Let $\mathcal{X} = \{\mathcal{X}_k\}_{k\in\mathbb{N}}$ and $\mathcal{Y} = \{\mathcal{Y}_k\}_{k\in\mathbb{N}}$ denote ensembles where each $\mathcal{X}_k$ and $\mathcal{Y}_k$ is a finite set. Let $\mathcal{F} = \{\mathcal{F}_k\}_{k\in\mathbb{N}}$ denote an ensemble where each $\mathcal{F}_k$ is a finite collection of $n$-ary functions. Each $f \in \mathcal{F}_k$ takes as input $n$ strings $x_1, \ldots, x_n$, where each $x_i \in \mathcal{X}_k$, and outputs $f(x_1, \ldots, x_n) \in \mathcal{Y}_k$. We now describe the algorithms.

- MIFE.Setup($1^k$, $n$): a PPT algorithm that takes as input the security parameter $k$ and the function arity $n$. It outputs $n$ encryption keys $EK_1, \ldots, EK_n$ and a master secret key $MSK$.

- MIFE.Enc($EK_i$, $m$): a PPT algorithm that takes as input an encryption key $EK_i \in (EK_1, \ldots, EK_n)$ and an input message $m \in \mathcal{X}_k$, and outputs a ciphertext $CT_i$, which denotes that the encrypted plaintext constitutes an $i$-th input to a function $f$.

- MIFE.Keygen($MSK$, $f$): a PPT algorithm that takes as input the master secret key $MSK$ and an $n$-ary function $f \in \mathcal{F}_k$, and outputs a corresponding decryption key $SK_f$.

- MIFE.Dec($SK_f$, $CT_1, \ldots, CT_n$): a deterministic algorithm that takes as input a decryption key $SK_f$ and $n$ ciphertexts $CT_1, \ldots, CT_n$, and outputs a string $y \in \mathcal{Y}_k$.

The scheme is said to satisfy correctness if, for honestly generated encryption keys and function key and any tuple of honestly generated ciphertexts, decryption of the ciphertexts with the function key for $f$ outputs the joint function value of the messages encrypted inside the ciphertexts with overwhelming probability.

Definition 4. Let $\{f\}$ be any set of functions $f \in \mathcal{F}_k$. Let $[n] = \{1, \ldots, n\}$ and $I \subseteq [n]$. Let $X^0$ and $X^1$ be a pair of input vectors, where $X^b = \{x^b_{1,j}, \ldots, x^b_{n,j}\}_{j=1}^{q}$. We define $\{f\}$ and $(X^0, X^1)$ to be $I$-compatible if they satisfy the following property: for every $f \in \{f\}$, every $I' = \{i_1, \ldots, i_t\} \subseteq I$, every $j_1, \ldots, j_{n-t} \in [q]$ and every $y_{i_1}, \ldots, y_{i_t} \in \mathcal{X}_k$,

$$f(\langle y_{i_1}, \ldots, y_{i_t}, x^0_{i_{t+1}, j_1}, \ldots, x^0_{i_n, j_{n-t}} \rangle) = f(\langle y_{i_1}, \ldots, y_{i_t}, x^1_{i_{t+1}, j_1}, \ldots, x^1_{i_n, j_{n-t}} \rangle),$$

where $\{i_{t+1}, \ldots, i_n\} = [n] \setminus I'$ and $\langle y_{i_1}, \ldots, y_{i_n} \rangle$ denotes the permutation of the values such that the value $y_{i_l}$ is mapped to the $l$-th location if $y_{i_l}$ is the $l$-th input (out of $n$ inputs) to $f$.


IND-Secure MIFE: The security definition in [25] was parameterized by two parameters $(t, q)$, where $t$ denotes the number of encryption keys known to the adversary and $q$ denotes the number of challenge messages per encryption key. Since our scheme can handle any unbounded polynomial $q$ and any $t \le n$, we present a definition independent of these parameters.

Definition 5 (Indistinguishability based security). We say that a multi-input functional encryption scheme MIFE for $n$-ary functions $\mathcal{F}$ is fully IND-secure if for every PPT adversary $A$, the advantage of $A$, defined as

$$\mathrm{Adv}^{\mathrm{MIFE,IND}}_A(1^k) = \left|\Pr[\mathrm{IND}^{\mathrm{MIFE}}_A(1^k) = 1] - 1/2\right|,$$

is $\mathrm{negl}(k)$, where the experiment $\mathrm{IND}^{\mathrm{MIFE}}_A$ is given in Fig. 1.

Experiment $\mathrm{IND}^{\mathrm{MIFE}}_A(1^k)$:
  $(\mathbf{EK}, MSK) \leftarrow \mathrm{MIFE.Setup}(1^k, n)$
  $b \leftarrow \{0, 1\}$
  $b' \leftarrow A^{\mathrm{MIFE.Keygen}(MSK,\cdot),\ \mathcal{O}(\mathbf{EK},\cdot),\ \mathcal{E}(\mathbf{EK}, b, \cdot)}(1^k)$
  Output $(b = b')$

Fig. 1. Security game

Valid adversaries: In the above experiment, $\mathcal{O}(\mathbf{EK}, \cdot)$ is an oracle that takes an index $i$ and outputs $EK_i$. Let $I$ be the set of queries to this oracle. $\mathcal{E}(\mathbf{EK}, b, \cdot)$, on a query $((x^0_{1,j}, \ldots, x^0_{n,j}), (x^1_{1,j}, \ldots, x^1_{n,j}))$ (where $j$ denotes the query number), outputs $CT_{i,j} \leftarrow \mathrm{MIFE.Enc}(EK_i, x^b_{i,j})$ for all $i \in [n]$. If $q$ is the total number of queries to this oracle, then let $X^l = \{x^l_{1,j}, \ldots, x^l_{n,j}\}_{j=1}^{q}$ for $l \in \{0, 1\}$. Also, let $\{f\}$ denote the entire set of function key queries made by $A$. Then the challenge message vectors $X^0$ and $X^1$ chosen by $A$ must be $I$-compatible with $\{f\}$. The scheme is said to be secure if for any valid adversary $A$ the advantage in the game described above is negligible (Fig. 1).
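The following is an added example (not code from the paper) that brute-forces the condition of Definition 4 over a tiny message space, so the validity constraint on $X^0, X^1$ in Definition 5 can be checked mechanically. The toy functions `parity` and `equal`, the domain `range(4)` standing in for $\mathcal{X}_k$, and the challenge vectors are all constructed here. The checker also returns the first violating choice of $(f, I', y, j)$ as a witness, which shows concretely what holding $EK_i$ lets the adversary test:

```python
from itertools import combinations, product


def is_I_compatible(functions, I, X0, X1, domain, n):
    """Check Definition 4 by exhaustive search over a finite domain.

    functions: n-ary callables f(x_1, ..., x_n) (the set {f} of key queries)
    I:         indices (1-based) whose encryption keys the adversary holds
    X0, X1:    lists of q challenge vectors, Xb[j] = (x^b_{1,j}, ..., x^b_{n,j})
    domain:    the finite message space X_k
    n:         arity
    Returns (True, None) if compatible, else (False, witness) where witness
    is the first (f, I', y, j, args0, args1) with f(args0) != f(args1).
    """
    q = len(X0)
    assert len(X1) == q and all(len(v) == n for v in X0 + X1)
    domain = list(domain)
    slots = range(1, n + 1)
    for f in functions:
        for t in range(len(I) + 1):                  # |I'| = t, including I' = {}
            for I_prime in combinations(sorted(I), t):
                rest = [i for i in slots if i not in I_prime]   # i_{t+1}, ..., i_n
                for ys in product(domain, repeat=t):            # adversary-chosen y's
                    for js in product(range(q), repeat=len(rest)):  # j_1, ..., j_{n-t}
                        args0, args1 = [None] * n, [None] * n
                        for i, y in zip(I_prime, ys):           # slot i_l gets y_{i_l}
                            args0[i - 1] = args1[i - 1] = y
                        for i, j in zip(rest, js):              # other slots: challenge values
                            args0[i - 1] = X0[j][i - 1]
                            args1[i - 1] = X1[j][i - 1]
                        if f(*args0) != f(*args1):
                            return False, (f.__name__, I_prime, ys, js,
                                           tuple(args0), tuple(args1))
    return True, None


# Constructed toy instances (assumptions of this example, not from the paper).
DOMAIN = range(4)            # stands in for X_k


def parity(a, b):
    return (a + b) % 2


def equal(a, b):
    return int(a == b)


def demo():
    """Same challenge pair: compatible with no keys, incompatible once EK_1 is held."""
    X0 = [(1, 1), (0, 0)]
    X1 = [(0, 0), (1, 1)]
    ok_no_keys, _ = is_I_compatible([parity], set(), X0, X1, DOMAIN, n=2)
    ok_with_ek1, witness = is_I_compatible([parity], {1}, X0, X1, DOMAIN, n=2)
    return ok_no_keys, ok_with_ek1, witness
```

`demo()` returns `(True, False, witness)`: with no encryption keys the pair is compatible with `parity`, since every mix of challenge entries across queries gives equal outputs, but once $1 \in I$ the adversary pairs its own $y$ for slot 1 with the challenge ciphertexts for slot 2 and distinguishes $x^0_{2,j}$ from $x^1_{2,j}$ by parity; the witness names the offending $(I', y, j)$. The search is exponential in $t$ and $n - t$, so it is a specification check for small instances, not something to run on a real message space.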


4 Our MIFE Construction 

Notation: Let $k$ denote the security parameter and $n = n(k)$ denote the bound on the arity of the functions for which keys are issued. Let PRF = (PRF.Setup, PRF.Puncture, PRF.Eval) denote a sub-exponentially secure puncturable PRF with security constant $c_{\mathrm{PRF}}$, and let PKE denote a public-key encryption scheme. Let $P$ be any one-one function (in the security proof we instantiate it with a sub-exponentially secure injective one-way function with security constants $c_{\mathrm{owp}_1}$ and $c_{\mathrm{owp}_2}$). Finally, let $O$ denote a $(1, 2^{-3nl-k})$ weak extractability obfuscator (here $l$ is the length of a ciphertext of PKE). In particular, for any two equivalent circuits the security gap of the obfuscation is bounded by $2^{-3nl-k}$ (any algorithm that distinguishes obfuscations of two circuits with more than this gap yields an algorithm that extracts a differing point).

MIFE.Setup($1^k$, $n$): For each $i \in [n]$, sample $K_i \leftarrow \mathrm{PRF.Setup}(1^\lambda)$ and $\{(PK^b_i, SK^b_i)\}_{b \in \{0,1\}} \leftarrow \mathrm{PKE.Setup}(1^k)$. Let $PP_i$ be the circuit in Fig. 2. $EK_i$ is declared as the set $EK_i = \{PK^0_i, PK^1_i, \widetilde{PP}_i = O(PP_i), P\}$ and $MSK = \{SK^0_i, SK^1_i, K_i, P\}_{i \in [n]}$. Here the injective function $P$ takes as input elements from the co-domain of the PRF. $\lambda$ is set greater than $(3nl + k)^{1/c_{\mathrm{PRF}}}$ and such that the output length of the PRF is at least $\max\{(5nl + 2k)^{1/c_{\mathrm{owp}_1}}, (3nl + k)^{1/c_{\mathrm{owp}_2}}\}$.

MIFE.Enc($EK_i$, $m$): To encrypt a message $m$, the encryptor does the following:

- Sample randomness $r^0, r^1$ and compute $c^0_i = \mathrm{PKE.Enc}(PK^0_i, m; r^0)$ and $c^1_i = \mathrm{PKE.Enc}(PK^1_i, m; r^1)$.

- Evaluate $\pi_i \leftarrow \widetilde{PP}_i(c^0_i, c^1_i, m, r^0, r^1)$.

- Output $CT_i = (c^0_i, c^1_i, \pi_i)$.

MIFE.KeyGen($MSK$, $f$): Let $G_f$ be the circuit described in Fig. 3. The key for $f$ is output as $K_f \leftarrow O(G_f)$.

MIFE.Decrypt($K_f$, $\{c^0_i, c^1_i, \pi_i\}_{i \in [n]}$): Output $K_f(c^0_1, c^1_1, \pi_1, \ldots, c^0_n, c^1_n, \pi_n)$.


Multi-input Functional Encryption with Unbounded-Message Security 543 


Hard-wired: $PK^0_i, PK^1_i, K_i$.

Input: $c^0_i, c^1_i, m, r^0_i, r^1_i$

The program does the following:

- Check that $c^0_i = \mathrm{PKE.Enc}(PK^0_i, m; r^0_i)$ and $c^1_i = \mathrm{PKE.Enc}(PK^1_i, m; r^1_i)$. If the check fails, output $\bot$.

- Output $\mathrm{PRF.Eval}(K_i, c^0_i, c^1_i)$.

Fig. 2. Program Encrypt


Hard-wired: $\{SK^0_i, K_i, P\}_{i \in [n]}$.

Input: $\{c^0_i, c^1_i, \pi_i\}_{i \in [n]}$

The program does the following:

- For all $i \in [n]$, check that $P(\mathrm{PRF.Eval}(K_i, c^0_i, c^1_i)) = P(\pi_i)$. If the check fails, output $\bot$.

- Output $f(\mathrm{PKE.Dec}(SK^0_1, c^0_1), \ldots, \mathrm{PKE.Dec}(SK^0_n, c^0_n))$.

Fig. 3. Program $G^0_f$


Remark

1. We also assume that the circuits are padded appropriately before they are obfuscated.

2. Note that in the scheme, the circuit $G_f$ for the key of a function $f$ is instantiated with an arbitrary one-one function (denoted by $P$). In the proofs we replace it with a sub-exponentially secure injective one-way function. The input-output behaviour of $G_f$ does not change when it is instantiated with any one-one function, hence we can switch to a hybrid in which it is instantiated with a sub-exponentially secure injective one-way function, and due to the security of the obfuscation these two hybrids are close.
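To make the data flow of the four algorithms and the two programs above concrete, here is an added Python model (not code from the paper). Obfuscation cannot be realised in a script, so `O` is the identity and the programs $PP_i$ and $G_f$ are plain closures that hide nothing; the model therefore gives no security and only shows how the PRF-based well-formedness "proofs" tie $c^0_i$ and $c^1_i$ together and how $G_f$ rejects a ciphertext whose tag does not verify. The PKE stand-in (a toy scheme with $pk = sk$ whose encryption is deterministic given the randomness $r$, which is what lets $PP_i$ re-run it as a check), HMAC-SHA256 as the PRF, the identity as $P$, $n = 2$ and the XOR function $f$ are all assumptions of this example:

```python
import hashlib
import hmac
import os

R_LEN = 16   # length of the PKE randomness r, also the key length of the toy PKE


def _pad(key, r, length):
    # Keystream for the toy PKE; SHA-256 gives 32 bytes, enough for short m.
    return hashlib.sha256(key + r).digest()[:length]


def pke_setup():
    sk = os.urandom(R_LEN)
    return sk, sk          # (pk, sk): toy scheme with pk == sk, NOT a real PKE


def pke_enc(pk, m, r):
    """Deterministic given r, so PP_i can re-run it as its well-formedness check."""
    assert len(m) <= 32
    return r + bytes(a ^ b for a, b in zip(m, _pad(pk, r, len(m))))


def pke_dec(sk, c):
    r, body = c[:R_LEN], c[R_LEN:]
    return bytes(a ^ b for a, b in zip(body, _pad(sk, r, len(body))))


def prf(K, c0, c1):
    # PRF.Eval(K_i, c0, c1); puncturing is only needed in the proof, not here.
    return hmac.new(K, c0 + c1, hashlib.sha256).digest()


def P(v):
    return v               # any one-one function; the proof swaps in an injective OWF


def O(circuit):
    return circuit         # obfuscator stand-in: identity, hides nothing


def mife_setup(n):
    EK, MSK = [], []
    for _ in range(n):
        K = os.urandom(32)
        pk0, sk0 = pke_setup()
        pk1, sk1 = pke_setup()

        def PP(c0, c1, m, r0, r1, pk0=pk0, pk1=pk1, K=K):     # program of Fig. 2
            if c0 != pke_enc(pk0, m, r0) or c1 != pke_enc(pk1, m, r1):
                return None                                    # bottom: not well formed
            return prf(K, c0, c1)                              # the "proof" pi_i

        EK.append((pk0, pk1, O(PP), P))
        MSK.append((sk0, sk1, K, P))
    return EK, MSK


def mife_enc(EK_i, m):
    pk0, pk1, PP, _ = EK_i
    r0, r1 = os.urandom(R_LEN), os.urandom(R_LEN)
    c0, c1 = pke_enc(pk0, m, r0), pke_enc(pk1, m, r1)
    pi = PP(c0, c1, m, r0, r1)        # witness (m, r0, r1) never leaves the encryptor
    return (c0, c1, pi)


def mife_keygen(MSK, f):
    def G_f(*cts):                                             # program of Fig. 3
        msgs = []
        for (sk0, _sk1, K, P_), (c0, c1, pi) in zip(MSK, cts):
            if P_(prf(K, c0, c1)) != P_(pi):
                return None                                    # bottom: tag does not verify
            msgs.append(pke_dec(sk0, c0))                      # decrypt the first component
        return f(*msgs)
    return O(G_f)


def mife_dec(K_f, cts):
    return K_f(*cts)


def demo():
    """n = 2, f = bytewise XOR; returns (honest result, result for a forged ciphertext)."""
    EK, MSK = mife_setup(2)
    K_f = mife_keygen(MSK, lambda a, b: bytes(x ^ y for x, y in zip(a, b)))
    ct1 = mife_enc(EK[0], b"\x0f\x0f")
    ct2 = mife_enc(EK[1], b"\xff\x00")
    honest = mife_dec(K_f, [ct1, ct2])
    # Forgery attempt: replace c0 of slot 1 by an encryption of another message
    # while keeping the old tag; G_f's PRF check rejects it.
    pk0 = EK[0][0]
    forged_ct1 = (pke_enc(pk0, b"\x00\x00", os.urandom(R_LEN)), ct1[1], ct1[2])
    return honest, mife_dec(K_f, [forged_ct1, ct2])
```

`demo()` returns `(b"\xf0\x0f", None)`: the honest ciphertexts decrypt to $f(m_1, m_2)$, while the forged slot-1 ciphertext is rejected because its tag was computed on a different $(c^0_1, c^1_1)$. In the real scheme the only way to obtain a valid tag is to run the obfuscated $\widetilde{PP}_i$ on a genuine witness, which is what the security proof exploits.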


4.1 Proof Overview 

The starting point of our construction is the fully-secure construction of MIFE based on diO due to Goldwasser et al. [25] mentioned above. In their scheme, the encryption key for an index $i \in [n]$ (where $n$ is the function arity) is a pair of public keys $(pk^0_i, pk^1_i)$ for an underlying PKE scheme, and a ciphertext for index $i$ consists of encryptions of the plaintext under $pk^0_i$ and $pk^1_i$ respectively, along with a simulation-sound non-interactive zero-knowledge proof that the two ciphertexts are well-formed (i.e., both encrypt the same underlying message). The secret key for a function $f$ is an obfuscation of a program that takes as input $n$ ciphertext pairs with proofs $(c^0_1, c^1_1, \pi_1), \ldots, (c^0_n, c^1_n, \pi_n)$ and, if the proofs verify, decrypts the first ciphertext from each pair using the corresponding secret key, and finally outputs $f$ applied to the resulting plaintexts. Note that it is important for the security proof to assume diO, since one needs to argue that when the function keys are switched to decrypting the second ciphertext in each pair instead, an adversary who detects the change can be used to extract a false proof.

544 V. Goyal et al.

We develop modifications to this scheme so that we can instead leverage a result of [12] that any indistinguishability obfuscator is in fact a differing-inputs obfuscator on circuits which differ on polynomially many points. In fact, we will only need this result for circuits which differ on a single point. But we will need the extractor to work given an adversary with an even exponentially small distinguishing gap on the obfuscations of two such circuits, due to the exponential number of hybrids in our security proof. We make use of sub-exponentially secure obfuscation to achieve this.

Specifically, we make the proofs of well-formedness described above unique for every ciphertext pair, so that there is only one differing input point in the corresponding hybrids of our security proof. To achieve this, we design novel "special-purpose" proofs built from iO and punctured pseudorandom functions (PRFs) [11, 13, 29],6 which work as follows. We include in the public parameters an obfuscated program that takes as input two ciphertexts and a witness that they are well-formed (i.e., the message and the randomness used for both ciphertexts) and, if this check passes, outputs a (puncturable) PRF evaluation on those ciphertexts. Additionally, the secret key for a function $f$ will now be an obfuscation of a program which has this PRF key hardwired and verifies the "proofs" of well-formedness by checking that the PRF evaluations are correct. Interestingly, in the security proof we will switch to doing this check via an injective one-way function applied to the PRF values (i.e., the PRF values themselves are not compared, but rather the outputs of the injective one-way function applied to them). This is so that extracting a differing input at this step in the security proof will correspond to inverting an injective one-way function; otherwise, the correct PRF evaluation would still be hard-coded in the obfuscated function key and we do not know how to argue security.

We now sketch the sequence of hybrids in our security proof. The proof starts from a hybrid where each challenge ciphertext encrypts $m^0_i$ for $i \in [n]$. Then we switch to a hybrid where each $c^1_i$ is an encryption of $m^1_i$ instead. These two hybrids are indistinguishable due to the security of the PKE scheme. Let $l$ denote the length of a ciphertext. We define hybrids indexed by $x$, for all $x \in [2^{2nl}]$, in which the function key $SK_f$ decrypts the second ciphertext in each pair using $SK^1_i$ when $(c^0_1, c^1_1, \ldots, c^0_n, c^1_n) < x$ and decrypts the first ciphertext in each pair using $SK^0_i$ otherwise. Parse $x = (x^0_1, x^1_1, \ldots, x^0_n, x^1_n)$. Hybrids indexed by $x$ and $x + 1$ can be proven indistinguishable as follows: We first switch to sub-hybrids that puncture the PRF key $K_i$ at $(x^0_i, x^1_i)$, change the function key $SK_f$ to check the correctness of a PRF value by applying an injective one-way function as described above, and hard-code the output of the injective one-way function at the punctured point. Now, if the two hybrids differ at an input, that input has the form $(x^0_1, x^1_1, \alpha_1, \ldots, x^0_n, x^1_n, \alpha_n)$, where $\alpha_i$ is some fixed value (the PRF evaluation at $(x^0_i, x^1_i)$), so extracting the differing input can be used to invert the injective one-way function on a random input (namely the $\alpha_i$). As in [12], this inverter runs in time inversely proportional to the distinguishing gap between the two consecutive hybrids (which is sub-exponentially small). Hence, we require a sub-exponentially secure injective one-way function to argue security.

6 Due to the number of hybrids in our proof, we will also need the punctured PRFs to be sub-exponentially secure, but this already follows from sub-exponentially secure injective one-way functions.

Finally, we note that the exponentially many hybrids are indexed by all possible ciphertext vectors that could be input to decryption (i.e., vectors whose length is the arity of the functionality), and not by the possible challenge ciphertext vectors. This allows us to handle any unbounded (polynomial) number of ciphertexts for every index.


4.2 Proof of Security 

Theorem 3. Assuming the existence of a sub-exponentially secure indistinguishability obfuscator, a sub-exponentially secure injective one-way function and a polynomially secure public-key encryption scheme, there exists a fully IND-secure multi-input functional encryption scheme for any a priori polynomially bounded arity $n$.

Proof. We start by giving a lemma that will be crucial to the proof.

Lemma 2. Let $X$ and $Y$ denote two (possibly correlated) random variables drawn from distributions $\mathcal{X}$ and $\mathcal{Y}$ (with supports of size $|\mathcal{X}|$ and $|\mathcal{Y}|$), and let $U(X, Y)$ denote an event that depends on $X, Y$. We say that $U(X, Y) = 1$ if the event occurs, and $U(X, Y) = 0$ otherwise. Suppose $\Pr_{(X,Y) \sim (\mathcal{X},\mathcal{Y})}[U(X, Y) = 1] = p$. We say that a transcript $X$ falls in the set good if $\Pr_{Y \sim \mathcal{Y}}[U(X, Y) = 1 \mid X] \ge p/2$. Then $\Pr_{X \sim \mathcal{X}}[X \in \mathrm{good}] \ge p/2$.

Proof. We prove the lemma by contradiction. Suppose $\Pr_{X \sim \mathcal{X}}[X \in \mathrm{good}] = c < p/2$. Then

$$\Pr[U(X, Y) = 1] = \Pr[U(X, Y) = 1 \mid X \in \mathrm{good}] \cdot \Pr[X \in \mathrm{good}] + \Pr[U(X, Y) = 1 \mid X \notin \mathrm{good}] \cdot \Pr[X \notin \mathrm{good}].$$

By definition of the set good, $\Pr[U(X, Y) = 1 \mid X \notin \mathrm{good}] < p/2$. Then $p = \Pr[U(X, Y) = 1] < 1 \cdot c + (1 - c) \cdot p/2$, and since $c < p/2$ this gives $p < p/2 + p/2 = p$, which is a contradiction. This proves the lemma.

We proceed by listing hybrids, where the first hybrid corresponds to the one in which the challenger encrypts the messages $m^0_{i,j}$ for all $i \in [n]$ and the last hybrid corresponds to the one in which the challenger encrypts $m^1_{i,j}$. We then prove that each pair of consecutive hybrids is indistinguishable. Then we sum up all the advantages between the hybrids and argue that the sum is negligible.
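Carrying that summation through with the per-step bounds stated in the lemmas below (an added derivation, not part of the paper's text; $v$, $p(k)$ and $n$ are the quantities from Lemma 9 and its claims, and the descending hybrids $H_{2^{2nl}+4+x}$ are assumed to obey the same per-step bound as the ascending ones they mirror): the steps $H_0 \to H_1$, $H_1 \to H_2$, $H_{2^{2nl}+2} \to H_{2^{2nl}+3}$, $H_{2^{2nl}+3} \to H_{2^{2nl}+4}$, $H_{2^{2nl}+4} \to H_{2^{2nl}+5}$ and $H_{2 \cdot 2^{2nl}+5} \to H_{2 \cdot 2^{2nl}+6}$ each cost $\mathrm{negl}(k)$, while each of the $2^{2nl}$ steps $H_x \to H_{x+1}$, $x \in [2, 2^{2nl}+1]$, costs by the sub-hybrids of Lemma 9

$$|\Pr[D(H_x) = 1] - \Pr[D(H_{x+1}) = 1]| \le O(n \cdot 2^{-3nl-k}) + O(p(k) \cdot 2^{-3nl-k}) + O(n \cdot 2^{-2nl-k}) + O(p(k) \cdot 2^{-2nl-k}) + \ldots = O(v \cdot 2^{-2nl-k}),$$

so that

$$\mathrm{Adv}_D \le \sum_{i} |\Pr[D(H_i) = 1] - \Pr[D(H_{i+1}) = 1]| \le \mathrm{negl}(k) + 2 \cdot 2^{2nl} \cdot O(v \cdot 2^{-2nl-k}) = \mathrm{negl}(k) + O(v \cdot 2^{-k}),$$

which is negligible in $k$. The exponent $2nl$ in the per-step bound is exactly what the $2^{2nl}$-long chain of hybrids consumes, and it is the reason the obfuscator, the puncturable PRF and the injective one-way function all need sub-exponential security rather than the polynomial security that suffices for PKE.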

$H_0$

1. The challenger does the setup to compute the encryption keys $EK_i$ for all $i \in [n]$ and $MSK$ as described in the algorithm.

2. $A$ may query for encryption keys $EK_i$ for some $i \in [n]$, function keys for functions $f$ and ciphertexts, in an interleaved fashion.

3. If it asks for an encryption key for index $i$, it is given $EK_i$.

4. When $A$ queries keys for $n$-ary functions $f_j$, the challenger computes the keys honestly using $MSK$.

5. $A$ may also ask for encryptions of message vectors $M^h = \{(m^h_{1,j}, \ldots, m^h_{n,j})\}_j$, where $h \in \{0, 1\}$ and $j$ denotes the encryption query number. The message vectors have to satisfy the constraint given in the security definition.

6. For all queries $j$, the challenger encrypts $CT_{i,j}$ for all $i \in [n]$ as follows: $c^0_{i,j} = \mathrm{PKE.Enc}(PK^0_i, m^0_{i,j})$, $c^1_{i,j} = \mathrm{PKE.Enc}(PK^1_i, m^0_{i,j})$ and $\pi_{i,j} \leftarrow \mathrm{PRF.Eval}(K_i, c^0_{i,j}, c^1_{i,j})$. Then the challenger outputs $CT_{i,j} = (c^0_{i,j}, c^1_{i,j}, \pi_{i,j})$.

7. $A$ can ask for function keys for functions $f_j$, encryption keys $EK_i$ and ciphertexts as long as they satisfy the constraint given in the security definition.

8. $A$ now outputs a guess $b' \in \{0, 1\}$.

Hard-wired: $\{SK^0_i, SK^1_i, K_i, x, P\}_{i \in [n]}$.

Input: $\{c^0_i, c^1_i, \pi_i\}_{i \in [n]}$

The program does the following:

- For all $i \in [n]$, check that $P(\mathrm{PRF.Eval}(K_i, c^0_i, c^1_i)) = P(\pi_i)$. If the check fails, output $\bot$.

- If $(c^0_1, c^1_1, \ldots, c^0_n, c^1_n) < x - 2$, output $f(\mathrm{PKE.Dec}(SK^1_1, c^1_1), \ldots, \mathrm{PKE.Dec}(SK^1_n, c^1_n))$; otherwise output $f(\mathrm{PKE.Dec}(SK^0_1, c^0_1), \ldots, \mathrm{PKE.Dec}(SK^0_n, c^0_n))$.

Fig. 4. Program $G_{f,x}$

$H_1$: Let $q$ denote the number of ciphertext queries. This hybrid is the same as the previous one except that for all indices $i \in [n]$, $j \in [q]$, the challenge ciphertext component $c^1_{i,j}$ is set as $c^1_{i,j} = \mathrm{PKE.Enc}(PK^1_i, m^1_{i,j})$.

$H_x$, $x \in [2, 2^{2nl}+2]$: This hybrid is the same as the previous one except that the key for every function query $f$ is generated as an obfuscation of the program in Fig. 4 by hard-wiring $x$ (along with $SK^0_i, SK^1_i, K_i, P$).

$H_{2^{2nl}+3}$: This hybrid is the same as the previous one except that the function key for any function $f$ is generated by obfuscating the program in Fig. 5.

$H_{2^{2nl}+4}$: Let $q$ denote the number of ciphertext queries made by the adversary. This hybrid is the same as the previous one except that for all indices $i \in [n]$, $j \in [q]$, the challenge ciphertext component $c^0_{i,j}$ is generated as $c^0_{i,j} = \mathrm{PKE.Enc}(PK^0_i, m^1_{i,j})$.

$H_{2^{2nl}+4+x}$, $x \in [2^{2nl}+1]$: This hybrid is the same as the previous one except that the key for a function $f$ is generated by obfuscating the program in Fig. 4 by hard-wiring $2^{2nl}+3-x$ (along with $SK^0_i, SK^1_i, K_i, P$).



Hard-wired: $\{SK^1_i, K_i, P\}_{i \in [n]}$.

Input: $\{c^0_i, c^1_i, \pi_i\}_{i \in [n]}$

The program does the following:

- For all $i \in [n]$, check that $P(\mathrm{PRF.Eval}(K_i, c^0_i, c^1_i)) = P(\pi_i)$. If the check fails, output $\bot$.

- Output $f(\mathrm{PKE.Dec}(SK^1_1, c^1_1), \ldots, \mathrm{PKE.Dec}(SK^1_n, c^1_n))$.

Fig. 5. Program $G^1_f$

$H_{2 \cdot 2^{2nl}+6}$: This hybrid corresponds to the real security game when $b = 1$.

We now argue indistinguishability by means of the following lemmas.

Lemma 3. For any PPT distinguisher $D$, $|\Pr[D(H_0) = 1] - \Pr[D(H_1) = 1]| \le \mathrm{negl}(k)$.

Proof. This lemma follows from the security of the encryption scheme PKE. In these hybrids, all function keys depend only on the secret keys $SK^0_i$ for $i \in [n]$, and $SK^1_i$ never appears. If there is a distinguisher $D$ that distinguishes between the hybrids, then there exists an algorithm $A$ that breaks the security of the encryption scheme with the same advantage. $A$ gets a set of public keys $PK_1, \ldots, PK_n$ from the encryption challenger, samples key pairs $(PK^0_i, SK^0_i)$ for all $i \in [n]$ itself and sets $PK^1_i = PK_i$ for all $i \in [n]$. It also samples PRF keys $K_i$ for all $i \in [n]$. Using these keys, it generates the encryption keys $EK_i$ for all $i \in [n]$. Then it invokes $D$ and answers the queries for encryption keys $EK_i$ and function keys; $A$ generates function keys only as obfuscations of $G^0_f$. Finally, $D$ declares $M^b = \{(m^b_{1,j}, \ldots, m^b_{n,j})\}_{j \in [q]}$ for $b \in \{0, 1\}$. $A$ sends $(M^0, M^1)$ to the encryption challenger and gets back $c_{i,j}$ for all $i \in [n]$, $j \in [q]$. $A$ computes $c^0_{i,j} \leftarrow \mathrm{PKE.Enc}(PK^0_i, m^0_{i,j})$ and then evaluates $\pi_{i,j} \leftarrow \mathrm{PRF.Eval}(K_i, c^0_{i,j}, c_{i,j})$. It sets $CT_{i,j} = (c^0_{i,j}, c_{i,j}, \pi_{i,j})$ and sends it to $D$. After that, $D$ may query keys for functions and encryption keys, and the responses are given as before. $D$ now submits a guess $b'$, which $A$ also outputs as its guess for the encryption challenge. If $c_{i,j}$ is an encryption of $m^0_{i,j}$ then $D$'s view is identical to the view in $H_0$, otherwise it is identical to the view in $H_1$. Hence the advantage of $D$ in distinguishing the hybrids is at most the advantage of $A$ in breaking the security of the encryption scheme.

Lemma 4. For any PPT distinguisher $D$, $|\Pr[D(H_1) = 1] - \Pr[D(H_2) = 1]| \le \mathrm{negl}(k)$.

Proof. For simplicity, we consider the case when there is only a single function key query $f$. The general case can be argued by introducing $v$ intermediate hybrids, where $v$ is the number of keys issued to the adversary. Indistinguishability of these hybrids follows from the fact that the circuits $G^0_f$ and $G_{f,x=2}$ are functionally equivalent. Hence, by the indistinguishability obfuscation property of the weak extractability obfuscator, the lemma holds. For completeness, we describe the reduction. We construct an adversary $A$ that uses $D$ to break the security of the weak extractability obfuscator. $A$ invokes $D$, does the setup (by sampling PKE key pairs and PRF keys for all indices) and answers ciphertext queries as in the previous hybrid $H_1$. On the query $f$ from $D$, it sends $G^0_f$ and $G_{f,x=2}$ to the obfuscation challenger, receives $K_f$ and forwards it to $D$. It replies to the encryption key queries of $D$ using the sampled PKE keys and PRF keys. Then it outputs whatever $D$ outputs. Note that the view of $D$ is identical to the view in $H_1$ (if $K_f$ is an obfuscation of $G^0_f$) or in $H_2$ (if $K_f$ is an obfuscation of $G_{f,x=2}$). Hence the advantage of $A$ is at least the advantage of $D$ in distinguishing the hybrids, and by the security of the obfuscator the claim holds.

Lemma 5. For any PPT distinguisher $D$, $|\Pr[D(H_{2^{2nl}+2}) = 1] - \Pr[D(H_{2^{2nl}+3}) = 1]| \le \mathrm{negl}(k)$.

Proof. This follows from the indistinguishability security of the obfuscator $O$. For any function $f$, $G^1_f$ is functionally equivalent to $G_{f, x = 2^{2nl}+2}$. The proof of the lemma is similar to the proof of Lemma 4.

Lemma 6. For any PPT distinguisher $D$, $|\Pr[D(H_{2^{2nl}+3}) = 1] - \Pr[D(H_{2^{2nl}+4}) = 1]| \le \mathrm{negl}(k)$.

Proof. This follows from the security of the encryption scheme PKE. Note that in both hybrids $SK^0_i$ is not used anywhere. The proof is similar to the proof of Lemma 3.

Lemma 7. For any PPT distinguisher $D$, $|\Pr[D(H_{2^{2nl}+4}) = 1] - \Pr[D(H_{2^{2nl}+5}) = 1]| \le \mathrm{negl}(k)$.

Proof. This follows from the indistinguishability security of the obfuscator $O$. The proof is similar to the proof of Lemma 4.

Lemma 8. For any PPT distinguisher $D$, $|\Pr[D(H_{2 \cdot 2^{2nl}+5}) = 1] - \Pr[D(H_{2 \cdot 2^{2nl}+6}) = 1]| \le \mathrm{negl}(k)$.

Proof. This follows from the indistinguishability security of the obfuscator $O$. The proof is similar to the proof of Lemma 4.

Lemma 9. For any PPT distinguisher $D$ and any $x \in [2, 2^{2nl}+1]$, $|\Pr[D(H_x) = 1] - \Pr[D(H_{x+1}) = 1]| \le O(v \cdot 2^{-2nl-k})$ for some polynomial $v$.

Proof. We now list the following sub-hybrids and argue indistinguishability between them.

$H_{x,1}$

1. The challenger samples key pairs $(PK^0_i, SK^0_i), (PK^1_i, SK^1_i)$ for each $i \in [n]$.

2. It parses $x - 2 = (x^0_1, x^1_1, \ldots, x^0_n, x^1_n)$ and computes $(a^0_i, a^1_i) \leftarrow (\mathrm{PKE.Dec}(SK^0_i, x^0_i), \mathrm{PKE.Dec}(SK^1_i, x^1_i))$ for each $i \in [n]$.

3. It samples puncturable PRF keys $K_i$ for all $i \in [n]$.

4. Let $Z \subseteq [n]$ be the set of indices $i$ with $a^0_i \ne a^1_i$. It computes $\alpha_i \leftarrow \mathrm{PRF.Eval}(K_i, x^0_i, x^1_i)$ and derives punctured keys $K'_i \leftarrow \mathrm{PRF.Puncture}(K_i, (x^0_i, x^1_i))$ for all $i \in [n]$.

5. If $A$ queries for encryption keys: for any $i \in Z$, $\widetilde{PP}_i$ is generated as an obfuscation of the circuit in Fig. 2 instantiated with the punctured key $K'_i$ ($\alpha_i$ will never be accessed by the circuit $PP_i$ in this case, since no witness makes $(x^0_i, x^1_i)$ pass its well-formedness check). For all other indices $i$, $\widetilde{PP}_i$ is constructed using the punctured key $K'_i$ and hard-coding the value $\alpha_i$ (for the input $(x^0_i, x^1_i)$), as in Fig. 6. These $\widetilde{PP}_i$ are used to respond to the queries for $EK_i$.

6. If $A$ queries keys for $n$-ary functions $f_j$, the challenger computes the keys honestly as in $H_x$ using $MSK$.

7. If $A$ releases message vectors $M^h = \{(m^h_{1,j}, \ldots, m^h_{n,j})\}_j$, where $h \in \{0, 1\}$, the challenger encrypts $CT_{i,j}$ for all $i \in [n]$, $j \in [q]$ as follows: $c^0_{i,j} = \mathrm{PKE.Enc}(PK^0_i, m^0_{i,j})$ and $c^1_{i,j} = \mathrm{PKE.Enc}(PK^1_i, m^1_{i,j})$. If $(c^0_{i,j}, c^1_{i,j}) = (x^0_i, x^1_i)$, set $\pi_{i,j} = \alpha_i$; otherwise set $\pi_{i,j} \leftarrow \mathrm{PRF.Eval}(K'_i, c^0_{i,j}, c^1_{i,j})$. Then the challenger outputs $CT_{i,j} = (c^0_{i,j}, c^1_{i,j}, \pi_{i,j})$. Here $q$ denotes the total number of encryption queries.

8. $A$ can ask for function keys for functions $f_j$ and encryption keys $EK_i$ as long as they satisfy the constraint with the message vectors.

9. $A$ now outputs a guess $b' \in \{0, 1\}$.


Hard-wired: $PK^0_i, PK^1_i, K'_i, \alpha_i, x^0_i, x^1_i$.

Input: $c^0_i, c^1_i, m, r^0_i, r^1_i$

The program does the following:

- Check that $c^0_i = \mathrm{PKE.Enc}(PK^0_i, m; r^0_i)$ and $c^1_i = \mathrm{PKE.Enc}(PK^1_i, m; r^1_i)$. If the check fails, output $\bot$.

- If $(c^0_i, c^1_i) = (x^0_i, x^1_i)$, output $\alpha_i$; otherwise output $\mathrm{PRF.Eval}(K'_i, c^0_i, c^1_i)$.

Fig. 6. Program Encrypt*


$H_{x,2}$: This hybrid is similar to the previous one except that the function key for any function $f$ is generated as an obfuscation of the program in Fig. 7 by hard-wiring $x$ and $(SK^0_i, SK^1_i, K'_i, P, P(\alpha_i), x^0_i, x^1_i)$ for all $i \in [n]$.

$H_{x,3}$: This hybrid is similar to the previous one except that for all $i \in [n]$, $\alpha_i$ is chosen uniformly at random from the domain of the injective one-way function $P$.

$H_{x,4}$: This hybrid is similar to the previous one except that the function key is generated as an obfuscation of the program in Fig. 7 initialised with $x + 1$.
Hard-wired: $\{SK^0_i, SK^1_i, K'_i, P, P(\alpha_i), x^0_i, x^1_i\}_{i \in [n]}$ and $x$.

Input: $\{c^0_i, c^1_i, \pi_i\}_{i \in [n]}$

The program does the following:

- For any $i \in [n]$, if $(c^0_i, c^1_i) = (x^0_i, x^1_i)$, check that $P(\alpha_i) = P(\pi_i)$. If the check fails, output $\bot$.

- Otherwise, for $i \in [n]$, check that $P(\mathrm{PRF.Eval}(K'_i, c^0_i, c^1_i)) = P(\pi_i)$. If the check fails, output $\bot$.

- If $(c^0_1, c^1_1, \ldots, c^0_n, c^1_n) < x - 2$, output $f(\mathrm{PKE.Dec}(SK^1_1, c^1_1), \ldots, \mathrm{PKE.Dec}(SK^1_n, c^1_n))$; otherwise output $f(\mathrm{PKE.Dec}(SK^0_1, c^0_1), \ldots, \mathrm{PKE.Dec}(SK^0_n, c^0_n))$.

Fig. 7. Program $G^*_{f,x}$


$H_{x,5}$: This hybrid is the same as the previous one except that $\alpha_i$, for all $i \in [n]$, is chosen as the actual PRF value at $(x^0_i, x^1_i)$ using the key $K_i$.

$H_{x,6}$: This hybrid is the same as the previous one except that the keys for a function $f$ are generated as obfuscations of the program in Fig. 4 initialised with $x + 1$.

$H_{x,7}$: This hybrid is the same as the previous one except that for all $i \in [n]$, $\widetilde{PP}_i$ is generated as an obfuscation of the program in Fig. 2 initialised with the genuine PRF key $K_i$. This hybrid is identical to the hybrid $H_{x+1}$.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_x) = 1] - \Pr[D(H_{x,1}) = 1]| \le O(n \cdot 2^{-3nl-k})$.

Proof. This claim follows from the indistinguishability security of the weak extractability obfuscator. For $i \in Z$, the circuit in Fig. 2 initialised with the regular PRF key $K_i$ is functionally equivalent to the same circuit initialised with the punctured key $K'_i$. This is because for $i \in Z$ the pair $(x^0_i, x^1_i)$ never satisfies the well-formedness check (the two ciphertexts decrypt to different messages $a^0_i \ne a^1_i$, so no witness exists), hence the PRF is never evaluated at this point, and the punctured key agrees with $K_i$ at all points except the punctured one. For $i \in [n] \setminus Z$, the program in Fig. 2 initialised with $K_i$ is functionally equivalent to the program in Fig. 6 initialised with $(K'_i, \alpha_i)$.

From the above observation, we can prove the claim by at most $n$ intermediate hybrids in which we switch the obfuscations $\widetilde{PP}_i$ one by one to use the punctured key; each intermediate hybrid is indistinguishable from the previous one due to the security of the obfuscation.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,1}) = 1] - \Pr[D(H_{x,2}) = 1]| \le O(p(k) \cdot 2^{-3nl-k})$, where $p(k)$ is some polynomial.

Proof. This follows from the indistinguishability obfuscation property of the weak extractability obfuscator $O$. The proof goes through at most $p$ intermediate hybrids, in each of which one queried $K_f$ is switched from an obfuscation of the program in Fig. 4 (with hard-wired values $SK^0_i, SK^1_i, K_i, x, P$) to an obfuscation of the program in Fig. 7 (with hard-wired values $SK^0_i, SK^1_i, K'_i, P, P(\alpha_i), x^0_i, x^1_i, x$). Note that in these hybrids both programs are functionally equivalent. The reduction is straightforward and we omit the details.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,2}) = 1] - \Pr[D(H_{x,3}) = 1]| \le O(n \cdot 2^{-2nl-k})$.

Proof. This claim follows from the property that a puncturable PRF's value is pseudorandom at the punctured point given the punctured key (sub-exponential security of the puncturable PRF). The proof goes through a sequence of at most $n$ hybrids where, for each index $i \in [n]$, $(K'_i, \alpha_i = \mathrm{PRF.Eval}(K_i, x^0_i, x^1_i))$ is replaced with $(K'_i, \alpha_i \leftarrow \mathcal{R})$. This can be done because in both these hybrids the function keys and the encryption keys use only the punctured keys and the value of the PRF at the punctured point. Here $\mathcal{R}$ is the co-domain of the PRF, which is equal to the domain of the injective one-way function $P$. Since the PRF is sub-exponentially secure with security constant $c_{\mathrm{PRF}}$, when it is initialised with parameter greater than $(2nl + k)^{1/c_{\mathrm{PRF}}}$ the distinguishing advantage between each pair of intermediate hybrids is bounded by $O(2^{-2nl-k})$. The reduction is straightforward and we omit the details.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,3}) = 1] - \Pr[D(H_{x,4}) = 1]| \le O(p(k) \cdot 2^{-2nl-k})$ for some polynomial $p(k)$.

Proof. We prove this claim for the simplified case when only one function key is queried. The general case follows by considering a sequence of intermediate hybrids where the function keys are changed one by one, hence the factor $p(k)$. Assume that there is a PPT algorithm $D$ such that $|\Pr[D(H_{x,3}) = 1] - \Pr[D(H_{x,4}) = 1]| \ge \epsilon > 2^{-2nl-k}$. Note that these hybrids are identical up to the point where the adversary asks for a key for a function $f$. We argue indistinguishability according to the following cases.

1. Case 0: The circuit in Fig. 7 initialised with $x$ is functionally equivalent to the circuit in Fig. 7 initialised with $x + 1$.

2. Case 1: The two circuits described above are not equivalent.

Let $Q$ denote the random variable with $Q = 0$ if the adversary is in Case 0 and $Q = 1$ otherwise. By $\epsilon_{Q=b}$ denote the value $|\Pr[D(H_{x,3}) = 1 \mid Q = b] - \Pr[D(H_{x,4}) = 1 \mid Q = b]|$. Then $\Pr[Q = 0] \epsilon_{Q=0} + \Pr[Q = 1] \epsilon_{Q=1} \ge \epsilon$.

Now we analyse both cases:

$\Pr[Q = 0] \epsilon_{Q=0} < 2^{-2nl-k}$: This follows from the indistinguishability security of the $(1, 2^{-3nl-k})$ weak extractability obfuscator. Consider an adversary $D$ with $Q = 0$ and a challenger $C$; we construct an algorithm $A$ that uses $D$ and breaks the indistinguishability obfuscation property of the weak extractability obfuscator with the same advantage. $A$ works as follows: $A$ invokes $C$, which invokes $D$. $C$ does the setup as in the hybrid and responds to the queries of $D$. $D$ outputs $f$. $A$ gives $G^*_{f,x}$ and $G^*_{f,x+1}$ to the obfuscation challenger and gets back $K_f$, which is given to $D$. $D$'s remaining queries are answered by $C$. $A$ outputs whatever $D$ outputs. $A$ breaks the indistinguishability obfuscation security of the weak extractability obfuscator with advantage at least $\epsilon_{Q=0}$, as the view of $D$ is identical to $H_{x,3}$ if $G^*_{f,x}$ was obfuscated and identical to $H_{x,4}$ otherwise.

Pr[Q = l]e Q =i <2 2nl k : The only point at which the two circuits Gj x and 
Gj X+1 in this case may differ is (x?, x 1 , aq, ..., x n , a n ) where oti is the inverse 
of a fixed injective one way function value P(c^). In this case, due to secu- 
rity of weak extract ability obfuscator the claim holds. Assume to the contrary 
Pr[Q = 1]cq— i > S > 2~ 2nl ~ k . In this case, let r be the transcript (including 
the randomness to generate PKE keys, PRF keys along with chosen <a's) between 
the challenger and the adversary till the point function key for function / is 
queried. We denote r G good if conditioned on r, t r ,Q=i > £q= i/2. Then, using 
Lemma 2, one can show that Pr[r G good] > €q = i/2. 

Now, let us denote by set Z a set that contains indices in i G [n\ such that 
a® 7^ a\. Note that oti can be requested by the adversary in one of the two 
following ways: a ? = a\ and adversary queries for EKi or adversary queries for 
an encryption of (a®, a}) and challenger sends encryption as (x^xj^ai) with 
some probability. Let E denote the set of indices for which c^’s queried by the 
adversary through first method and S denote the set queried through second 
method. Then it holds that SUE [n\. This is because adversary cannot query 
for such cipher-texts and encryption keys in these hybrids since Q = 1 and in 
particular it holds that /(< {a®} ieS , {a^}i e E >) ^ /(< {aj }ies, {(4 }e >)• Here 
<, > denotes the permutation which sends a variable with subscript i to index i. 

Now we let $T \subseteq [n]$ denote the set of $\alpha_i$ for $i \in [n]$ requested by $D$ (either by
querying a cipher-text or by querying for $EK_i$ such that $\alpha^0_i = \alpha^1_i$). We know that,
conditioned on $\tau$ (the randomness up to the point $f$ is queried),

$$\bigl|\Pr[D(H_{x,3}) = 1 \mid Q = 1, \tau] - \Pr[D(H_{x,4}) = 1 \mid Q = 1, \tau]\bigr| > \varepsilon_{Q=1}/2.$$

Summing over all $t \subseteq Z$,

$$\sum_{t} \bigl|\Pr[D(H_{x,3}) = 1 \wedge T = t \mid Q = 1, \tau] - \Pr[D(H_{x,4}) = 1 \wedge T = t \mid Q = 1, \tau]\bigr| > \varepsilon_{Q=1}/2.$$

Since the number of proper subsets of $[n]$ is bounded by $2^n$, there exists a set $t$ such
that

$$\bigl|\Pr[D(H_{x,3}) = 1 \wedge T = t \mid Q = 1, \tau] - \Pr[D(H_{x,4}) = 1 \wedge T = t \mid Q = 1, \tau]\bigr| > \varepsilon_{Q=1}/2^{n+1}.$$

Now we construct an adversary $A$ that breaks the security of the injective one way
function with probability $\Pr[Q = 1]\,\varepsilon_{Q=1}/2^{n+1}$ and runs in time $O(2^{2n}/\varepsilon_{Q=1})$.
$A$ runs as follows:

1. $A$ invokes $D$. Then it does the setup and generates PKE keys and punctured PRF
keys $K_i$ for all indices in $[n]$ according to hybrid $H_{x,3}$.

2. $A$ gets injective one way function values from the injective one way function
challenger: $(P, P(\alpha_1), \ldots, P(\alpha_n))$.

3. $A$ now guesses a random proper subset $t \subset [n]$.

4. For all indices $i \in t$ it gets $\alpha_i$ from the injective one way function challenger.

5. If $EK_i$ is asked for any $i \in t \cup Z$, it is generated as in the hybrid and given out.
Otherwise, $A$ aborts. We call the transcript up to this point $\tau$.

6. When $D$ asks for a key for $f$: if $f$ is such that $Q = 0$, $A$ outputs $\bot$. $A$ now
constructs a distinguisher $B$ for obfuscations of the circuits $G^*_{f,x}$ and $G^*_{f,x+1}$ as
follows:

- $A$ gets as a challenge an obfuscation $C_f$, which is an obfuscation of $G^*_{f,x}$ or
$G^*_{f,x+1}$.

- $A$ gives this obfuscation to $B$, which invokes $D$ from the point of the
transcript $\tau$ and gives this obfuscation to $D$.

- When $D$ asks for a cipher-text, if the query is such that $B$ can generate
it using $\alpha_i$, $i \in t$, then it answers the cipher-text query. Otherwise, it outputs
$0$.

- If $EK_i$ is asked by $D$ for any $i \in t \cup Z$, it is generated as in the hybrid and given
out. If any other encryption key is queried, it outputs $0$.

- If the set of indices whose $\alpha_i$'s were used to generate responses to the queries (in
the transcript $\tau$ and the queries asked by $D$ when run by $B$) equals $t$, it
outputs whatever $D$ outputs; otherwise, $B$ outputs $0$.

7. If $t$ is correctly guessed as $t^*$, it is easy to check that

$$\bigl|\Pr[B(G^*_{f,x}, G^*_{f,x+1}, O(G^*_{f,x}), \mathsf{aux}) = 1] - \Pr[B(G^*_{f,x}, G^*_{f,x+1}, O(G^*_{f,x+1}), \mathsf{aux}) = 1]\bigr| > \varepsilon_{Q=1}/2^{n+1}.$$

(Here $\mathsf{aux}$ is the information held by $A$ that is required to run $B$, including
$\alpha_i$ for all $i \in t$, $P(\alpha_i)$, $PK^0_i$, $PK^1_i$, $SK^0_i$, $SK^1_i$ for all $i \in [n]$, and the transcript $\tau$ up to
point 4.) This is because

$$\bigl|\Pr[B(G^*_{f,x}, G^*_{f,x+1}, O(G^*_{f,x}), \mathsf{aux}) = 1] - \Pr[B(G^*_{f,x}, G^*_{f,x+1}, O(G^*_{f,x+1}), \mathsf{aux}) = 1]\bigr| =$$
$$\bigl|\Pr[D(H_{x,3}) = 1 \wedge T = t \mid Q = 1, \tau] - \Pr[D(H_{x,4}) = 1 \wedge T = t \mid Q = 1, \tau]\bigr| > \varepsilon_{Q=1}/2^{n+1}.$$

8. We finally run the extractor $E$ of the weak extractability obfuscator using
$B$ to extract a point $(x^0_1, x^1_1, \alpha_1, \ldots, x_n, \alpha_n)$. (This extraction can be run
as long as $\varepsilon_{Q=1}/2^{n+1} > 2^{-3nl}$, implying $\varepsilon_{Q=1} > 2^{-2nl-k}$, as otherwise there
is nothing to prove and the claim trivially goes through.) This extractor runs in
time $O(t_D \cdot 2^{2n}/\varepsilon_{Q=1})$. The probability of success of this extraction is

$$\Pr[Q = 1] \cdot \Pr[\tau \text{ is good}] \cdot \Pr[t \text{ is guessed correctly}] > \Pr[Q = 1] \cdot \varepsilon_{Q=1}/2^{n+1}.$$

Let $\mu$ be the input length of the injective one way function. We note the following
cases:

Case 0: If $\Pr[Q = 1]\,\varepsilon_{Q=1} < O(2^{-2nl-k})$, the claim goes through.

Case 1: If $\Pr[Q = 1]\,\varepsilon_{Q=1}/2^{n+1} < O(2^{-\mu^{c_{owp2}}})$, the claim goes
through if $\mu$ is set to be greater than $(3nl + k)^{1/c_{owp2}}$.

Case 2: If case 1 does not occur, then we must have that $2^{2n}/\varepsilon_{Q=1} > 2^{\mu^{c_{owp1}}}$,
implying that if $\mu$ is greater than $(5nl + 2k)^{1/c_{owp1}}$ the claim holds (due to the
security of the injective one way function $P$).

Hence, if $\mu > \max\{(3nl + k)^{1/c_{owp2}}, (5nl + 2k)^{1/c_{owp1}}\}$, then $\Pr[Q = 1]\,\varepsilon_{Q=1} <
2^{-2nl-k}$ and the claim holds.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,4}) = 1] - \Pr[D(H_{x,5}) = 1]| <
O(n \cdot 2^{-2nl-k})$.

Proof. This claim follows from the security of the puncturable PRFs. This is
similar to the proof of Claim 4.2.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,5}) = 1] - \Pr[D(H_{x,6}) = 1]| <
O(p(k) \cdot 2^{-2nl-k})$. Here $p(\cdot)$ is some polynomial.

Proof. This claim follows from the indistinguishability obfuscation security of the
weak extractability obfuscator. This proof is similar to the proof of Claim 4.2.

Claim. For any PPT distinguisher $D$, $|\Pr[D(H_{x,6}) = 1] - \Pr[D(H_{x,7}) = 1]| <
O(n \cdot 2^{-2nl-k})$.

Proof. This claim follows from the indistinguishability obfuscation security of the
weak extractability obfuscator $O$. This proof is similar to the proof of Claim 4.2.
Combining all the claims above, we prove the lemma.

Lemma 10. For any PPT distinguisher $D$ and $x \in [2^{2ln}]$, $|\Pr[D(H_{2 \cdot 2^{2ln} + 4 + x}) =
1] - \Pr[D(H_{2 \cdot 2^{2ln} + 5 + x}) = 1]| < O(v(k) \cdot 2^{-2nl-k})$ for some polynomial $v(k)$.

Proof. The proof of this lemma is similar to the proof of Lemma 9.

Combining all these lemmas, we get that for any PPT $D$,

$$|\Pr[D(H_0) = 1] - \Pr[D(H_{2 \cdot 2^{2ln} + 6}) = 1]| < \mathrm{negl}(k) + 2 \cdot 2^{2nl} \cdot O(v(k) \cdot 2^{-2nl-k}) < \mathrm{negl}(k).$$
Abstract. In light of security challenges that have emerged in a world
with complex networks and cloud computing, the notion of functional
encryption has recently emerged. In this work, we show that in several
applications of functional encryption (even those cited in the earliest
works on functional encryption), the formal notion of functional encryp-
tion is actually not sufficient to guarantee security. This is essentially
because the case of a malicious authority and/or encryptor is not con-
sidered. To address this concern, we put forth the concept of verifiable
functional encryption, which captures the basic requirement of output
correctness: even if the ciphertext is maliciously generated (and even if
the setup and key generation is malicious), the decryptor is still guar-
anteed a meaningful notion of correctness which we show is crucial in
several applications.

We formalize the notion of verifiable functional encryption and, fol-
lowing prior work in the area, put forth a simulation-based and an
indistinguishability-based notion of security. We show that simulation-
based verifiable functional encryption is unconditionally impossible even
in the most basic setting where there may only be a single key and a
single ciphertext. We then give general positive results for the indistin-
guishability setting: a general compiler from any functional encryption
scheme into a verifiable functional encryption scheme with the only addi-
tional assumption being the Decision Linear Assumption over Bilinear
Groups (DLIN). We also give a generic compiler in the secret-key set-
ting for functional encryption which maintains both message privacy
and function privacy. Our positive results are general and also apply
to other simpler settings such as Identity-Based Encryption, Attribute-
Based Encryption and Predicate Encryption. We also give an application
of verifiable functional encryption to the recently introduced primitive


A. Sahai — Research supported in part from a DARPA/ARL SAFEWARE award, 
NSF Frontier Award 1413955, NSF grants 1228984, 1136174, and 1065276, a Xerox 
Faculty Research Award, a Google Faculty Research Award, an equipment grant 
from Intel, and an Okawa Foundation Research Grant. This material is based upon 
work supported by the Defense Advanced Research Projects Agency through the 
ARL under Contract W911NF-15-C-0205. The views expressed are those of the 
author and do not reflect the official policy or position of the Department of Defense, 
the National Science Foundation, or the U.S. Government. 

(c) International Association for Cryptologic Research 2016 

J.H. Cheon and T. Takagi (Eds.): ASIACRYPT 2016, Part II, LNCS 10032, pp. 557-587, 2016. 

DOI: 10.1007/978-3-662-53890-6-19 



558 S. Badrinarayanan et al. 

of functional commitments. Finally, in the context of indistinguishabil- 
ity obfuscation, there is a fundamental question of whether the correct 
program was obfuscated. In particular, the recipient of the obfuscated 
program needs a guarantee that the program indeed does what it was 
intended to do. This question turns out to be closely related to verifi- 
able functional encryption. We initiate the study of verifiable obfuscation 
with a formal definition and construction of verifiable indistinguishability 
obfuscation. 

1 Introduction 

Encryption has traditionally been seen as a way to ensure confidentiality of a 
communication channel between a unique sender and a unique receiver. How- 
ever, with the emergence of complex networks and cloud computing, recently 
the cryptographic community has been rethinking the notion of encryption to 
address security concerns that arise in these more complex environments. 

In particular, the notion of functional encryption (FE) was introduced
[29,30], with the first comprehensive formalizations of FE given in [13,26]. In
FE, there is an authority that sets up public parameters and a master secret key.
Encryption of a value x can be performed by any party that has the public para-
meters and x. Crucially, however, the master secret key can be used to generate
limited “function keys.” More precisely, for a given allowable function f, using
the master secret key, it is possible to generate a function key SK_f. Applying
this function key to an encryption of x yields only f(x). In particular, an adver-
sarial entity that holds an encryption of x and SK_f learns nothing more about x
than what is learned by obtaining f(x). It is not difficult to imagine how useful
such a notion could be: the function f could enforce access control policies, or
more generally only allow highly processed forms of data to be learned by the
function key holder.

Our work: The case of dishonest authority and encryptor. However, 
either implicitly or explicitly, almost¹ all known prior work on FE has not con-
sidered the case where either the authority or the encryptor, or both, could 
be dishonest. This makes sense historically, since for traditional encryption, for 
example, there usually isn’t a whole lot to be concerned about if the receiver 
that chooses the public/secret key pair is herself dishonest. However, as we now 
illustrate with examples, there are simple and serious concerns that arise for 
FE usage scenarios when the case of a dishonest authority and encryptor is 
considered: 

- Storing encrypted images: Let us start with a motivating example for FE 
given in the paper of Boneh, Sahai, and Waters [13] that initiated the system- 
atic study of FE. Suppose that there is a cloud service on which customers 

¹ One of the few counter-examples to this that we are aware of is the line of work
[19,20,28] on Accountable Authority IBE, which dealt with the very different problem
of preventing a malicious authority that tries to sell decryption boxes.
store encrypted images. Law enforcement may require the cloud to search for
images containing a particular face. Thus, customers would be required to 
provide to the cloud a restrictive decryption key which allows the cloud to 
decrypt images containing the target face (but nothing else). Boneh et al. 
argued that one could use functional encryption in such a setting to provide 
these restricted decryption keys. 

However, we observe that if we use functional encryption, then law enforce- 
ment inherently has to trust the customer to be honest, because the customer 
is acting as both the authority and the encryptor in this scenario. In particu- 
lar, suppose that a malicious authority could create malformed ciphertexts and 
“fake” decryption keys that in fact do not provide the functionality guaran- 
tees required by law enforcement. Then, for example, law enforcement could 
be made to believe that there are no matching images, when in fact there 
might be several matching images. 

A similar argument holds if the cloud is storing encrypted text or emails (and 
law enforcement would like to search for the presence of certain keywords or 
patterns). 

- Audits: Next, we consider an even older example proposed in the pioneering 
work of Goyal, Pandey, Sahai, and Waters [21] to motivate Attribute-Based 
Encryption, a special case of FE. Suppose there is a bank that maintains large 
encrypted databases of the transactions in each of its branches. An auditor 
is required to perform a financial audit to certify compliance with various 
financial regulations such as Sarbanes-Oxley. For this, the auditor would need 
access to certain types of data (such as logs of certain transactions) stored on 
the bank servers. However the bank does not wish to give the auditors access 
to the entire data (which would leak customer personal information, etc.). A 
natural solution is to have the bank use functional encryption. This would 
enable it to release a key to the auditor which selectively gives him access to 
only the required data. 

However, note that the entire purpose of an audit is to provide assurances 
even in the setting where the entity being audited is not trusted. What if 
either the system setup, or the encryption, or the decryption key generation 
is maliciously done? Again, with the standard notions of FE, all bets are off, 
since these scenarios are simply not considered. 

Surprisingly, to the best of our knowledge, this (very basic) requirement of 
adversarial correctness has not been previously captured in the standard defi- 
nitions of functional encryption. Indeed, it appears that many previous works 
overlooked this correctness requirement while envisioning applications of (differ- 
ent types of) functional encryption. The same issue also arises in the context 
of simpler notions of functional encryption such as identity based encryption 
(IBE), attribute based encryption (ABE), and predicate encryption (PE), which 
have been studied extensively [11,17,18,21,23,29,32]. 
In order to solve this problem, we define the notion of Verifiable Functional
Encryption² (VFE). Informally speaking, in a VFE scheme, regardless of how
the system setup is done, for each (possibly maliciously generated) ciphertext C
that passes a publicly known verification procedure, there must exist a unique
message m such that: for any allowed function description f and function key
SK_f that pass another publicly known verification procedure, it must be that
the decryption algorithm given C, SK_f, and f is guaranteed to output f(m). In
particular, this also implies that if two decryptions corresponding to functions
f_1 and f_2 of the same ciphertext yield y_1 and y_2 respectively, then there must
exist a single message m such that y_1 = f_1(m) and y_2 = f_2(m).

We stress that even the public parameter generation algorithm can be cor- 
rupted. As illustrated above, this is critical for security in many applications. 
The fact that the public parameters are corrupted means that we cannot rely 
on the public parameters to contain an honestly generated Common Random 
String or Common Reference String (CRS). This presents the main technical 
challenge in our work, as we describe further below. 

1.1 Our Contributions for Verifiable Functional Encryption 

Our work makes the following contributions with regard to VFE: 

- We formally define verifiable functional encryption and study both indistin- 
guishability and simulation-based security notions. Our definitions can adapt 
to all major variants and predecessors of FE, including IBE, ABE, and pred- 
icate encryption. 

- We show that simulation based security is unconditionally impossible to 
achieve by constructing a one-message zero knowledge proof system from any 
simulation secure verifiable functional encryption scheme. Interestingly, we 
show the impossibility holds even in the most basic setting where there may 
only be a single key and a single ciphertext that is queried by the adversary (in 
contrast to ordinary functional encryption where we know of general positive 
results in such a setting from minimal assumptions [27]). Thus, in the rest of
our work, we focus on the indistinguishability-based security notion. 

- We give a generic compiler from any public-key functional encryption scheme 
to a verifiable public-key functional encryption scheme, with the only addi- 
tional assumption being Decision Linear Assumption over Bilinear Groups 
(DLIN). Informally, we show the following theorem. 

Theorem 1. (Informal) Assuming there exists a secure public key functional
encryption scheme for the class of functions ℱ and DLIN is true, there exists
an explicit construction of a secure verifiable functional encryption scheme for
the class of functions ℱ.

² A primitive with the same name was also defined in [8]. However, their setting is
entirely different from ours. They consider a scenario where the authority as well as
the encryptor are honest. Their goal is to convince a weak client that the decryption
(performed by a potentially malicious cloud service provider) was done correctly
using the actual ciphertext and function secret key.
Table 1. Our Results for Verifiable FE

  Verifiable Functionality                 | Assumptions Needed
  -----------------------------------------|--------------------------
  Verifiable IBE                           | BDH + Random Oracle [11]
  Verifiable IBE                           | BDH + DLIN [32]
  Verifiable ABE for NC^1                  | DLIN [25,31]
  Verifiable ABE for all Circuits          | LWE + DLIN [12,17]
  Verifiable PE for all Circuits           | LWE + DLIN [18]
  Verifiable FE for Inner Product Equality | DLIN [25,31]
  Verifiable FE for Inner Product          | DLIN [1]
  Verifiable FE for Bounded Collusions     | DLIN [16,27]
  Verifiable FE for Bounded Collusions     | LWE + DLIN [15]
  Verifiable FE for all Circuits           | iO + Injective OWF [14]

IBE stands for identity-based encryption, ABE for attribute-based encryption
and PE for predicate encryption. The citation given in the assumption column
shows a relevant paper that builds ordinary FE without verifiability for the
stated function class.


In the above, the DLIN assumption is used only to construct non-interactive 
witness indistinguishable (NIWI) proof systems. We show that NIWIs are 
necessary by giving an explicit construction of a NIWI from any verifiable 
functional encryption scheme. This compiler gives rise to various verifiable 
functional encryption schemes under different assumptions. Some of them 
have been summarized in Table 1. 

- We next give a generic compiler for the secret-key setting. Namely, we con- 
vert from any secret-key functional encryption scheme to a verifiable secret- 
key functional encryption scheme with the only additional assumption being 
DLIN. Informally, we show the following theorem: 

Theorem 2. (Informal) Assuming there exists a message hiding and function
hiding secret-key functional encryption scheme for the class of functions ℱ and
DLIN is true, there exists an explicit construction of a message hiding and func-
tion hiding verifiable secret-key functional encryption scheme for the class of
functions ℱ.


An Application: Non-Interactive Functional Commitments: In a traditional non-
interactive commitment scheme, a committer commits to a message m which is
revealed entirely in the decommitment phase. Analogous to the evolution of
functional encryption from traditional encryption, we consider the notion of
functional commitments which were recently studied in [24] as a natural gener-
alization of non-interactive commitments. In a functional commitment scheme, a
committer commits to a message m using some randomness r. In the decommit-
ment phase, instead of revealing the entire message m, for any function f agreed
upon by both parties, the committer outputs a pair of values (a, b) such that
using b and the commitment, the receiver can verify that a = f(m) where m was
the committed value. Similar to a traditional commitment scheme, we require
the properties of hiding and binding. Roughly, hiding states that for any pair of
messages (m_0, m_1), a commitment of m_0 is indistinguishable from a commitment
of m_1 if f(m_0) = f(m_1) where f is the agreed upon function. Informally, bind-
ing states that for every commitment c, there is a unique message m committed
inside c.

We show that any verifiable functional encryption scheme directly gives rise 
to a non-interactive functional commitment scheme with no further assumptions. 

Verifiable iO: As shown recently [3,4,10], functional encryption for general 
functions is closely tied to indistinguishability obfuscation [6,14]. In obfusca- 
tion, aside from the security of the obfuscated program, there is a fundamental 
question of whether the correct program was obfuscated. In particular, the recip- 
ient of the obfuscated program needs a guarantee that the program indeed does 
what it was intended to do. 

Indeed, if someone hands you an obfuscated program, and asks you to run it, 
your first response might be to run away. After all, you have no idea what the 
obfuscated program does. Perhaps it contains backdoors or performs other prob- 
lematic behavior. In general, before running an obfuscated program, it makes 
sense for the recipient to wait to be convinced that the program behaves in an 
appropriate way. More specifically, the recipient would want an assurance that 
only certain specific secrets are kept hidden inside it, and that it uses these 
secrets only in certain well-defined ways. 

In traditional constructions of obfuscation, the obfuscator is assumed to be 
honest and no correctness guarantees are given to an honest evaluator if the 
obfuscator is dishonest. To solve this issue, we initiate a formal study of verifia- 
bility in the context of indistinguishability obfuscation, and show how to convert 
any iO scheme into a usefully verifiable iO scheme. 

We note that verifiable iO presents some nontrivial modeling choices. For
instance, of course, it would be meaningless if a verifiable iO scheme proves that a
specific circuit C is being obfuscated: the obfuscation is supposed to hide exactly
which circuit is being obfuscated. At the same time, of course every obfuscated
program does correspond to some Boolean circuit, and so merely proving that
there exists a circuit underlying an obfuscated program would be trivial. To
resolve this modeling, we introduce a public predicate P, and our definition will
require that there is a public verification procedure that takes both P and any
maliciously generated obfuscated circuit C̃ as input. If this verification procedure
is satisfied, then we know that there exists a circuit C equivalent to C̃ such that
P(C) = 1. In particular, P could reveal almost everything about C, and only
leave certain specific secrets hidden. (We also note that our VFE schemes can
be modified to allow such public predicates to be incorporated there as well.)

iO requires that given a pair (C_0, C_1) of equivalent circuits, the obfuscation
of C_0 should be indistinguishable from the obfuscation of C_1. However, in our
construction, we must restrict ourselves to pairs of circuits where this equivalence
can be proven with a short witness. In other words, there should be an NP
language L such that (C_0, C_1) ∈ L implies that C_0 is equivalent to C_1. We leave
removing this restriction as an important open problem. However, we note that,
to the best of our knowledge, all known applications of iO in fact only consider
pairs of circuits where proving equivalence is in fact easy given a short witness³.


1.2 Technical Overview 

At first glance, constructing verifiable functional encryption may seem easy. One 
naive approach would be to just compile any functional encryption (FE) system 
with NIZKs to achieve verifiability. However, note that this doesn’t work, since 
if the system setup is maliciously generated, then the CRS for the NIZK would 
also be maliciously generated, and therefore soundness would not be guaranteed 
to hold. 

Thus, the starting point of our work is to use a relaxation of NIZK proofs 
called non-interactive witness indistinguishable proof (NIWI) systems, that do 
guarantee soundness even without a CRS. However, NIWIs only guarantee wit- 
ness indistinguishability, not zero-knowledge. In particular, if there is only one 
valid witness, then NIWIs do not promise any security at all. When using NIWIs, 
therefore, it is typically necessary to engineer the possibility of multiple wit- 
nesses. 

A failed first attempt and the mismatch problem: Two parallel FE 
schemes. A natural initial idea would be to execute two FE systems in parallel 
and prove using a NIWI that at least one of them is fully correct: that is, its setup 
was generated correctly, the constituent ciphertext generated using this system 
was computed correctly and the constituent function secret key generated using 
this system was computed correctly. Note that the NIWI computed for proving 
correctness of the ciphertext will have to be separately generated from the NIWI 
computed for proving correctness of the function secret key. 

This yields the mismatch problem : It is possible that in one of the FE systems, 
the ciphertext is maliciously generated, while in the other, the function secret key 
is! Then, during decryption, if either the function secret key or the ciphertext is 
malicious, all bets are off. In fact, several known FE systems [14,15] specifically 
provide for programming either the ciphertext or the function secret key to force 
a particular output during decryption. 

Could we avoid the mismatch problem by relying on majority-based decod- 
ing? In particular, suppose we have three parallel FE systems instead of two. 
Here, we run into the following problem: If we prove that at least two of the 
three ciphertexts are honestly encrypting the same message, the NIWI may not 
hide this message at all: informally speaking, the witness structure has too few 

³ For instance, suppose that C_0 uses an ordinary GGM PRF key, but C_1 uses a
punctured GGM PRF key. It is easy to verify that these two keys are equivalent by
simply verifying each node in the punctured PRF tree of keys by repeated application
of the underlying PRG.
“moving parts”, and it is not known how to leverage NIWIs to argue indistin-
guishability. On the other hand, if we try to relax the NIWI and prove only
that at least two of the three ciphertexts are honestly encrypting some (possibly
different) message, each ciphertext can no longer be associated with a unique
message, and the mismatch problem returns, destroying verifiability.

Let’s take a look at this observation in a bit more detail in the context of
functional commitments, which is perhaps a simpler primitive. Consider a scheme
where the honest committer commits to the same message m thrice using a non-
interactive commitment scheme. Let Z_1, Z_2, Z_3 be these commitments. Note that
in the case of a malicious committer, the messages being committed, m_0, m_1, m_2,
may all be potentially different. In the decommitment phase, the committer
outputs a and a NIWI proving that two out of the three committed values (say
m_i and m_j) are such that a = f(m_i) = f(m_j). With such a NIWI, it is possible
to give a hybrid argument that proves the hiding property (which corresponds to
indistinguishability in the FE setting). However, binding (which corresponds to
verifiability) is lost: One can maliciously commit to m_0, m_1, m_2 such that they
satisfy the following property: there exist functions f, g, h for which it holds
that f(m_0) = f(m_1) ≠ f(m_2), g(m_0) ≠ g(m_1) = g(m_2) and h(m_0) = h(m_2) ≠
h(m_1). Now, if the malicious committer runs the decommitment phase for these
functions separately, there is no fixed message bound by the commitment.

As mentioned earlier, one could also consider a scheme where in the decom-
mitment phase, the committer outputs f(m) and a NIWI proving that two out of
the three commitments correspond to the same message m (i.e. there exist i, j
such that m_i = m_j) and f(m_i) = a. The scheme is binding but does not satisfy
hiding any more. This is because there is no way to move from a hybrid where
all three commitments correspond to message m_0 to one where all three com-
mitments correspond to message m_1, since at every step of the hybrid argument,
two messages out of three must be equal.
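To make the two decommitment rules concrete, here is an added Python example (ours, not the paper's code) that models the functional-commitment discussion above and, at the same time, the single-consistent-message requirement that the VFE definition in Section 1 places on decryptions. It assumes a toy SHA-256 hash commitment in place of a real commitment scheme and reveals the two openings the prover would have used as its NIWI witness, so it exercises only binding, not hiding; the functions f, g, h and the messages 0, 1, 2 are constructed to realise the pattern f(m_0) = f(m_1) ≠ f(m_2), g(m_0) ≠ g(m_1) = g(m_2), h(m_0) = h(m_2) ≠ h(m_1) from the text, and `is_binding` brute-forces a small message space to report whether every combination of outputs the committer can open is explained by one message.

```python
"""Toy model of the two "two-out-of-three" decommitment rules (added example).

Commitments are plain SHA-256 hashes and the NIWI is replaced by revealing the
two openings the prover would use as its witness, so only binding is modelled.
"""
import hashlib
from itertools import combinations, product


def commit(m: int, r: bytes) -> bytes:
    """Constructed toy commitment H(m || r); binding via collision resistance only."""
    return hashlib.sha256(b"%d|" % m + r).digest()


def opens(c: bytes, m: int, r: bytes) -> bool:
    return commit(m, r) == c


def verify_value_agreement(coms, fn, a, opening) -> bool:
    """Rule 1 (hiding, not binding): two committed messages m_i, m_j satisfy
    a == fn(m_i) == fn(m_j); the messages themselves may differ."""
    i, j, mi, ri, mj, rj = opening
    return (i != j and opens(coms[i], mi, ri) and opens(coms[j], mj, rj)
            and fn(mi) == a and fn(mj) == a)


def verify_message_agreement(coms, fn, a, opening) -> bool:
    """Rule 2 (binding, not hiding): two of the three commitments open to the
    *same* message m and a == fn(m)."""
    i, j, mi, ri, mj, rj = opening
    return (i != j and mi == mj and opens(coms[i], mi, ri)
            and opens(coms[j], mj, rj) and fn(mi) == a)


def achievable_outputs(msgs, rands, verify, fn) -> set:
    """Every value a for which a committer who knows all three openings can
    produce a decommitment of fn that `verify` accepts."""
    coms = [commit(m, r) for m, r in zip(msgs, rands)]
    out = set()
    for i, j in combinations(range(len(msgs)), 2):
        opening = (i, j, msgs[i], rands[i], msgs[j], rands[j])
        for a in (fn(msgs[i]), fn(msgs[j])):
            if verify(coms, fn, a, opening):
                out.add(a)
    return out


def is_binding(msgs, rands, verify, fns, domain) -> bool:
    """Binding: whatever outputs the committer can open for the agreed functions,
    a single message in `domain` explains all of them at once. (If some function
    cannot be opened at all, the condition holds vacuously.)"""
    per_fn = [achievable_outputs(msgs, rands, verify, fn) for fn in fns]
    for combo in product(*per_fn):
        explained = any(all(fn(m) == a for fn, a in zip(fns, combo)) for m in domain)
        if not explained:
            return False
    return True


# Three agreed functions realising the pattern from the text on messages 0, 1, 2:
#   f(0) = f(1) != f(2),  g(0) != g(1) = g(2),  h(0) = h(2) != h(1)
def f(m): return m >= 2
def g(m): return m >= 1
def h(m): return m == 1

MALICIOUS_MSGS = [0, 1, 2]          # constructed: three different committed messages
RANDS = [b"r0", b"r1", b"r2"]       # constructed commitment randomness
DOMAIN = range(0, 8)                # small message space for the brute-force check


def demo():
    """Rule 1 accepts the openings f->False, g->True, h->False, which no single
    message satisfies (binding broken); rule 2 stays bound to the repeated message."""
    rule1_broken = not is_binding(MALICIOUS_MSGS, RANDS, verify_value_agreement,
                                  [f, g, h], DOMAIN)
    rule2_bound = is_binding([5, 5, 7], RANDS, verify_message_agreement,
                             [f, g, h], DOMAIN)
    return rule1_broken, rule2_bound


if __name__ == "__main__":
    print(demo())  # (True, True)
```

`achievable_outputs` plays the role of the malicious committer: it tries every pair of commitments and every candidate value, keeping the ones the verifier accepts. Under rule 1 the pairs (Z_1, Z_2), (Z_2, Z_3) and (Z_1, Z_3) each justify a different function's output, which is exactly the inconsistent triple of decommitments the text describes.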

This brings out the reason why verifiability and security are two conflict-
ing requirements. Verifiability seems to demand a majority of some particular
message in the constituent ciphertexts, whereas in the security proof we have
to move through a hybrid where the majority changes (from that of m_0 to that of
m_1). Continuing this way, it is perhaps not that hard to observe that having any
number of systems will not solve the problem. Hence, we have to develop some
new techniques to solve the problem motivated above. This is what we describe
next.

Our solution: Locked trapdoors. Let us start with a scheme with five parallel
FE schemes. Our initial idea will be to commit to the challenge constituent
ciphertexts as part of the public parameters, but we will need to introduce a
twist to make this work, which we will mention shortly. Before we get to the
twist, let’s first see why having a commitment to the challenge ciphertext doesn’t
immediately solve the problem. Let’s introduce a trapdoor statement for the
relation used by the NIWI corresponding to the VFE ciphertexts. This trapdoor
statement states that two of the constituent ciphertexts are encryptions of the
same message and all the constituent ciphertexts are committed in the public
parameters. Initially, the NIWI in the challenge ciphertext uses the fact that
the trapdoor statement is correct with the indices 1 and 2 encrypting the same
message m_0. The NIWIs in the function secret keys use the fact that the first
four indices are secret keys for the same function. Therefore, this leaves the fifth
index free (not being part of the NIWI in any function secret key or challenge
ciphertext) and we can switch the fifth constituent challenge ciphertext to be an
encryption of m_1. We can switch the indices used in the NIWI for the function
secret keys (one at a time) appropriately to leave some other index free and
transform the challenge ciphertext to encrypt m_0 in the first two indices and m_1
in the last three. We then switch the proof in the challenge ciphertext to use the
fact that the last two indices encrypt the same message m_1. After this, in the
same manner as above, we can switch the first two indices (one by one) of the
challenge ciphertext to also encrypt m_1. This strategy will allow us to complete
the proof of indistinguishability security.

Indeed, such an idea of committing to challenge ciphertexts in the public 
parameters has been used in the FE context before, for example in [14]. How- 
ever, observe that if we do this, then verifiability is again lost, because recall 
that even the public parameters of the system are under the adversary’s con- 
trol! If a malicious authority generates a ciphertext using the correctness of the 
trapdoor statement, he could encrypt the tuple (m, m, m_1, m_2, m_3) as the set
of messages in the constituent ciphertexts and generate a valid NIWI. Now, for 
some valid function secret key, decrypting this ciphertext may not give rise to 
a valid function output. The inherent problem here is that any ciphertext for 
which the NIWI is proved using the trapdoor statement and any honestly gener- 
ated function secret key need not agree on a majority (three) of the underlying 
systems. 

To overcome this issue, we introduce the idea of a guided locking mechanism. 
Intuitively, we require that the system cannot have both valid ciphertexts that 
use the correctness of the trapdoor statement and valid function secret keys. 
Therefore, we introduce a new "lock" in the public parameters. The statement 
being proved in the function secret key will state that this lock is a commitment 
of 1, while the trapdoor statement for the ciphertexts will state that the lock 
is a commitment of 0. Thus, we cannot simultaneously have valid ciphertexts 
that use the correctness of the trapdoor statement and valid function secret 
keys. This ensures verifiability of the system. However, while playing this cat 
and mouse game of ensuring security and verifiability, observe that we can no 
longer prove that the system is secure! In our proof strategy, we wanted to switch 
the challenge ciphertext to use the correctness of the trapdoor statement which 
would mean that no valid function secret key can exist in the system. But, the 
adversary can of course ask for some function secret keys and hence the security 
proof wouldn’t go through. 

We handle this scenario by introducing another trapdoor statement for the 
relation corresponding to the function secret keys. This trapdoor statement is 
similar to the honest one in the sense that it needs four of the five constituent 
function secret keys to be secret keys for the same function. Crucially, how- 
ever, it additionally states that if you consider the five constituent ciphertexts 
committed to in the public parameters, decrypting each of them with the cor- 
responding constituent function secret key yields the same output. Notice that 
for any function secret key that uses the correctness of the trapdoor statement 
and any ciphertext generated using the correctness of its corresponding trapdoor 
statement, verifiability is not lost. This is because of the condition that all corre- 
sponding decryptions yield the same output. Similarly, for any function secret key 
that uses the correctness of the trapdoor statement and any ciphertext generated 
using the correctness of its non-trapdoor statement, verifiability is maintained. 
Thus, this addition doesn't impact the verifiability of the system. 

Now, in order to prove security, we first switch every function secret key to 
be generated using the correctness of the trapdoor statement. This is followed 
by changing the lock in the public parameters to be a commitment of 0 (the 
value the trapdoor statement for ciphertexts requires) and then switching the 
NIWI in the ciphertexts to use their corresponding trapdoor statement. The rest 
of the security proof unravels in the same way as before. After the challenge 
ciphertext is transformed into an encryption of message m_1, we reverse the 
whole process to switch every function secret key to use the real statement (and 
not the trapdoor one) and to switch the challenge ciphertext to use the 
corresponding real statement. Notice that the lock essentially guides the 
sequence of steps to be followed by the security proof, as any other sequence 
is not possible. In this way, the locks guide the hybrids that can be considered 
in the security argument, hence the name "guided" locking mechanism for the 
technique. In fact, using these ideas, it turns out that just having four parallel 
systems suffices to construct verifiable functional encryption in the public key 
setting. 

In the secret key setting, to achieve verifiability, we also have to commit to 
all the constituent master secret keys in the public parameters. However, we 
need an additional system (bringing the total back to five) because, in order to 
switch a constituent challenge ciphertext from an encryption of m_0 to that of 
m_1, we need to puncture out the corresponding master secret key committed in 
the public parameters. We observe that in the secret key setting, ciphertexts and 
function secret keys can be seen as duals of each other. Hence, to prove function 
hiding, we introduce indistinguishable modes and a switching mechanism. At any 
point in time, the system can either be in function hiding mode or in message 
hiding mode but not both. At all stages, verifiability is maintained using similar 
techniques. 

Organisation: In Sect. 2 we define the preliminaries used in the paper. In Sect. 3, 
we give the definition of a verifiable functional encryption scheme. This is fol- 
lowed by the construction and proof of a verifiable functional encryption scheme 
in Sect. 4. In Sect. 5, we give the construction of a secret key verifiable functional 
encryption scheme. Section 6 is devoted to the study of verifiable obfuscation. 
An application of verifiable functional encryption is in achieving functional com- 
mitments. Due to lack of space, this has been discussed in the full version [5]. 
2 Preliminaries 

Throughout the paper, let the security parameter be λ and let PPT denote a 
probabilistic polynomial time algorithm. We assume that the reader is familiar with 
the concepts of public key encryption and non-interactive commitment schemes. 

2.1 One Message WI Proofs 

We will be extensively using one message witness indistinguishable proofs (NIWI) 
as provided by [22]. 

Definition 1. A pair of PPT algorithms $(P, V)$ is a NIWI for an NP relation 
$R_L$ if it satisfies: 

1. Completeness: for every $(x, w) \in R_L$, $\Pr[V(x, \pi) = 1 : \pi \leftarrow P(x, w)] = 1$. 

2. (Perfect) Soundness: the proof system is said to be perfectly sound if for 
every $x \notin L$ and every $\pi \in \{0, 1\}^*$ 

$$\Pr[V(x, \pi) = 1] = 0.$$ 

3. Witness indistinguishability: for any sequence $I = \{(x, w_1, w_2) : w_1, w_2 \in R_L(x)\}$ 

$$\{\pi_1 : \pi_1 \leftarrow P(x, w_1)\}_{(x, w_1, w_2) \in I} \approx_c \{\pi_2 : \pi_2 \leftarrow P(x, w_2)\}_{(x, w_1, w_2) \in I}.$$ 

[22] provides perfectly sound one message witness indistinguishable proofs based 
on the decisional linear (DLIN) assumption. [7] also provides perfectly sound 
proofs (although less efficient) under a complexity theoretic assumption, namely 
that hitting set generators against co-nondeterministic circuits exist. [9] con- 
structs NIWI from one-way permutations and indistinguishability obfuscation. 

3 Verifiable Functional Encryption 

In this section we give the definition of a (public-key) verifiable functional 
encryption scheme. Let $X = \{X_\lambda\}_{\lambda \in \mathbb{N}}$ and $Y = \{Y_\lambda\}_{\lambda \in \mathbb{N}}$ denote ensem- 
bles where each $X_\lambda$ and $Y_\lambda$ is a finite set. Let $F = \{F_\lambda\}_{\lambda \in \mathbb{N}}$ denote an 
ensemble where each $F_\lambda$ is a finite collection of functions, and each function 
$f \in F_\lambda$ takes as input a string $x \in X_\lambda$ and outputs $f(x) \in Y_\lambda$. A verifi- 
able functional encryption scheme is similar to a regular functional encryption 
scheme with two additional algorithms (VerifyCT, VerifyK). Formally, VFE = 
(Setup, Enc, KeyGen, Dec, VerifyCT, VerifyK) consists of the following polynomial 
time algorithms: 

- Setup(1^λ). The setup algorithm takes as input the security parameter λ and 
outputs a master public key-secret key pair (MPK, MSK). 

- Enc(MPK, x) → CT. The encryption algorithm takes as input a message x ∈ 
X_λ and the master public key MPK. It outputs a ciphertext CT. 

- KeyGen(MPK, MSK, f) → SK_f. The key generation algorithm takes as input a 
function f ∈ F_λ, the master public key MPK and the master secret key MSK. 
It outputs a function secret key SK_f. 

- Dec(MPK, f, SK_f, CT) → y or ⊥. The decryption algorithm takes as input the 
master public key MPK, a function f, the corresponding function secret key 
SK_f and a ciphertext CT. It either outputs a string y ∈ Y_λ or ⊥. Informally 
speaking, MPK is given to the decryption algorithm for verification purposes. 

- VerifyCT(MPK, CT) → 1/0. Takes as input the master public key MPK and a 
ciphertext CT. It outputs 0 or 1. Intuitively, it outputs 1 if CT was correctly 
generated using the master public key MPK for some message x. 

- VerifyK(MPK, f, SK_f) → 1/0. Takes as input the master public key MPK, a 
function f and a function secret key SK_f. It outputs either 0 or 1. Intuitively, 
it outputs 1 if SK_f was correctly generated as a function secret key for f. 

The scheme has the following properties: 

Definition 2. (Correctness) A verifiable functional encryption scheme VFE for 
$F$ is correct if for all $f \in F_\lambda$ and all $x \in X_\lambda$ 

$$\Pr\left[\mathsf{Dec}(\mathsf{MPK}, f, \mathsf{SK}_f, \mathsf{Enc}(\mathsf{MPK}, x)) = f(x) \;:\; \begin{array}{l} (\mathsf{MPK}, \mathsf{MSK}) \leftarrow \mathsf{Setup}(1^\lambda) \\ \mathsf{SK}_f \leftarrow \mathsf{KeyGen}(\mathsf{MPK}, \mathsf{MSK}, f) \end{array}\right] = 1$$ 

Definition 3. (Verifiability) A verifiable functional encryption scheme VFE for 
$F$ is verifiable if for all $\mathsf{MPK} \in \{0, 1\}^*$ and all $\mathsf{CT} \in \{0, 1\}^*$, there exists $x \in X$ 
such that for all $f \in F$ and $\mathsf{SK} \in \{0, 1\}^*$, if 

$$\mathsf{VerifyCT}(\mathsf{MPK}, \mathsf{CT}) = 1 \quad \text{and} \quad \mathsf{VerifyK}(\mathsf{MPK}, f, \mathsf{SK}) = 1$$ 

then 

$$\Pr\left[\mathsf{Dec}(\mathsf{MPK}, f, \mathsf{SK}, \mathsf{CT}) = f(x)\right] = 1.$$ 

Remark. Intuitively, verifiability states that each ciphertext (possibly associ- 
ated with a maliciously generated public key) should be associated with a unique 
message x, and decryption for a function f using any possibly maliciously gener- 
ated key SK should result in f(x) for that unique message x and nothing else 
(if the ciphertext and keys are verified by the respective algorithms). 

We also note that a verifiable functional encryption scheme should satisfy 
perfect correctness. Otherwise, a non-uniform malicious authority can sample 
ciphertexts/keys from the space where it fails to be correct. Thus, the primitives 
that we will use in our constructions are assumed to have perfect correctness. 
Such primitives have been constructed before in the literature. 


3.1 Indistinguishability Based Security 

The indistinguishability based security for verifiable functional encryption is sim- 
ilar to the security notion of a functional encryption scheme. For completeness, 
we define it below. We also consider a {full/selective} CCA secure variant where 
the adversary, in addition to the security game described below, has access to a 
decryption oracle which takes a ciphertext and a function as input and decrypts 
the ciphertext with an honestly generated key for that function and returns the 
output. The adversary is allowed to query this decryption oracle for all cipher- 
texts of his choice except the challenge ciphertext itself. 

We define the security notion for a verifiable functional encryption scheme 
using the following game (Full-IND) between a challenger and an adversary. 

Setup Phase: The challenger computes (MPK, MSK) ← VFE.Setup(1^λ) and then 
hands over the master public key MPK to the adversary. 

Key Query Phase 1: The adversary makes function secret key queries by 
submitting functions f ∈ F_λ. The challenger responds by giving the adversary 
the corresponding function secret key SK_f ← VFE.KeyGen(MPK, MSK, f). 

Challenge Phase: The adversary chooses two messages (m_0, m_1) of the same 
size (each in X_λ) such that for all queried functions f in the key query phase, 
it holds that f(m_0) = f(m_1). The challenger selects a random bit b ∈ {0, 1} and 
sends a ciphertext CT ← VFE.Enc(MPK, m_b) to the adversary. 

Key Query Phase 2: The adversary may submit additional key queries f 
as long as they do not violate the constraint described above. That is, for all 
queries f, it must hold that f(m_0) = f(m_1). 

Guess: The adversary submits a guess b' and wins if b' = b. The adversary's 
advantage in this game is defined to be 2 · |Pr[b' = b] − 1/2|. 

We also define the selective security game, which we call Sel-IND, where the 
adversary outputs the challenge message pair even before seeing the master pub- 
lic key. 

Definition 4. A verifiable functional encryption scheme VFE is {selectively, 
fully} secure if all polynomial time adversaries have at most a negligible advan- 
tage in the {Sel-IND, Full-IND} security game. 

Functional Encryption: In our construction, we will use functional encryption 
as an underlying primitive. Syntax of a functional encryption scheme is defined 
in [14]. It is similar to the syntax of a verifiable functional encryption scheme 
except that it doesn’t have the VerifyCT and VerifyK algorithms, the KeyGen 
algorithm does not take as input the master public key and the decryption algo- 
rithm does not take as input the master public key and the function. Other than 
that, the security notions and correctness are the same. However, a functional 
encryption scheme is in general not required to satisfy the verifiability property. 


3.2 Simulation Based Security 

Many variants of simulation based security definitions have been proposed for 
functional encryption. In general, simulation security (where the adversary can 
request keys arbitrarily) is known to be impossible [2]. We show that even the 
weakest form of simulation based security is impossible to achieve for verifiable 
functional encryption. 
Theorem 3. There exists a family of functions, each of which can be represented 
as a polynomial sized circuit, for which there does not exist any simulation secure 
verifiable functional encryption scheme. 

Proof. Let L be an NP-complete language and let R be the relation for this language: 
R : {0, 1}* × {0, 1}* → {0, 1} takes as input a string x and a polynomial sized 
(in the length of x) witness w and outputs 1 iff x ∈ L and w is a witness to this 
fact. For any security parameter λ, let us define a family of functions F_λ as a 
family indexed by strings y ∈ {0, 1}^λ. Namely, F_λ = {R(y, ·) | y ∈ {0, 1}^λ}. 

Informally speaking, any verifiable functional encryption scheme that is also 
simulation secure for this family implies the existence of one message zero knowl- 
edge proofs for L. The proof system is described as follows: the prover, who has 
the witness for an instance x of length λ, samples a master public key and mas- 
ter secret key pair for a verifiable functional encryption scheme with security 
parameter λ. Using the master public key, it encrypts the witness and samples 
a function secret key for the function R(x, ·). The verifier is given the master 
public key, the ciphertext and the function secret key. Informally, simulation 
security of the verifiable functional encryption scheme provides computational 
zero knowledge, while perfect soundness and correctness follow from verifiability. 
A formal proof can be found in the full version [5]. 

In a similar manner, we can rule out even weaker simulation based definitions 
in the literature where the simulator also gets to generate the function secret 
keys and the master public key. Interestingly, IND secure VFE for the circuit 
family described in the above proof implies one message witness indistinguishable 
proofs (NIWI) for NP, and hence it is intuitive that we will have to make use of 
NIWI in our constructions. 

Theorem 4. There exists a family of functions, each of which can be represented 
as a polynomial sized circuit, for which (selective) IND secure verifiable func- 
tional encryption implies the existence of one message witness indistinguishable 
proofs for NP (NIWI). 

We prove the theorem in the full version [5]. 

The definition for verifiable secret key functional encryption and verifiable 
multi-input functional encryption can be found in the full version [5]. 

4 Construction of Verifiable Functional Encryption 

In this section, we give a compiler from any Sel-IND secure public key func- 
tional encryption scheme to a Sel-IND secure verifiable public key functional 
encryption scheme. The techniques used in this construction have been elabo- 
rated upon in Sect. 1.2. The resulting verifiable functional encryption scheme 
has the same security properties as the underlying one; that is, the resulting 
scheme is q-query secure if the original scheme that we started out with was 
q-query secure, and so on, where q refers to the number of function secret key 
queries that the adversary is allowed to make. We prove the following theorem: 

Theorem 5. Let F = {F_λ}_{λ∈N} be a parameterized collection of functions. 
Then, assuming there exist a Sel-IND secure public key functional encryp- 
tion scheme FE for the class of functions F, a non-interactive witness indistin- 
guishable proof system, and a non-interactive perfectly binding and computationally 
hiding commitment scheme, the proposed scheme VFE is a verifiable (Definition 3) 
and Sel-IND secure (Definition 4) functional encryption scheme for the class of 
functions F. 

Notation: Without loss of generality, let's assume that every plaintext mes- 
sage is of length λ, where λ denotes the security parameter of our scheme. Let 
(Prove, Verify) be a non-interactive witness-indistinguishable (NIWI) proof sys- 
tem for NP, FE = (FE.Setup, FE.Enc, FE.KeyGen, FE.Dec) be a Sel-IND secure 
public key functional encryption scheme, and Com be a perfectly binding and 
computationally hiding commitment scheme (perfect binding is what the 
verifiability argument in Sect. 4.1 relies on). Without loss of generality, let's 
say Com commits to a string bit-by-bit and uses randomness of length λ to com- 
mit to a single bit. We denote the length of ciphertexts in FE by c-len = c-len(λ). 
Let len = 4 · c-len. 

Our scheme VFE = (VFE.Setup, VFE.Enc, VFE.KeyGen, VFE.Dec, VFE.VerifyCT, 
VFE.VerifyK) is as follows: 

- Setup VFE.Setup(1^λ): 

The setup algorithm does the following: 

1. For all i ∈ [4], compute (MPK_i, MSK_i) ← FE.Setup(1^λ; s_i) using random- 
ness s_i. 

2. Set Z = Com(0^len; u) and Z_1 = Com(1; u_1), where u, u_1 denote the ran- 
domness used in the commitments. 

The master public key is MPK = ({MPK_i}_{i∈[4]}, Z, Z_1). 

The master secret key is MSK = ({MSK_i}_{i∈[4]}, {s_i}_{i∈[4]}, u, u_1). 

- Encryption VFE.Enc(MPK, m): 

To encrypt a message m, the encryption algorithm does the following: 

1. For all i ∈ [4], compute CT_i = FE.Enc(MPK_i, m; r_i). 

2. Compute a proof π ← Prove(y, w) for the statement that y ∈ L using 
witness w, where: 

y = ({CT_i}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1), 

w = (m, {r_i}_{i∈[4]}, 0, 0, 0^{|u|}, 0^{|u_1|}). 

L is the language corresponding to the relation R defined below. 

- Relation R: 

Instance: y = ({CT_i}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1) 

Witness: w = (m, {r_i}_{i∈[4]}, i_1, i_2, u, u_1) 

R(y, w) = 1 if and only if either of the following conditions holds: 

1. All 4 constituent ciphertexts encrypt the same message. That is, 

∀i ∈ [4], CT_i = FE.Enc(MPK_i, m; r_i) 

(OR) 

2. 2 constituent ciphertexts (corresponding to indices i_1, i_2) encrypt the 
same message, Z is a commitment to all the constituent ciphertexts and 
Z_1 is a commitment to 0. That is, 

(a) ∀i ∈ {i_1, i_2}, CT_i = FE.Enc(MPK_i, m; r_i). 

(b) Z = Com({CT_i}_{i∈[4]}; u). 

(c) Z_1 = Com(0; u_1). 

The output of the algorithm is the ciphertext CT = ({CT_i}_{i∈[4]}, π). 

π is computed for statement 1 of relation R. 

- Key Generation VFE.KeyGen(MPK, MSK, f): 

To generate the function secret key K_f for a function f, the key generation 
algorithm does the following: 

1. ∀i ∈ [4], compute K_i^f = FE.KeyGen(MSK_i, f; r_i). 

2. Compute a proof γ ← Prove(y, w) for the statement that y ∈ L_1 using 
witness w, where: 

y = (f, {K_i^f}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1), 

w = ({MSK_i}_{i∈[4]}, {s_i}_{i∈[4]}, {r_i}_{i∈[4]}, 0, 0, 0, 0^{|u|}, u_1). 

L_1 is the language corresponding to the relation R_1 defined below. 

- Relation R_1: 

Instance: y = (f, {K_i^f}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1). 

Witness: w = ({MSK_i}_{i∈[4]}, {s_i}_{i∈[4]}, {r_i}_{i∈[4]}, i_1, i_2, i_3, u, u_1) 

R_1(y, w) = 1 if and only if either of the following conditions holds: 

1. Z_1 is a commitment to 1, all 4 constituent function secret keys are secret 
keys for the same function and are constructed using honestly generated 
public key-secret key pairs. That is, 

(a) ∀i ∈ [4], K_i^f = FE.KeyGen(MSK_i, f; r_i). 

(b) ∀i ∈ [4], (MPK_i, MSK_i) = FE.Setup(1^λ; s_i). 

(c) Z_1 = Com(1; u_1). 

(OR) 

2. 3 of the constituent function secret keys (corresponding to indices 
i_1, i_2, i_3) are keys for the same function and are constructed using honestly 
generated public key-secret key pairs, and Z is a commitment to a set of cipher- 
texts CT such that each constituent ciphertext in CT, when decrypted with 
the corresponding constituent function secret key, gives the same output. That is, 

(a) ∀i ∈ {i_1, i_2, i_3}, K_i^f = FE.KeyGen(MSK_i, f; r_i). 

(b) ∀i ∈ {i_1, i_2, i_3}, (MPK_i, MSK_i) = FE.Setup(1^λ; s_i). 

(c) Z = Com({CT_i}_{i∈[4]}; u). 

(d) ∃x ∈ Y_λ such that ∀i ∈ [4], FE.Dec(CT_i, K_i^f) = x. 

The output of the algorithm is the function secret key K_f = 
({K_i^f}_{i∈[4]}, γ). 

γ is computed for statement 1 of relation R_1. 

- Decryption VFE.Dec(MPK, f, K_f, CT): This algorithm decrypts the cipher- 
text CT = ({CT_i}_{i∈[4]}, π) using function secret key K_f = ({K_i^f}_{i∈[4]}, γ) in the 
following way: 

1. Let y = ({CT_i}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1) be the statement corresponding 
to proof π. If Verify(y, π) = 0, then stop and output ⊥. Else, continue to 
the next step. 

2. Let y_1 = (f, {K_i^f}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1) be the statement corresponding 
to proof γ. If Verify(y_1, γ) = 0, then stop and output ⊥. Else, continue to 
the next step. 

3. For i ∈ [4], compute m_i = FE.Dec(CT_i, K_i^f). If at least 3 of the m_i's are 
equal (let's say that value is m), output m. Else, output ⊥. 

- VerifyCT VFE.VerifyCT(MPK, CT): Given a ciphertext CT = ({CT_i}_{i∈[4]}, π), 
this algorithm checks whether the ciphertext was generated correctly using 
master public key MPK. Let y = ({CT_i}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1) be the state- 
ment corresponding to proof π. If Verify(y, π) = 1, it outputs 1. Else, it outputs 
0. 

- VerifyK VFE.VerifyK(MPK, f, K): Given a function f and a function secret 
key K = ({K_i}_{i∈[4]}, γ), this algorithm checks whether the key was generated 
correctly for function f using the master secret key corresponding to master 
public key MPK. Let y = (f, {K_i}_{i∈[4]}, {MPK_i}_{i∈[4]}, Z, Z_1) be the statement 
corresponding to proof γ. If Verify(y, γ) = 1, it outputs 1. Else, it outputs 0. 

Correctness: Correctness follows directly from the correctness of the underlying 
FE scheme, the correctness of the commitment scheme and the completeness of the 
NIWI proof system. 


4.1 Verifiability 

Consider any master public key MPK and any ciphertext CT = ({CT_i}_{i∈[4]}, π) 
such that VFE.VerifyCT(MPK, CT) = 1. By perfect soundness of the NIWI, there 
are two cases possible for the proof π. 

1. Statement 1 of relation R is correct: 

Therefore, there exists m ∈ X_λ such that ∀i ∈ [4], CT_i = FE.Enc(MPK_i, m; r_i), 
where r_i is a random string. Consider any function f and function secret key 
K = ({K_i}_{i∈[4]}, γ) such that VFE.VerifyK(MPK, f, K) = 1. There are two cases 
possible for the proof γ. 

(a) Statement 1 of relation R_1 is correct: 

Therefore, ∀i ∈ [4], K_i is a function secret key for the same func- 
tion f. That is, ∀i ∈ [4], K_i = FE.KeyGen(MSK_i, f; r'_i), where r'_i is a 
random string. Thus, for all i ∈ [4], FE.Dec(CT_i, K_i) = f(m). Hence, 
VFE.Dec(MPK, f, K, CT) = f(m). 

(b) Statement 2 of relation R_1 is correct: 

Therefore, there exist 3 indices i_1, i_2, i_3 such that K_{i_1}, K_{i_2}, K_{i_3} are func- 
tion secret keys for the same function f. That is, ∀i ∈ {i_1, i_2, i_3}, 
K_i = FE.KeyGen(MSK_i, f; r'_i), where r'_i is a random string. Thus, for all i ∈ 
{i_1, i_2, i_3}, FE.Dec(CT_i, K_i) = f(m), so at least 3 of the 4 decryptions agree 
on f(m). Hence, VFE.Dec(MPK, f, K, CT) = f(m). 

2. Statement 2 of relation R is correct: 

Therefore, Z_1 = Com(0; u_1) and Z = Com({CT_i}_{i∈[4]}; u) for some random 
strings u, u_1. Also, there exist 2 indices i_1, i_2 and a message m ∈ X_λ such 
that for i ∈ {i_1, i_2}, CT_i = FE.Enc(MPK_i, m; r_i), where r_i is a random string. 
Consider any function f and function secret key K = ({K_i}_{i∈[4]}, γ) such that 
VFE.VerifyK(MPK, f, K) = 1. There are two cases possible for the proof γ. 

(a) Statement 1 of relation R_1 is correct: 

Then, it must be the case that Z_1 = Com(1; u'_1) for some random string 
u'_1. However, we already know that Z_1 = Com(0; u_1) and Com is a per- 
fectly binding commitment scheme. Thus, this scenario isn't possible. 
That is, VFE.VerifyCT(MPK, CT) and VFE.VerifyK(MPK, f, K) can't 
both be equal to 1. 

(b) Statement 2 of relation R_1 is correct: 

Therefore, there exist 3 indices i'_1, i'_2, i'_3 such that K_{i'_1}, K_{i'_2}, K_{i'_3} are func- 
tion secret keys for the same function f. That is, ∀i ∈ {i'_1, i'_2, i'_3}, K_i = 
FE.KeyGen(MSK_i, f; r'_i), where r'_i is a random string. Thus, by the pigeon- 
hole principle, there exists i* ∈ {i'_1, i'_2, i'_3} such that i* ∈ {i_1, i_2} as well. 
Also, statement 2 of R_1 says that Z commits to a set of ciphertexts whose 
decryptions under K_1, ..., K_4 all agree; since Z = Com({CT_i}_{i∈[4]}; u) and Com 
is perfectly binding, that set is exactly {CT_i}_{i∈[4]}, so ∀i ∈ [4], FE.Dec(CT_i, K_i) 
is the same value. For the index i*, FE.Dec(CT_{i*}, K_{i*}) = f(m). Hence, ∀i ∈ [4], 
FE.Dec(CT_i, K_i) = f(m). Therefore, VFE.Dec(MPK, f, K, CT) = f(m). 
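The case analysis above is small enough to be checked exhaustively. The following Python script is an added example (not code from the paper): it models the four constituent FE instances symbolically (a constituent ciphertext is the message it encrypts, a constituent key is the truth table of the function it decrypts with, and FE.Dec applies the table), models each verifying proof by the conditions its statement of R or R_1 imposes (which is what perfect soundness of the NIWI and perfect binding of Com buy), and then enumerates every combination of a ciphertext passing VerifyCT and a key passing VerifyK for a constructed 3-element message space and the family of all Boolean functions on it. With the Z_1 lock enforced there is no combination in which the 3-of-4 majority rule of VFE.Dec fails to return f(m); with the lock switched off the malicious-authority attack from Sect. 1.2 appears as a concrete violation. The message space, function family and majority rule are assumptions of the model, not values from the paper.

```python
"""Exhaustive check of the verifiability case analysis of Sect. 4.1.

This is an added example, not code from the paper. The underlying FE scheme is
modelled symbolically: a constituent ciphertext is the message it encrypts, a
constituent key is the function it decrypts with (a truth table over a tiny
message space), and FE.Dec applies the function. Because the NIWI is perfectly
sound and Com is perfectly binding, a verifying proof guarantees that one of the
statements of R (resp. R_1) holds for the actual values, so the proofs are
modelled by the conditions those statements impose. The message space, the
function family and the 3-of-4 majority rule are the constructed inputs.
"""
from itertools import combinations, product

MSGS = (0, 1, 2)                                   # constructed message space X_lambda
N = 4                                              # number of parallel FE instances
FUNCS = tuple(product((0, 1), repeat=len(MSGS)))   # every f: MSGS -> {0,1}, as truth tables


def fe_dec(ct, key):
    """Symbolic FE.Dec(CT_i, K_i): ct is the encrypted message, key the function's truth table."""
    return key[ct]


def vfe_dec(cts, keys):
    """Step 3 of VFE.Dec: the value shared by at least 3 of the 4 decryptions, or None for ⊥."""
    outs = [fe_dec(ct, k) for ct, k in zip(cts, keys)]
    for v in set(outs):
        if outs.count(v) >= 3:
            return v
    return None


def ciphertexts_satisfying_R(m):
    """Yield (statement, cts) for every 4-tuple of constituent plaintexts that a verifying
    proof pi could certify with message m in the witness.
    Statement 1: all four encrypt m.  Statement 2: some pair (i1, i2) encrypts m; the other
    slots are chosen freely by the (possibly malicious) encryptor."""
    for cts in product(MSGS, repeat=N):
        if all(c == m for c in cts):
            yield 1, cts
        if any(cts[i] == m and cts[j] == m for i, j in combinations(range(N), 2)):
            yield 2, cts


def key_statements(f, keys, committed_cts):
    """Statements of R_1 that a verifying gamma for f could have used with these constituent
    keys, given the four ciphertexts committed in Z."""
    stmts = set()
    n_f = sum(k == f for k in keys)
    if n_f == N:
        stmts.add(1)          # statement 1 additionally needs Z_1 = Com(1)
    if n_f >= 3 and len({fe_dec(ct, k) for ct, k in zip(committed_cts, keys)}) == 1:
        stmts.add(2)          # statement 2: condition (d) on the committed ciphertexts
    return stmts


def verifiability_violations(lock=True):
    """Enumerate every pair (ciphertext passing VerifyCT, key passing VerifyK) and return the
    combinations in which VFE.Dec does not output f(m).  With lock=False the Z_1 lock is
    ignored, i.e. a statement-2 ciphertext may coexist with a statement-1 key, which is the
    malicious-authority attack sketched in Sect. 1.2."""
    violations = []
    for f in FUNCS:
        # only key tuples with at least three keys for f can satisfy either statement of R_1
        candidates = [k for k in product(FUNCS, repeat=N) if sum(x == f for x in k) >= 3]
        for m in MSGS:
            for ct_stmt, cts in ciphertexts_satisfying_R(m):
                # statement 2 of R forces Z_1 = Com(0); statement 1 of R_1 needs Z_1 = Com(1).
                # Perfect binding of Com rules out both at once (case 2(a) of Sect. 4.1).
                lock_allows = {1, 2} if (ct_stmt == 1 or not lock) else {2}
                # statement 2 of R forces Z = Com({CT_i}); statement 1 leaves Z unconstrained
                z_options = [cts] if ct_stmt == 2 else list(product(MSGS, repeat=N))
                for committed in z_options:
                    for keys in candidates:
                        for key_stmt in key_statements(f, keys, committed) & lock_allows:
                            if vfe_dec(cts, keys) != f[m]:
                                violations.append((m, f, cts, keys, ct_stmt, key_stmt))
    return violations


if __name__ == "__main__":
    print("violations with the lock:   ", len(verifiability_violations()))
    print("violations without the lock:", len(verifiability_violations(lock=False)))
    bad = verifiability_violations(lock=False)
    if bad:
        m, f, cts, keys, ct_stmt, key_stmt = bad[0]
        print("example without lock: m =", m, "f =", f, "cts =", cts,
              "VFE.Dec ->", vfe_dec(cts, keys))
```

The enumeration is the pigeonhole argument of case 2(b) made mechanical: with the lock on, every admissible pair forces at least one slot that is honest on both the ciphertext and the key side, and condition (d) then propagates f(m) to all four slots. Without the lock, an all-honest key (statement 1) meets a ciphertext of the form (m, m, m', m'') and the four decryptions can split 2-2, so VFE.Dec returns ⊥ instead of f(m).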


4.2 Security Proof 

We now prove that the proposed scheme VFE is Sel-IND secure. We will prove 
this via a series of hybrid experiments H_1, ..., H_16, where H_1 corresponds to the 
real world experiment with challenge bit b = 0 and H_16 corresponds to the real 
world experiment with challenge bit b = 1. The hybrids are summarized below 
in Table 2. 

We briefly describe the hybrids below. A more detailed description can be 
found in the full version [5]. 

- Hybrid H_1: This is the real experiment with challenge bit b = 0. The master 
public key is MPK = ({MPK_i}_{i∈[4]}, Z, Z_1) such that Z = Com(0^len; u) and 
Z_1 = Com(1; u_1) for random strings u, u_1. The challenge ciphertext is CT* = 
({CT_i*}_{i∈[4]}, π*), where for all i ∈ [4], CT_i* = FE.Enc(MPK_i, m_0; r_i) for some 
random string r_i. π* is computed for statement 1 of relation R. 

- Hybrid H_2: This hybrid is identical to the previous hybrid except that Z is 
computed differently. Z = Com({CT_i*}_{i∈[4]}; u). 

- Hybrid H_3: This hybrid is identical to the previous hybrid except that for 
every function secret key K_f, the proof γ is now computed for statement 2 
of relation R_1 using indices {1, 2, 3} as the set of 3 indices {i_1, i_2, i_3} in the 
witness. That is, the witness is w = (MSK_1, MSK_2, MSK_3, 0^{|MSK_4|}, s_1, s_2, s_3, 
0^{|s_4|}, r_1, r_2, r_3, 0^{|r_4|}, 1, 2, 3, u, 0^{|u_1|}). 

- Hybrid H_4: This hybrid is identical to the previous hybrid except that Z_1 is 
computed differently. Z_1 = Com(0; u_1). 

- Hybrid H_5: This hybrid is identical to the previous hybrid except that the 
proof π* in the challenge ciphertext is now computed for statement 2 of relation 
R using indices {1, 2} as the 2 indices {i_1, i_2} in the witness. That is, the 
witness is w = (m_0, r_1, r_2, 0^{|r_3|}, 0^{|r_4|}, 1, 2, u, u_1). 

Table 2. Summary of the hybrids. The column {CT_i*}_{i∈[4]} lists the messages 
encrypted in the four constituent ciphertexts of the challenge ciphertext, e.g. 
(m_0, m_0, m_0, m_0); the column {K_i^f}_{i∈[4]} lists the functions for which the 
constituent keys of every function secret key are generated. The columns π* and γ 
give the statement of relation R (resp. R_1) proved by the proof in the challenge 
ciphertext (resp. in every function secret key for a function f), together with the 
indices {i_1, i_2} (resp. {i_1, i_2, i_3}) used in the witness when statement 2 is proved. 
The last column names the assumption under which a hybrid is indistinguishable 
from the previous one. In some steps the only difference from the previous hybrid 
is the set of indices used in the proofs π* or γ. 

Hybrid  {CT_i*}_{i∈[4]}       π*          {K_i^f}_{i∈[4]}   γ              Z              Z_1      Security 
H_1     (m_0, m_0, m_0, m_0)  1           (f, f, f, f)      1              Com(0^len)     Com(1)   - 
H_2     (m_0, m_0, m_0, m_0)  1           (f, f, f, f)      1              Com({CT_i*})   Com(1)   Com-Hiding 
H_3     (m_0, m_0, m_0, m_0)  1           (f, f, f, f)      2 {1, 2, 3}    Com({CT_i*})   Com(1)   NIWI 
H_4     (m_0, m_0, m_0, m_0)  1           (f, f, f, f)      2 {1, 2, 3}    Com({CT_i*})   Com(0)   Com-Hiding 
H_5     (m_0, m_0, m_0, m_0)  2 {1, 2}    (f, f, f, f)      2 {1, 2, 3}    Com({CT_i*})   Com(0)   NIWI 
H_6     (m_0, m_0, m_0, m_1)  2 {1, 2}    (f, f, f, f)      2 {1, 2, 3}    Com({CT_i*})   Com(0)   IND-secure FE 
H_7     (m_0, m_0, m_0, m_1)  2 {1, 2}    (f, f, f, f)      2 {1, 2, 4}    Com({CT_i*})   Com(0)   NIWI 
H_8     (m_0, m_0, m_1, m_1)  2 {1, 2}    (f, f, f, f)      2 {1, 2, 4}    Com({CT_i*})   Com(0)   IND-secure FE 
H_9     (m_0, m_0, m_1, m_1)  2 {3, 4}    (f, f, f, f)      2 {1, 3, 4}    Com({CT_i*})   Com(0)   NIWI 
H_10    (m_0, m_1, m_1, m_1)  2 {3, 4}    (f, f, f, f)      2 {1, 3, 4}    Com({CT_i*})   Com(0)   IND-secure FE 
H_11    (m_0, m_1, m_1, m_1)  2 {3, 4}    (f, f, f, f)      2 {2, 3, 4}    Com({CT_i*})   Com(0)   NIWI 
H_12    (m_1, m_1, m_1, m_1)  2 {3, 4}    (f, f, f, f)      2 {2, 3, 4}    Com({CT_i*})   Com(0)   IND-secure FE 
H_13    (m_1, m_1, m_1, m_1)  1           (f, f, f, f)      2 {2, 3, 4}    Com({CT_i*})   Com(0)   NIWI 
H_14    (m_1, m_1, m_1, m_1)  1           (f, f, f, f)      2 {2, 3, 4}    Com({CT_i*})   Com(1)   Com-Hiding 
H_15    (m_1, m_1, m_1, m_1)  1           (f, f, f, f)      1              Com({CT_i*})   Com(1)   NIWI 
H_16    (m_1, m_1, m_1, m_1)  1           (f, f, f, f)      1              Com(0^len)     Com(1)   Com-Hiding 

- Hybrid H_6: This hybrid is identical to the previous hybrid except that 
we change the fourth component CT_4* of the challenge ciphertext to be 
an encryption of the challenge message m_1 (as opposed to m_0). That is, 
CT_4* = FE.Enc(MPK_4, m_1; r_4) for some random string r_4. Note that the proof 
π* is unchanged and is still proven for statement 2 of relation R. 

- Hybrid H_7: This hybrid is identical to the previous hybrid except that for 
every function secret key K_f, the proof γ is now computed for statement 2 
of relation R_1 using indices {1, 2, 4} as the set of 3 indices {i_1, i_2, i_3} in the 
witness. That is, the witness is w = (MSK_1, MSK_2, 0^{|MSK_3|}, MSK_4, s_1, s_2, 0^{|s_3|}, 
s_4, r_1, r_2, 0^{|r_3|}, r_4, 1, 2, 4, u, 0^{|u_1|}). 

- Hybrid H_8: This hybrid is identical to the previous hybrid except that 
we change the third component CT_3* of the challenge ciphertext to be an 
encryption of the challenge message m_1 (as opposed to m_0). That is, CT_3* = 
FE.Enc(MPK_3, m_1; r_3) for some random string r_3. 

Note that the proof π* is unchanged and is still proven for statement 2 of 
relation R. 

- Hybrid H_9: This hybrid is identical to the previous hybrid except that the 
proof π* in the challenge ciphertext is now computed for statement 2 of rela- 
tion R using message m_1 and indices {3, 4} as the 2 indices {i_1, i_2} in the 
witness. That is, the witness is w = (m_1, 0^{|r_1|}, 0^{|r_2|}, r_3, r_4, 3, 4, u, u_1). 


576 S. Badrinarayanan et al. 


Also, for every function secret key K-^, the proof 7 is now computed for state- 
ment 2 of relation R\ using indices { 1 , 3 , 4 } as the set of 3 indices {21,22,23} 
in the witness. That is, the witness is w = (MSK 1 ,oI MSK 2 I,MSK 3 ,MSK 4 ,si, 
0 |s 2 | ,s 3 ,S 4 ,ri, 0 |r 2 | ,r 3 ,r 4 , 1 , 3 , 4 ,m, 0 |ui1 ). 

- Hybrid Hiq: This hybrid is identical to the previous hybrid except that 
we change the second component CT2 of the challenge ciphertext to be 
an encryption of the challenge message mi (as opposed to mo). That is, 
CT; = FE.Enc(MPK 2 , mi; 7*2) for some random string r 2 . 

Note that the proof 7 r* is unchanged and is still proven for statement 2 of 
relation R. 

- Hybrid Hu: This hybrid is identical to the previous hybrid except that for 
every function secret key K^, the proof 7 is now computed for statement 2 
of relation Ri using indices { 2 , 3 , 4 } as the set of 3 indices {21,22,23} in the 
witness. That is, the witness is w = ( 0 ^ MSKl I , MSK 2 , MSK3, MSK4, O ^ 1 1 , s 2 , 53, 
s 4 , 07I , r 2 , r 3 , r 4 , 2, 3 , 4 , u, O^ 1 !). 

- Hybrid Hi 2 : This hybrid is identical to the previous hybrid except that 
we change the first component CT^ of the challenge ciphertext to be an 
encryption of the challenge message mi (as opposed to mo). That is, CT^ = 
FE.Enc(MPKi , mi; ri) for some random string 77. Note that the proof 7 r* is 
unchanged and is still proven for statement 2 of relation R. 

- Hybrid $H_{13}$: This hybrid is identical to the previous hybrid except that the
proof $\pi^*$ in the challenge ciphertext is now computed for statement 1 of
relation R. The witness is $w = (m_1, \{r_i\}_{i \in [4]}, 0, 0, 0^{|u|}, 0^{|u_1|})$.

- Hybrid $H_{14}$: This hybrid is identical to the previous hybrid except that $Z_1$ is
computed differently: $Z_1 = Com(1; u_1)$.

- Hybrid $H_{15}$: This hybrid is identical to the previous hybrid except that for
every function secret key $K_f$, the proof $\gamma$ is now computed for statement 1 of
relation $R_1$. The witness is
$w = (\{MSK_i\}_{i \in [4]}, \{s_i\}_{i \in [4]}, \{r_i\}_{i \in [4]}, 0^3, 0^{|u|}, u_1)$.

- Hybrid $H_{16}$: This hybrid is identical to the previous hybrid except that Z
is computed differently: $Z = Com(0^{len}; u)$. This hybrid is identical to the real
experiment with challenge bit b = 1.

Below we will prove that ($H_1 \approx_c H_2$) and ($H_5 \approx_c H_6$). The
indistinguishability of other hybrids will follow along the same lines and is
described in the full version [5].

Lemma 1 ($H_1 \approx_c H_2$). Assuming that Com is a (computationally) hiding
commitment scheme, the outputs of experiments $H_1$ and $H_2$ are computationally
indistinguishable.

Proof. The only difference between the two hybrids is the manner in which the
commitment Z is computed. Let's consider the following adversary $\mathcal{A}_{Com}$ that
interacts with a challenger $\mathcal{C}$ to break the hiding of the commitment scheme. Also,
internally, it acts as the challenger in the security game with an adversary $\mathcal{A}$
that tries to distinguish between $H_1$ and $H_2$. $\mathcal{A}_{Com}$ executes the hybrid
$H_1$ except that it does not generate the commitment Z on its own. Instead, after
receiving the challenge messages $(m_0, m_1)$ from $\mathcal{A}$, it computes
$CT^* = (\{CT_i^*\}_{i \in [4]}, \pi^*)$ as an encryption of message $m_0$ by following
the honest encryption algorithm as in $H_1$ and $H_2$. Then, it sends two strings,
namely $(0^{len})$ and $(\{CT_i^*\}_{i \in [4]})$, to the outside challenger $\mathcal{C}$.
In return, $\mathcal{A}_{Com}$ receives a commitment Z corresponding to either the first
or the second string. It then gives this to $\mathcal{A}$. Now, whatever bit b $\mathcal{A}$
guesses, $\mathcal{A}_{Com}$ forwards the same guess to the outside challenger $\mathcal{C}$.
Clearly, $\mathcal{A}_{Com}$ is a polynomial time algorithm and breaks the hiding property
of Com unless $H_1 \approx_c H_2$.

Lemma 2 ($H_5 \approx_c H_6$). Assuming that FE is a Sel-IND secure functional
encryption scheme, the outputs of experiments $H_5$ and $H_6$ are computationally
indistinguishable.

Proof. The only difference between the two hybrids is the manner in which the
challenge ciphertext is created. More specifically, in $H_5$, the fourth component
of the challenge ciphertext $CT_4^*$ is computed as an encryption of message $m_0$,
while in $H_6$, $CT_4^*$ is computed as an encryption of message $m_1$. Note that the
proof $\pi^*$ remains the same in both the hybrids.

Let's consider the following adversary $\mathcal{A}_{FE}$ that interacts with a challenger
$\mathcal{C}$ to break the security of the underlying FE scheme. Also, internally, it acts as
the challenger in the security game with an adversary $\mathcal{A}$ that tries to distinguish
between $H_5$ and $H_6$. $\mathcal{A}_{FE}$ executes the hybrid $H_5$ except that it does not
generate the parameters $(MPK_4, MSK_4)$ itself. It sets $MPK_4$ to be the public key
given by the challenger $\mathcal{C}$. After receiving the challenge messages $(m_0, m_1)$
from $\mathcal{A}$, it forwards the pair $(m_0, m_1)$ to the challenger $\mathcal{C}$ and receives a
ciphertext CT which is either an encryption of $m_0$ or $m_1$ using public key $MPK_4$.
$\mathcal{A}_{FE}$ sets $CT_4^* = CT$ and computes $CT^* = (\{CT_i^*\}_{i \in [4]}, \pi^*)$ as the
challenge ciphertext as in $H_5$. Note that proof $\pi^*$ is proved for statement 2 of
relation R. It then sets the public parameter $Z = Com(\{CT_i^*\}_{i \in [4]}; u)$ and
sends the master public key MPK and the challenge ciphertext $CT^*$ to $\mathcal{A}$.

Now, whatever bit b $\mathcal{A}$ guesses, $\mathcal{A}_{FE}$ forwards the same guess to the outside
challenger $\mathcal{C}$. Clearly, $\mathcal{A}_{FE}$ is a polynomial time algorithm and breaks the
security of the functional encryption scheme FE unless $H_5 \approx_c H_6$.

5 Construction of Verifiable Secret Key Functional Encryption

In this section, we give a compiler from any Sel-IND secure message hiding and
function hiding secret key functional encryption scheme to a Sel-IND secure
message hiding and function hiding verifiable secret key functional encryption
scheme. The resulting verifiable functional encryption scheme has the same security
properties as the underlying one; that is, the resulting scheme is q-query
secure if the original scheme that we started out with was q-query secure, and so
on, where q refers to the number of function secret key queries (or encryption
queries) that the adversary is allowed to make. We prove the following theorem.
Theorem 6. Let $\mathcal{F} = \{\mathcal{F}_\lambda\}_{\lambda \in \mathbb{N}}$ be a parameterized collection of functions.
Then, assuming there exists a Sel-IND secure message hiding and function
hiding secret key functional encryption scheme FE for the class of functions
$\mathcal{F}$, a non-interactive witness indistinguishable proof system, and a non-interactive
perfectly binding and computationally hiding commitment scheme, the proposed
scheme VFE is a Sel-IND secure message hiding and function hiding verifiable
secret key functional encryption scheme for the class of functions $\mathcal{F}$ according
to Definition 3.

Notation: Without loss of generality, let's assume that every plaintext message
is of length $\lambda$ where $\lambda$ denotes the security parameter of our scheme
and that the length of every function in $\mathcal{F}_\lambda$ is the same. Let (Prove, Verify)
be a non-interactive witness-indistinguishable (NIWI) proof system for NP,
FE = (FE.Setup, FE.Enc, FE.KeyGen, FE.Dec) be a Sel-IND secure message hiding
and function hiding secret key functional encryption scheme, and Com be a
statistically binding and computationally hiding commitment scheme. Without loss
of generality, let's say Com commits to a string bit-by-bit and uses randomness
of length $\lambda$ to commit to a single bit. We denote the length of ciphertexts in
FE by $c\text{-}len = c\text{-}len(\lambda)$. Let the length of every function secret key in FE be
$k\text{-}len = k\text{-}len(\lambda)$. Let $len_{CT} = 5 \cdot c\text{-}len$ and $len_f = 5 \cdot k\text{-}len$.

Our scheme VFE = (VFE.Setup, VFE.Enc, VFE.KeyGen, VFE.Dec, VFE.VerifyCT,
VFE.VerifyK) is as follows:

- Setup VFE.Setup($1^\lambda$):

The setup algorithm does the following:

1. For all $i \in [5]$, compute $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$ and
$S_i = Com(MSK_i; s_i)$ using randomness $s_i$.

2. Set $Z_{CT} = Com(0^{len_{CT}}; a)$ and $Z_f = Com(0^{len_f}; b)$ where $a, b$ represent the
randomness used in the commitments.

3. For all $i \in [3]$, set $Z_i = Com(1; u_i)$ where $u_i$ represents the randomness
used in the commitment. Let's denote $u\text{-}len = |u_1| + |u_2| + |u_3|$.

The public parameters are $PP = (\{S_i\}_{i \in [5]}, Z_{CT}, Z_f, \{Z_i\}_{i \in [3]})$.

The master secret key is
$MSK = (\{MSK_i\}_{i \in [5]}, \{p_i\}_{i \in [5]}, \{s_i\}_{i \in [5]}, a, b, \{u_i\}_{i \in [3]})$.

- Encryption VFE.Enc(PP, MSK, m):

To encrypt a message m, the encryption algorithm does the following:

1. For all $i \in [5]$, compute $CT_i = FE.Enc(MSK_i, m; r_i)$.

2. Compute a proof $\pi \leftarrow Prove(y, w)$ for the statement that $y \in L$ using
witness w where:

$y = (\{CT_i\}_{i \in [5]}, PP)$,
$w = (m, MSK, \{r_i\}_{i \in [5]}, 0^2, 5, 0)$.

L is defined corresponding to the relation R defined below.

- Relation R:

Instance: $y = (\{CT_i\}_{i \in [5]}, PP)$

Witness: $w = (m, MSK, \{r_i\}_{i \in [5]}, i_1, i_2, j, k)$

$R(y, w) = 1$ if and only if either of the following conditions hold:

1. 4 out of the 5 constituent ciphertexts (except index j) encrypt the same
message and are constructed using honestly generated secret keys. Also,
$Z_1$ is a commitment to 1. That is,

(a) $\forall i \in [5] \setminus \{j\}$, $CT_i = FE.Enc(MSK_i, m; r_i)$.

(b) $\forall i \in [5] \setminus \{j\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_1 = Com(1; u_1)$

(OR)

2. 2 constituent ciphertexts (corresponding to indices $i_1, i_2$) encrypt the
same message and are constructed using honestly generated secret keys.
$Z_{CT}$ is a commitment to all the constituent ciphertexts, $Z_2$ is a commitment
to 0 and $Z_3$ is a commitment to 1. That is,

(a) $\forall i \in \{i_1, i_2\}$, $CT_i = FE.Enc(MSK_i, m; r_i)$.

(b) $\forall i \in \{i_1, i_2\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_{CT} = Com(\{CT_i\}_{i \in [5]}; a)$.

(d) $Z_2 = Com(0; u_2)$.

(e) $Z_3 = Com(1; u_3)$.

(OR)

3. 4 out of 5 constituent ciphertexts (except for index k) encrypt the same
message and are constructed using honestly generated secret keys. $Z_f$ is
a commitment to a set of function secret keys K such that each constituent
function secret key in K when decrypted with the corresponding ciphertext
gives the same output. That is,

(a) $\forall i \in [5] \setminus \{k\}$, $CT_i = FE.Enc(MSK_i, m; r_i)$.

(b) $\forall i \in [5] \setminus \{k\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_f = Com(\{K_i\}_{i \in [5]}; b)$.

(d) $\exists x \in \mathcal{X}_\lambda$ such that $\forall i \in [5]$, $FE.Dec(CT_i, K_i) = x$

The output of the algorithm is the ciphertext $CT = (\{CT_i\}_{i \in [5]}, \pi)$.

$\pi$ is computed for statement 1 of relation R.

- Key Generation VFE.KeyGen(PP, MSK, f):

To generate the function secret key for a function f, the key generation
algorithm does the following:

1. $\forall i \in [5]$, compute $K_i = FE.KeyGen(MSK_i, f; r_i)$.

2. Compute a proof $\gamma \leftarrow Prove(y, w)$ for the statement that $y \in L_1$ using
witness w where:

$y = (\{K_i\}_{i \in [5]}, PP)$,
$w = (f, MSK, \{r_i\}_{i \in [5]}, 0^3, 5, 0)$.

$L_1$ is defined corresponding to the relation $R_1$ defined below.

- Relation $R_1$:

Instance: $y = (\{K_i\}_{i \in [5]}, PP)$.

Witness: $w = (f, MSK, \{r_i\}_{i \in [5]}, i_1, i_2, j, k)$

$R_1(y, w) = 1$ if and only if either of the following conditions hold:

1. 4 out of 5 constituent function secret keys (except index j) are keys for
the same function and are constructed using honestly generated secret
keys. Also, $Z_2$ is a commitment to 1. That is,

(a) $\forall i \in [5] \setminus \{j\}$, $K_i = FE.KeyGen(MSK_i, f; r_i)$.

(b) $\forall i \in [5] \setminus \{j\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_2 = Com(1; u_2)$

(OR)

2. 4 out of 5 constituent function secret keys (except index k) are keys for the
same function and are constructed using honestly generated secret keys.
$Z_{CT}$ is a commitment to a set of ciphertexts CT such that each constituent
ciphertext in CT when decrypted with the corresponding function secret
key gives the same output. That is,

(a) $\forall i \in [5] \setminus \{k\}$, $K_i = FE.KeyGen(MSK_i, f; r_i)$.

(b) $\forall i \in [5] \setminus \{k\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_{CT} = Com(CT; a)$.

(d) $\exists x \in \mathcal{X}_\lambda$ such that $\forall i \in [5]$, $FE.Dec(CT_i, K_i) = x$

(OR)

3. 2 constituent function secret keys (corresponding to indices $i_1, i_2$) are keys
for the same function and are constructed using honestly generated secret
keys. $Z_f$ is a commitment to all the constituent function secret keys, $Z_1$
is a commitment to 0 and $Z_3$ is a commitment to 0. That is,

(a) $\forall i \in \{i_1, i_2\}$, $K_i = FE.KeyGen(MSK_i, f; r_i)$.

(b) $\forall i \in \{i_1, i_2\}$, $S_i = Com(MSK_i; s_i)$ and $MSK_i \leftarrow FE.Setup(1^\lambda; p_i)$

(c) $Z_f = Com(\{K_i\}_{i \in [5]}; b)$.

(d) $Z_1 = Com(0; u_1)$.

(e) $Z_3 = Com(0; u_3)$.

The output of the algorithm is the function secret key $K_f = (\{K_i\}_{i \in [5]}, \gamma)$.

$\gamma$ is computed for statement 1 of relation $R_1$.

- Decryption VFE.Dec(PP, $K_f$, CT):

This algorithm decrypts the ciphertext $CT = (\{CT_i\}_{i \in [5]}, \pi)$ using function
secret key $K_f = (\{K_i\}_{i \in [5]}, \gamma)$ in the following way:

1. Let $y = (\{CT_i\}_{i \in [5]}, PP)$ be the statement corresponding to proof $\pi$. If
$Verify(y, \pi) = 0$, then stop and output $\bot$. Else, continue to the next step.

2. Let $y_1 = (\{K_i\}_{i \in [5]}, PP)$ be the statement corresponding to proof $\gamma$. If
$Verify(y_1, \gamma) = 0$, then stop and output $\bot$. Else, continue to the next
step.

3. For $i \in [5]$, compute $m_i = FE.Dec(CT_i, K_i)$. If at least 3 of the $m_i$ are
equal (let's say that value is m), output m. Else, output $\bot$.

- VerifyCT VFE.VerifyCT(PP, CT):

Given a ciphertext $CT = (\{CT_i\}_{i \in [5]}, \pi)$, this algorithm checks whether the
ciphertext was generated correctly using the master secret key corresponding
to the public parameters PP. Let $y = (\{CT_i\}_{i \in [5]}, PP)$ be the statement
corresponding to proof $\pi$. If $Verify(y, \pi) = 1$, it outputs 1. Else, it outputs 0.

- VerifyK VFE.VerifyK(PP, K):

Given a function secret key $K = (\{K_i\}_{i \in [5]}, \gamma)$, this algorithm checks whether
the key was generated correctly for some function using the master secret
key corresponding to public parameters PP. Let $y = (\{K_i\}_{i \in [5]}, PP)$ be the
statement corresponding to proof $\gamma$. If $Verify(y, \gamma) = 1$, it outputs 1. Else, it
outputs 0.
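The following is an added model of the counting argument behind the construction above; it is not code from the paper. It abstracts each statement of R and $R_1$ by the guarantees its NIWI proof gives (how many constituent components are honest, which flag commitments $Z_1, Z_2, Z_3$ it pins, and whether it opens $Z_{CT}$ or $Z_f$), then checks every (ciphertext statement, key statement) pair: either the pair is ruled out by a perfectly binding flag, or at least 3 of the 5 constituent decryptions are forced to agree, which is what step 3 of VFE.Dec relies on.

```python
"""Added model (not the paper's code) of why five FE instances, the
4-of-5 / 2-of-5 statements of R and R_1, the flag commitments Z_1..Z_3
and a majority threshold of 3 make VFE.Dec unambiguous."""
from itertools import combinations

N = 5          # constituent FE instances per ciphertext / key
THRESHOLD = 3  # step 3 of VFE.Dec: output m only if >= 3 of the m_i agree

# Per statement, the guarantees that hold once its NIWI proof verifies:
#   honest : constituent components honestly generated for one m / one f
#            (4 = all indices but one, 2 = the two chosen indices)
#   flags  : bits pinned on the commitments Z_1, Z_2, Z_3 in PP
#   binds  : (commitment, role); "self" = Z_CT / Z_f opens to the components
#            being decrypted, "other" = it opens to counterpart components that
#            decrypt consistently at all five indices
CT_STATEMENTS = {   # relation R (ciphertexts)
    1: dict(honest=4, flags={"Z1": 1}, binds=None),
    2: dict(honest=2, flags={"Z2": 0, "Z3": 1}, binds=("Z_CT", "self")),
    3: dict(honest=4, flags={}, binds=("Z_f", "other")),
}
KEY_STATEMENTS = {  # relation R_1 (function secret keys)
    1: dict(honest=4, flags={"Z2": 1}, binds=None),
    2: dict(honest=4, flags={}, binds=("Z_CT", "other")),
    3: dict(honest=2, flags={"Z1": 0, "Z3": 0}, binds=("Z_f", "self")),
}


def compatible(ct_stmt, key_stmt):
    """A perfectly binding Z_i cannot open to both 0 and 1, so a ciphertext
    statement and a key statement that pin the same Z_i to different bits
    can never both hold under one set of public parameters."""
    return all(key_stmt["flags"].get(z, v) == v
               for z, v in ct_stmt["flags"].items())


def guaranteed_agreement(ct_stmt, key_stmt):
    """Lower bound on the number of indices i at which FE.Dec(CT_i, K_i)
    yields the same value, minimised over the adversary's choice of which
    indices are dishonest."""
    cb, kb = ct_stmt["binds"], key_stmt["binds"]
    # One side opens Z_CT (or Z_f) to the components themselves, the other
    # opens the same commitment to a counterpart that decrypts consistently
    # everywhere: binding forces them to be the same object, so all 5 agree.
    if cb and kb and cb[0] == kb[0] and {cb[1], kb[1]} == {"self", "other"}:
        return N
    # Otherwise only honest pairs are known to decrypt to f(m); S_i binds
    # MSK_i, so an honest CT_i and an honest K_i at the same index match.
    worst = N
    for hc in combinations(range(N), ct_stmt["honest"]):
        for hk in combinations(range(N), key_stmt["honest"]):
            worst = min(worst, len(set(hc) & set(hk)))
    return worst


def analyse():
    """(ciphertext statement, key statement) -> None if the pair is ruled out
    by the flag commitments, else the guaranteed agreement count."""
    return {
        (s, t): (guaranteed_agreement(ct, key) if compatible(ct, key) else None)
        for s, ct in CT_STATEMENTS.items()
        for t, key in KEY_STATEMENTS.items()
    }


def every_verified_pair_meets_threshold():
    """True iff every compatible pair guarantees >= THRESHOLD agreeing
    decryptions, so no verified ciphertext/key pair can yield two majorities."""
    return all(v is None or v >= THRESHOLD for v in analyse().values())


def majority_or_bottom(outputs):
    """Step 3 of VFE.Dec on the five constituent outputs: the value shared by
    at least THRESHOLD of them, or None standing in for bottom."""
    for value in set(outputs):
        if outputs.count(value) >= THRESHOLD:
            return value
    return None


if __name__ == "__main__":
    for pair, agree in sorted(analyse().items()):
        print(pair, "ruled out by Z flags" if agree is None else f"{agree} agree")
    print("all verified pairs safe:", every_verified_pair_meets_threshold())
    # constructed sample: two of the five constituent decryptions disagree
    print(majority_or_bottom(["f(m)", "f(m)", "f(m)", "junk", "other"]))
```

Dropping the $Z_{CT}$ / $Z_f$ binding case in `guaranteed_agreement` makes the (2, 2) and (3, 3) pairs fall to a single agreeing index, which is why the construction commits to the whole ciphertext and key vectors rather than relying on the honest-index counts alone.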
Correctness: Correctness follows directly from the correctness of the underlying
FE scheme, correctness of the commitment scheme and the completeness of
the NIWI proof system.

The proofs for verifiability and security can be found in the full version [5]. 

Verifiable Multi-Input Functional Encryption: We also study verifiability 
in the case of multi-input functional encryption. The construction (and proofs) 
of a verifiable multi-input functional encryption scheme are given in the full 
version [5]. 

6 Verifiable Indistinguishability Obfuscation 

In this section, we first recall the notion of indistinguishability obfuscation
that was first proposed by [6] and then define the notion of verifiable
indistinguishability obfuscation. For indistinguishability obfuscation, intuitively, we
require that for any two circuits $C_0$ and $C_1$ that are "functionally equivalent"
(i.e. for all inputs x in the domain, $C_0(x) = C_1(x)$), the obfuscation of $C_0$ must be
computationally indistinguishable from the obfuscation of $C_1$. Below, we present
the formal definition following the syntax of [14].

Definition 5 (Indistinguishability Obfuscation). A uniform PPT machine iO is
called an indistinguishability obfuscator for a circuit class $\{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$ if the
following conditions are satisfied:

- Functionality:

For every $\lambda \in \mathbb{N}$, every $C \in \mathcal{C}_\lambda$, every input x to C:

$\Pr[(iO(C))(x) \neq C(x)] \le negl(|C|)$,

where the probability is over the coins of iO.

- Polynomial Slowdown:

There exists a polynomial q such that for every $\lambda \in \mathbb{N}$ and every $C \in \mathcal{C}_\lambda$, we
have that $|iO(C)| \le q(|C|)$.

- Indistinguishability:

For all PPT distinguishers D, there exists a negligible function $\alpha$ such that for
every $\lambda \in \mathbb{N}$, for all pairs of circuits $C_0, C_1 \in \mathcal{C}_\lambda$, we have that if $C_0(x) = C_1(x)$
for all inputs x, then

$|\Pr[D(iO(C_0))] - \Pr[D(iO(C_1))]| \le \alpha(\lambda)$.

Definition 6 ($(L, \mathcal{C})$-Restricted Verifiable Indistinguishability Obfuscation).
Let $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$ denote an ensemble where each $\mathcal{C}_\lambda$ is a finite collection of
circuits. Let L be any language in NP defined by a relation R satisfying the
following two properties:

1. For any two circuits $C_0, C_1 \in \mathcal{C}$, if there exists a string w such that
$R(C_0, C_1, w) = 1$, then $C_0$ is equivalent to $C_1$.

2. For any circuit $C \in \mathcal{C}$, $R(C, C, 0) = 1$.

Let $\mathcal{X}_\lambda$ be the ensemble of inputs to circuits in $\mathcal{C}_\lambda$. Let $\mathcal{P} = \{\mathcal{P}_\lambda\}_{\lambda \in \mathbb{N}}$ be an
ensemble where each $\mathcal{P}_\lambda$ is a collection of predicates and each predicate $P \in \mathcal{P}_\lambda$
takes as input a circuit $C \in \mathcal{C}_\lambda$ and outputs a bit. A verifiable indistinguishability
obfuscation scheme consists of the following algorithms:

- $viO(1^\lambda, C, P \in \mathcal{P}_\lambda) \to \tilde{C}$. viO is a PPT algorithm that takes as input a security
parameter $\lambda$, a circuit $C \in \mathcal{C}_\lambda$ and a predicate P in $\mathcal{P}_\lambda$. It outputs an obfuscated
circuit $\tilde{C}$.

- $Eval(\tilde{C}, x, P \in \mathcal{P}_\lambda) \to y$. Eval is a deterministic algorithm that takes as input
an obfuscation $\tilde{C}$, an input x and a predicate P in $\mathcal{P}_\lambda$. It outputs a string y.

The scheme must satisfy the following properties:

- Functionality:

For every $\lambda \in \mathbb{N}$, every $C \in \mathcal{C}_\lambda$, every $P \in \mathcal{P}_\lambda$ such that $P(C) = 1$ and every
input x to C:

$\Pr[Eval(viO(\lambda, C, P), x, P) \neq C(x)] = 0$,

where the probability is over the coins of viO.

- Polynomial Slowdown:

There exists a polynomial q such that for every $\lambda \in \mathbb{N}$, every $C \in \mathcal{C}_\lambda$ and
every $P \in \mathcal{P}_\lambda$, we have that $|viO(\lambda, C, P)| \le q(|C| + |P| + \lambda)$. We also require
that the running time of Eval on input $(\tilde{C}, x, P)$ is polynomially bounded in
$|P| + \lambda + |\tilde{C}|$.

- Indistinguishability:

We define indistinguishability with respect to two adversaries $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$.
We place no restriction on the running time of $\mathcal{A}_1$. On input $1^\lambda$, $\mathcal{A}_1$ outputs
two equivalent circuits $(C_0, C_1)$ in $\mathcal{C}_\lambda$, such that $(C_0, C_1) \in L$. For all PPT
distinguishers $\mathcal{A}_2$, there exists a negligible function $\alpha$ such that for every $\lambda \in \mathbb{N}$,
for pairs of circuits $(C_0, C_1)$ and for all predicates $P \in \mathcal{P}_\lambda$, we have that if
$C_0(x) = C_1(x)$ for all inputs x and $P(C_0) = P(C_1)$, then

$|\Pr[\mathcal{A}(viO(\lambda, C_0, P))] - \Pr[\mathcal{A}(viO(\lambda, C_1, P))]| \le negl(\lambda)$

- Verifiability:

In addition to the above algorithms, there exists an additional deterministic
polynomial time algorithm VerifyO that takes as input a string in $\{0, 1\}^*$
and a predicate $P \in \mathcal{P}_\lambda$. It outputs 1 or 0. We say that the obfuscator viO
is verifiable if: For any $P \in \mathcal{P}_\lambda$ and $\tilde{C} \in \{0, 1\}^*$, if $VerifyO(\tilde{C}, P) = 1$,
then there exists a circuit $C \in \mathcal{C}_\lambda$ such that $P(C) = 1$ and for all $x \in \mathcal{X}_\lambda$,
$Eval(\tilde{C}, x, P) = C(x)$.
6.1 Construction

Let $\mathcal{C} = \{\mathcal{C}_\lambda\}_\lambda$ be the set of all polynomial sized circuits and let $L_{eq}$ be an NP
language given by some relation $R_{eq}$.

Relation $R_{eq}$:

Instance: $C', D'$

Witness: $\gamma$

$R_{eq}(C', D', \gamma) = 1$ implies that:

1. $C' = D' \in \mathcal{C}_\lambda$ for some $\lambda \in \mathbb{N}$. That is, both circuits are equal. (OR)

2. $C', D' \in \mathcal{C}_\lambda$, and there exists a witness $\gamma$ of size $poly(|C'|, |D'|)$ proving that
$C'$ is functionally equivalent to $D'$.

We now construct an $(L_{eq}, \mathcal{C})$-restricted verifiable indistinguishability
obfuscation scheme. Let iO be a perfectly correct indistinguishability obfuscator and
(Prove, Verify) be a NIWI for NP. Formally, we prove the following theorem:

Theorem 7. Assuming NIWI is a witness indistinguishable proof system and iO
is a secure indistinguishability obfuscator for $\mathcal{C}_\lambda$, the proposed scheme viO is a
secure $(L_{eq}, \mathcal{C})$-restricted verifiable indistinguishability obfuscator.

$viO(1^\lambda, C, P)$: The obfuscator does the following.

- Compute $C^i = iO(C; r_i)$ $\forall i \in [3]$.

- Compute a NIWI proof $\pi$ for the following statement $(P, C^1, C^2, C^3) \in L$
using witness $(1, 2, C, C, r_1, r_2, 0)$ where L is an NP language defined by the
following relation $R_1$ where

Relation $R_1$

Instance: $y = (P, C^1, C^2, C^3)$

Witness: $w = (i, j, C_i, C_j, r_i, r_j, \gamma)$

$R_1(y, w) = 1$ if and only if:

1. $C^i = iO(C_i; r_i)$ and $C^j = iO(C_j; r_j)$ where $i \neq j$ and $i, j \in [3]$. (AND)

2. $P(C_i) = P(C_j) = 1$ (AND)

3. $R_{eq}(C_i, C_j, \gamma) = 1$.

- Output $(C^1, C^2, C^3, \pi)$ as the obfuscation.

$Eval(\tilde{C} = (C^1, C^2, C^3, \pi), x, P)$: To evaluate:

- Verify the proof $\pi$. Output $\bot$ if the verification fails.

- Otherwise, output the majority of

We now investigate the properties of this scheme. 

Correctness: By completeness of NIWI and correctness of the obfuscator iO it
is straightforward to see that our obfuscator is correct.

Verifiability: We now present the algorithm VerifyO. It takes as input an
obfuscation $(C^1, C^2, C^3, \pi)$ and a predicate P. It outputs 1 if $\pi$ verifies and
0 otherwise. Note that if it verifies then there are two indices $i, j \in [3]$ such
that $C^i$ ($C^j$) is an iO obfuscation of some circuit $C_i$ ($C_j$) and it holds that
$P(C_i) = P(C_j) = 1$. Also, either $C_i = C_j$ or $C_i$ is equivalent to $C_j$ (due to the
soundness of NIWI). Hence, the evaluate algorithm always outputs $C_i(x)$ on any
input x due to perfect correctness of iO.

Security Proof: Let P be a predicate and $(C_0, C_1)$ be any two equivalent
circuits in $\mathcal{C}_\lambda$ such that $P(C_0) = P(C_1) = 1$ and there exists a string $\gamma_1$ such that
$R_{eq}(C_0, C_1, \gamma_1) = 1$. Let $(C^1, C^2, C^3, \pi)$ be the challenge obfuscated circuit. We
now define indistinguishable hybrids such that the first hybrid ($Hybrid_0$)
corresponds to the real world security game where the challenger obfuscates $C_0$ and
the final hybrid ($Hybrid_5$) corresponds to the security game where the challenger
obfuscates $C_1$.

- $Hybrid_0$: In this hybrid, $C^i = iO(C_0; r_i)$ $\forall i \in [3]$ and $(1, 2, C_0, C_0, r_1, r_2, 0)$
is used as a witness to compute $\pi$.

- $Hybrid_1$: This hybrid is the same as the previous hybrid except that $C^3$ is
computed as $C^3 = iO(C_1; r_3)$.

- $Hybrid_2$: This hybrid is the same as the previous hybrid except that the witness
used to compute $\pi$ is $(1, 3, C_0, C_1, r_1, r_3, \gamma_1)$ where $\gamma_1$ is the witness for the
statement $(C_0, C_1) \in L_{eq}$.

- $Hybrid_3$: This hybrid is identical to the previous hybrid except that $C^2$ is
computed as $C^2 = iO(C_1; r_2)$.

- $Hybrid_4$: This hybrid is the same as the previous hybrid except that the witness
used to compute $\pi$ is $(2, 3, C_1, C_1, r_2, r_3, 0)$.

- $Hybrid_5$: This hybrid is identical to the previous hybrid except that
$C^1 = iO(C_1; r_1)$. This hybrid corresponds to the real world security game where the
challenger obfuscates $C_1$.

Now, we prove indistinguishability of the hybrids. 

Lemma 3. Assuming iO is a secure indistinguishability obfuscator for $\mathcal{C}_\lambda$,
$Hybrid_0$ is computationally indistinguishable from $Hybrid_1$.

Proof. Note that the only difference between $Hybrid_0$ and $Hybrid_1$ is the way $C^3$
is generated. In $Hybrid_0$, it is generated as an obfuscation of $C_0$, while in $Hybrid_1$
it is generated as an obfuscation of $C_1$. Since $C_0$ and $C_1$ are equivalent the lemma
now follows from the security of iO.

Lemma 4. Assuming NIWI is a witness indistinguishable proof system, $Hybrid_1$
is computationally indistinguishable from $Hybrid_2$.

Proof. Note that the only difference between $Hybrid_1$ and $Hybrid_2$ is the way in
which $\pi$ is generated. In $Hybrid_1$ it uses $(1, 2, C_0, C_0, r_1, r_2, 0)$ as its witness while
in $Hybrid_2$ it uses $(1, 3, C_0, C_1, r_1, r_3, \gamma_1)$ as its witness where $\gamma_1$ is the witness
for the instance $(C_0, C_1)$ satisfying the relation $R_{eq}$. The lemma now follows due
to the witness indistinguishability of NIWI.

Lemma 5. Assuming iO is a secure indistinguishability obfuscator for $\mathcal{C}_\lambda$,
$Hybrid_2$ is computationally indistinguishable from $Hybrid_3$.

Proof. The only difference between the two hybrids is that $C^2$ is generated as
an obfuscation of $C_0$ in $Hybrid_2$ and as an obfuscation of $C_1$ in $Hybrid_3$. Since $C_0$
and $C_1$ are equivalent the lemma now follows from the security of iO.

Lemma 6. Assuming NIWI is a witness indistinguishable proof system, $Hybrid_3$
is computationally indistinguishable from $Hybrid_4$.

Proof. Note that the only difference between $Hybrid_3$ and $Hybrid_4$ is the way
$\pi$ is generated. In $Hybrid_3$ it uses $(1, 3, C_0, C_1, r_1, r_3, \gamma_1)$ as its witness while in
$Hybrid_4$ it uses $(2, 3, C_1, C_1, r_2, r_3, 0)$ as its witness where $\gamma_1$ is the witness for
the instance $(C_0, C_1)$ satisfying the relation $R_{eq}$. The lemma now follows due to
the witness indistinguishability of NIWI.

Lemma 7. Assuming iO is a secure indistinguishability obfuscator for $\mathcal{C}_\lambda$,
$Hybrid_4$ is computationally indistinguishable from $Hybrid_5$.

Proof. The only difference between the two hybrids is that $C^1$ is generated as
an obfuscation of $C_0$ in $Hybrid_4$ and as an obfuscation of $C_1$ in $Hybrid_5$. Since $C_0$
and $C_1$ are equivalent the lemma now follows from the security of iO.
Abstract. We propose a new generic framework for achieving fully secure
attribute based encryption (ABE) in prime-order bilinear groups. Previous
generic frameworks by Wee (TCC'14) and Attrapadung (Eurocrypt'14) were given
in composite-order bilinear groups. Both provide abstractions of dual-system
encryption techniques introduced by Waters (Crypto'09). Our framework can be
considered as a prime-order version of Attrapadung's framework and works in a
similar manner: it relies on a main component called pair encodings, and it
generically compiles any secure pair encoding scheme for a predicate in
consideration to a fully secure ABE scheme for that predicate. One feature of our
new compiler is that although the resulting ABE schemes will be newly defined in
prime-order groups, we require essentially the same security notions of pair
encodings as before. Beside the security of pair encodings, our framework assumes
only the Matrix Diffie-Hellman assumption (Escala et al., Crypto'13), which
includes the Decisional Linear assumption as a special case.

Recently and independently, prime-order frameworks are proposed also
by Chen et al. (Eurocrypt'15), and Agrawal and Chase (TCC'16-A). The
main difference is that their frameworks can deal only with information-
theoretic encodings, while ours can also deal with computational ones,
which admit wider applications. We demonstrate our applications by
obtaining the first fully secure prime-order realizations of ABE for regular
languages, ABE for monotone span programs with short-ciphertext, short-
key, or completely unbounded property, and ABE for branching programs
with short-ciphertext, short-key, or unbounded property.


Keywords: Attribute-based encryption • Full security • Prime-order 
groups 


1 Introduction 

Attribute based encryption (ABE), initiated by Sahai and Waters [40], is an
emerging paradigm that extends beyond normal public-key encryption. In an
ABE scheme for predicate $R: \mathbb{X} \times \mathbb{Y} \to \{0, 1\}$, a ciphertext is associated with a
ciphertext attribute, say, $Y \in \mathbb{Y}$, while a key is associated with a key attribute,
say, $X \in \mathbb{X}$, and the decryption is possible if and only if $R(X, Y) = 1$.¹ In Key-
Policy (KP) type, $\mathbb{X}$ is a set of Boolean functions (often called policies), while $\mathbb{Y}$
is a set of inputs to functions, and we define $R(f, x) = f(x)$. Ciphertext-Policy
(CP) type is the dual of KP where the roles of $\mathbb{X}$ and $\mathbb{Y}$ are swapped (that
is, policies are associated to ciphertexts). Besides direct applications of fine-
grained access control [21], ABE is also known to imply verifiable computation
outsourcing [38].

The standard security requirement for ABE is full security, where an adversary
is allowed to adaptively query keys for any attribute X as long as $R(X, Y) = 0$,
where Y is an adversarially chosen attribute for a challenge ciphertext. Dual
system encryption techniques introduced by Waters [44] have been successful
approaches for constructing fully secure ABE systems that are based on bilinear
groups. Despite being versatile, as they can be applied to ABE systems for many
predicates, until only recently there were no known generic frameworks that can
use the techniques in a black-box and modular manner. Wee [46] and
Attrapadung [3] recently proposed such generic frameworks that abstract
the dual system techniques by decoupling what seem to be essential underlying
primitives and characterizing their sufficient conditions so as to obtain fully-
secure ABE automatically via generic constructions. However, their frameworks
are inherently constructed over bilinear groups of composite order. Although
composite-order bilinear groups are more intuitive to work with, especially in
the case of dual system techniques, prime-order bilinear groups are preferable
as they provide more efficient and compact instantiations. This has been
motivated already in a line of research [18,22,24,28,29,34,36,41]. More
concretely, group elements in composite-order groups are more than 12 times larger
than those in prime-order groups for the same security level (3072 bits or 3248
bits for composite-order vs 256 bits for prime-order in case of 128-bit security,
according to NIST or ECRYPT II recommendations [22]). Regarding time
performance, Guillevic [22] reported that bilinear pairings are 254 times slower in
composite-order than in prime-order groups for the same 128-bit security.
Moreover, exponentiations are also more than 200 times slower [22, Table 6]. In this
work, our goal is to propose a generic framework for dual-system encryption in
prime-order groups.

The generic frameworks of [3,46] work similarly but with the difference
that the latter [3] captures also dual system techniques with computational
approaches, which are generalized from techniques implicitly used in the ABE
of Lewko and Waters [32]. (The former [46] only captures the traditional dual
systems, which implicitly use information-theoretic approaches). Using
computational approaches, the framework of [3] is able to obtain the first fully
secure schemes for many ABE primitives for which only selectively secure
constructions were known before, including KP-ABE for regular languages [45],


1 Traditionally, ABE refers to only ABE for Boolean formulae predicate [21]. In this 
paper, however, we use the term ABE for arbitrary predicate R. Indeed, it corre- 
sponds to the “public-index predicate encryption” class of functional encryption, as 
per [12]. 
KP-ABE for Boolean formulae² with constant-size ciphertexts [9], and
(completely) unbounded KP-ABE for Boolean formulae [31,39]. Moreover,
Attrapadung and Yamada [10] recently showed that, within the framework of [3], we
can generically convert ABE to its dual scheme, i.e., key-policy to ciphertext-
policy type, and vice versa. They also show a conversion to its dual-policy [8]
type, which is the conjunctive of KP and CP. Many instantiations were then
obtained in [10], including the first CP-ABE for formulae with short keys. We
therefore choose to build upon [3].


1.1 Our Contributions on Framework 

New Framework. We present a new generic framework for achieving fully
secure ABE in prime-order groups. It is generic in the sense that it can be
applied to ABE for arbitrary predicate. Our framework extends the framework
of [3], which was constructed in composite-order groups, and works in a similar
manner as follows. First, the main component is a primitive called pair encoding
scheme defined for a predicate. Second, we provide a generic construction that
compiles any secure pair encoding scheme for a predicate R to a fully secure ABE
scheme for the same predicate R. The security requirement for the underlying
encoding scheme is exactly the same as that in the framework of [3]; in particular,
our framework can deal with both information-theoretic and computational
encodings. On the other hand, we restrict the syntax of encodings into a class we
call regular encodings, via some simple requirements. This confinement, however,
seems natural and does not affect any concrete pair encoding schemes proposed
so far [3,10,46]. Beside the security of pair encodings, our framework assumes
only the Matrix Diffie-Hellman assumption [17], which includes the Decisional
Linear assumption as a special case.

Conceptually, since our framework uses the same security requirement for 
pair encodings as in the composite-order framework of [3], we can view it as 
an automatic way for translating ABE from composite-order to prime-order 
settings. 

Prime-order frameworks are recently and independently proposed by Chen, 
Gay, and Wee [14] and Agrawal and Chase [2], albeit they can deal only with 
information-theoretic encodings. We compare them later in Sect. 1.4. As a side 
result, we also simplify our scheme using a simpler basis from [14] in Sect. 8. 


1.2 Our Contributions on Instantiations 

New Instantiations (the First in Prime-order Settings). By using exactly
the same encoding instantiations in [3,10], we automatically obtain fully secure
ABE schemes, for the first time in prime-order groups, for various predicates:

- KP-ABE and CP-ABE for regular languages,


2 Or more precisely, ABE for monotone span programs, which implies ABE for Boolean 
formulae [21]. We will use both terms interchangeably. 
Table 1. Composite-order ABE, positioned by properties (for comparing to Table 2)

Predicate            | Security  | Universe | Unbounded Input | Unbounded Multi-use | KP                             | CP                             | DP
---------------------|-----------|----------|-----------------|---------------------|--------------------------------|--------------------------------|----------
ABE-PDS              | full      |          | -               | -                   | A14 [3]                        | AY15 [10]                      | AY15 [10]
Unbounded ABE-MSP    | selective | large    | yes             | yes                 | LW11 [32]                      | sub                            | sub
                     | full      | small    | yes             | yes                 | sub                            | LW12 [33]                      | sub
                     | full      | large    | yes             | no                  | sub                            | sub                            | sub
                     | full      | large    | yes             | yes                 | A14 [3]                        | AY15 [10]                      | AY15 [10]
Short-Cipher ABE-MSP | selective | large    | no              | yes                 | sub                            | sub                            | open
                     | semi      | large    | no              | yes                 | sub                            | AC16 [2]                       | open
                     | full      | large    | no              | yes                 | A14 [3]                        | open                           | open
Short-Key ABE-MSP    | selective | large    | no              | yes                 | sub                            | sub                            | open
                     | full      | large    | no              | yes                 | open                           | AY15 [10]                      | open
(Bounded) ABE-MSP    | selective | large    | no              | yes                 | sub                            | sub                            | sub
                     | full      | small    | no              | no                  | LOS+10 [34], A14 [3], W14 [47] | LOS+10 [34], A14 [3], W14 [47] | AY15 [10]
                     | full      | large    | no              | no                  | A14 [3]                        | A14 [3]                        | AY15 [10]
ABE-RL               | selective | small    | -               | -                   | sub                            | sub                            | sub
                     | full      | large    | -               | -                   | A14 [3]                        | A14 [3]                        | AY15 [10]

Acronym: “ABE-PDS” = ABE for policy over doubly-spatial relations, “ABE-MSP” = ABE for monotone 
span programs, “ABE-RL” = ABE for regular languages, “ABE-BP” = ABE for branching programs. 
“KP” = key-policy. “CP” = ciphertext-policy. “DP” = dual-policy, “sub” = subsumed (no previous 
work but is subsumed by another system with stronger properties such as full security or prime-order), 
“open” = was open problem (before our work and subsequent work that uses ours). “-” = undefined. 
“Unbounded input” = unbounded size of attribute set size per ciphertext in KP-ABE-MSP, attribute 
set size per key in CP-ABE-MSP, and input string in ABE-BP. “Unbounded Multi-use” = unbounded 
multi-use of attributes in a policy in ABE-MSP, and in a branching program in ABE-BP. “semi” = 
semi- adaptive security. 


- KP-ABE for monotone span programs with constant-size ciphertexts, 

- CP- ABE for monotone span programs with constant-size keys, 

- Completely unbounded KP-ABE and CP- ABE for monotone span programs. 

The assumptions for the respective encodings are the same as those in [3] (albeit 
with a minor syntactic change to prime-order groups); some are parameterized 
assumptions (often called q-type), as in [3]. Moreover, via the dual-policy 
conversion of [10], we also obtain their respective dual-policy variants. 

We give their detailed comparisons in Tables 5 and 6 in Sect. 7. Here, for a high-level 
overview, we position our instantiations in Table 2, which shows prime-order 
schemes by their properties. In Table 2, our instantiations that are the first such 
schemes for given predicates and properties are specified by New. Our new 
instantiations that are not the first of a kind are specified by New'. Table 1 
provides composite-order schemes for comparison. 
Table 2. Prime-order ABE schemes, positioned by properties 

| Predicate            | Security  | Universe | Unbounded input | Unbounded multi-use | KP                    | CP                   | DP       |
|----------------------|-----------|----------|-----------------|---------------------|-----------------------|----------------------|----------|
| ABE-PDS              | full      | -        | -               | -                   | New_1                 | New_2                | New_3    |
| Unbounded ABE-MSP    | selective | large    | yes             | yes                 | RW13 [40]             | RW13 [40]            | sub      |
|                      | full      | small    | yes             | yes                 | sub                   | LW12 [33]            | sub      |
|                      | full      | large    | yes             | no                  | OT12 [38]             | OT12 [38]            | sub      |
|                      | full      | large    | yes             | yes                 | New_4                 | New_5                | New_6    |
| Short-Cipher ABE-MSP | selective | large    | no              | yes                 | ALP11 [9]             | sub                  | sub      |
|                      | semi      | large    | no              | yes                 | CW14, T14 [17,43]     | AC16 [2]             | sub      |
|                      | full      | large    | no              | yes                 | New_7                 | AHY15 [7]*           | Newer_28 |
| Short-Key ABE-MSP    | selective | large    | no              | yes                 | BGG+14 [12]†          | sub                  | sub      |
|                      | full      | large    | no              | yes                 | AHY15 [7]*            | New_8                | Newer_29 |
| (Bounded) ABE-MSP    | selective | large    | no              | yes                 | GPSW06 [22]           | W11 [44]             | AI09 [8] |
|                      | full      | small    | no              | no                  | CGW15 [15], New_9     | CGW15 [15], New'_10  | New_11   |
|                      | full      | large    | no              | no                  | OT10 [37], New'_12    | OT10 [37], New'_13   | New_14   |
| ABE-RL               | selective | small    | -               | -                   | W12 [46]              | sub                  | sub      |
|                      | full      | large    | -               | -                   | New_15                | New_16               | New_17   |
| Unbounded ABE-BP     | full      | -        | yes             | yes                 | New_18                | New_19               | New_20   |
| Short-Cipher ABE-BP  | full      | -        | no              | yes                 | New_21                | Newer_27             | Newer_30 |
| Short-Key ABE-BP     | selective | -        | no              | yes                 | GV15 [21]†            | sub                  | sub      |
|                      | full      | -        | no              | yes                 | Newer_26              | New_22               | Newer_31 |
| (Bounded) ABE-BP     | selective | -        | no              | yes                 | GVW13 [20]†           | sub                  | sub      |
|                      | full      | -        | no              | no                  | CGW15 [15], New'_23   | CGW15 [15], New_24   | New_25   |

Acronym: “New_i” = new instantiations from our framework that are the first such schemes for given 
predicates and properties. The subscript i is the scheme numbering. “Newer_i” = newer instantiations 
(that are the first of a kind) obtained here using a subsequent work to our work, namely [7]. “New'” = 
new instantiations but not the first of a kind. † refers to a solution based on LWE. * refers to subsequent 
work that essentially uses our work as their building block. Also refer to the acronym of Table 1. 


First Realizations. We also obtain the first-ever realizations of ABE for some 
predicates, namely, 

- Unbounded KP-ABE and CP-ABE for branching programs (BP), 

- KP-ABE for branching programs with constant-size ciphertexts, 

- CP-ABE for branching programs with constant-size keys. 

Unbounded ABE-BP refers to a system that allows an encryptor to associate 
a ciphertext with an input string of any length (in the case of KP). All of 
our above ABE-BP schemes are the first such schemes for their respective variants 
even among composite-order or selectively secure schemes. Compared to the 
previous schemes, the KP-ABE-BP of [14,19,25] are of bounded type and require 
linear-size ciphertexts and keys³, while the (selective) KP-ABE-BP of [20] achieves 
short keys. We obtain our above ABE-BP schemes by invoking the theorem 
stating a generic implication from ABE for monotone span programs (MSP) to 
ABE-BP (see Remark 6 for further discussion on this theorem). 

Update after Subsequent Work. Subsequent to our work, Attrapadung 
et al. [7] present various conversions for ABE. By applying their conversions 
to some of our instantiations, they obtain CP-ABE with short ciphertexts and 
KP-ABE with short keys for (non-)monotone span programs. Now, by applying 
the ABE-MSP-to-ABE-BP conversion back to their instantiations, we obtain 
further (fully secure) schemes not explicitly achievable before, namely: 

- KP-ABE for branching programs with constant-size keys, 

- CP-ABE for branching programs with constant-size ciphertexts. 

Moreover, we can combine KP-ABE and CP-ABE both with short keys into DP-ABE 
with short keys. The same goes for short ciphertexts. We mark the schemes 
after this update as Newer_i in Table 2. Interestingly, all of our results complete 
the whole Table 2, which had otherwise been filled with open problems before. 


1.3 Our Techniques 

Due to the lack of space, we defer a more detailed discussion on our techniques 
to the full version [4]. We provide only a summary here. 

Background on [3]. We first briefly review the framework of [3]. In the generic 
construction of [3], a ciphertext CT encrypting M, and a key SK take the forms: 

$$\mathrm{CT} = (C, C_0) = \left(g_1^{\mathbf{c}(\mathbf{s},\mathbf{h})},\; M \cdot e(g_1,g_2)^{\alpha s_0}\right), \qquad \mathrm{SK} = g_2^{\mathbf{k}(\alpha,\mathbf{r},\mathbf{h})}$$

where $\mathbf{c}$ and $\mathbf{k}$ are encodings of attributes $Y$ and $X$ associated to a ciphertext and 
a key, respectively. Here, $g_1, g_2$ are generators of subgroups of order $p_1$ of $G_1, G_2$, 
which are asymmetric bilinear groups of composite order $N = p_1 p_2 p_3$ with bilinear 
map $e : G_1 \times G_2 \to G_T$. The bold fonts denote vectors. Intuitively, $\alpha$ plays 
the role of a master key, $\mathbf{h}$ represents common variables (also called parameters). 
These define a public key $\mathrm{PK} = (g_1^{\mathbf{h}}, e(g_1,g_2)^{\alpha})$. $\mathbf{s}, \mathbf{r}$ represent randomness in 
the ciphertext and the key, respectively, with $s_0$ being the first element in $\mathbf{s}$. The 
pair $(\mathbf{c}, \mathbf{k})$ forms a pair encoding scheme for predicate $R$. Informally, the main 
theorem of [3] states that if the pair encoding is secure and subgroup decision 
assumptions hold, then the ABE scheme (with CT, SK as above) is fully secure. 

Our Approach. Towards translating to a new prime-order based framework, 
we identify a set of features consisting of element representations , procedures , 
properties , and assumptions that are required by the framework of [3]. We list 
up the first three categories in Sect. 4. 


³ Note that we consider only Boolean branching programs here as in [19], in contrast 
with [14,25], where arithmetic branching programs are also considered. 
As for assumptions, our goal is to use the security definition of pair encoding 
“as is”, since this will allow us to instantly instantiate the encoding schemes 
already proposed and proved secure in [3]. If we can leave encoding “as is”, we 
will only have to replace subgroup decision assumptions provided by composite- 
order groups with some mechanisms from prime-order groups that mimic them. 

Candidate Techniques. There are two candidate tools for simulating subgroup 
decision in prime-order groups: Dual Pairing Vector Space (DPVS) [28,35,36] 
and Prime-order Dual System Group (PDSG) [15]. We argue (in the full ver- 
sion [4]) that DPVS would require modifying one of the encodings (in the pair 
encoding) to an “orthogonal form” in order to enable inner-product spaces, which 
seems essential in this approach. This, however, would violate our goal to use 
encoding “as is”. We thus turn to the other tool: PDSG. Although PDSG 
was devised for specific predicates such as HIBE in the first place [15], it seems 
compatible with the pair encoding syntax in terms of element representations since, 
roughly speaking, it provides a one-to-one translation of elements. (This itself is, 
however, only implicit in [15].) Intuitively, each $\mathbb{Z}_N$ element in $\mathbf{s}, \mathbf{r}, \mathbf{h}$ is mapped to 
elements of vector spaces over $\mathbb{Z}_p$ (such as vectors or matrices), and subgroup 
assumptions are emulated by some subspace assumptions. 

Difficulties and Our Solutions. We argue that the out-of-the-box formulation 
of PDSG [15] is, however, not sufficient for applying to the framework of [3], 
mainly due to the following four issues. 

First, out-of-the-box PDSG does not allow a direct exponentiation procedure 
that is required by [3], such as g^. This is because translated elements involve 
matrices, of which multiplication is not commutative. We solve this by properly 
re-ordering translated elements in multiplicative terms in encoding, and enabling 
exponentiation via left multiplication of matrices (in exponents). See Sect. 4. 

Second, and more importantly, subgroup decision-like assumptions provided 
by PDSG would guarantee indistinguishability only for elements that have one 
element of randomness in the encoding. On the other hand, pair encodings in 
the framework of [3] are formulated to deal with an arbitrary number of randomness 
elements, that is, $\mathbf{s}, \mathbf{r}$ can be of any length. We solve this by introducing a new 
technique that uses random self-reducibility of the Matrix-DH assumption. We 
also note that this technique becomes possible only after our re-formulation, 
designed for solving the first issue. We depict this in the proof of Lemma 2 in 
Sect. 6. 

Third, the syntax of pair encodings [3] allows multiplication such as 
(and implicitly uses commutativity: $h_k h_{k'} = h_{k'} h_k$), when encodings are paired. 
However, these elements would translate to matrices, which do not commute. We 
solve this by restricting the syntax of pair encodings so that such multiplication 
is not allowed (and using only the associativity property [15]). It turns out, 
however, that all available pair encodings still satisfy this new restriction; hence, 
our new framework applies to them. We define this as Rule 1 of regularity in 
Sect. 3.1. 

The fourth issue is perhaps the most important since it is unique to our 
new framework. In order to achieve our goal of using computational security of 
encodings “as is”, we need to establish a reduction from the new “matrix-form” of 
encodings, exponentiated over prime-order group elements, to the original encod- 
ings, in the security proof. This was not a problem in the original composite-order 
framework of [3] since the original hybrid proof uses exactly the same form of 
original encodings. Also, it was not a problem for (prime-order) frameworks using 
information-theoretic encodings [2,14] since, intuitively, information-theoretic 
properties are preserved regardless of whether their elements are in the expo- 
nents. We resolve this issue, for the case of computational encodings, by identi- 
fying which terms will be needed in the aforementioned reduction and enforcing 
them to be given out explicitly in encodings by definition. We define this as 
Rules 2-4 of regularity in Sect. 3.1. We provide more intuition on this at the end 
of Sect. 4. 

Table 3. High-level conceptual comparison among generic dual-system frameworks 

| Framework  | Settings         | Applicable encodings           | Restrictions on encodings | Additional features      |
|------------|------------------|--------------------------------|---------------------------|--------------------------|
| W14 [46]   | Composite        | Info.-theoretic                | -                         | -                        |
| A14 [3]    | Composite        | Info.-theoretic, computational | -                         | Tighter reduction        |
| CGW15 [14] | Composite, prime | Info.-theoretic                | One unit of randomness    | Weak attribute-hiding    |
| AC16 [2]   | Composite, prime | Info.-theoretic                | Rule 1 of our Regularity  | Relaxed perfect security |
| This work  | Prime            | Info.-theoretic, computational | Regularity                | Tighter reduction        |


1.4 Independent Works and Their Comparisons 

Independently, Chen et al. [14] recently proposed a generic dual-system frame- 
work in prime-order groups. The main difference is that our framework can 
deal with computationally secure encodings, while theirs can deal only with 
information-theoretic ones. As motivated in [3], computational approaches 
have an advantage in that they are applicable to ABE for predicates where 
an information-theoretic argument seems insufficient. These include ABE 
with some unbounded properties, or constant-size ciphertexts (or keys). We com- 
pare some instantiations of [14] that are relevant to ours in Table 2. Another 
difference is that the syntax of encoding in [14] seems more restricted in the 
sense that it can deal with only one element of randomness, while our syntax 
can deal with arbitrarily many elements. On one hand, one unit of randomness 
is shown to suffice for all known information-theoretic encodings in [14]. On the 
other hand, multi-unit randomness seems essential in more esoteric predicates 
such as ABE for regular languages (for which information-theoretic encodings 
are not known). An extension with the weak attribute-hiding property is also given 
in [14] (although currently applicable to small predicate classes such as HIBE, 
inner-product). Moreover, a simpler basis of PDSG is proposed in [14]. Although 
our main construction is based upon the original basis of [15], it is possible to 
use the simplified basis by [14]. We provide this simplification in Sect. 8. 

In another concurrent⁴ and independent work, Agrawal and Chase [2] also 
presented a prime-order dual system framework. As in [14], their work considers 
only information-theoretic encodings, albeit with a useful extension that allows 
one to relax perfect encodings, which yields CP-ABE with short ciphertexts. 

In the conceptual view, both frameworks [2,14] unify both composite-order 
and prime-order groups into one generic construction. Contrastingly, we focus 
solely on the prime-order generic construction.⁵ We compare them in Table 3. A 
feature of our framework, inherited from [3], is that it enjoys a tighter reduction, 
of which the cost does not depend on the number of post-challenge queries. 

Some technical difficulties we pointed out in Sect. 1.3 have been addressed 
in these frameworks [2,14]. For instance, the loss of commutativity is coped with by 
restricting encodings (differently in [14], but similarly in [2]). Also, random 
self-reducibility is implicitly utilized in [2]. On the other hand, the technique that 
is unique to ours is our solution for accommodating computational encodings. 

We comment that although computational encodings enjoy much wider appli- 
cations than information-theoretic ones, they come with a drawback that some 
encodings, especially for esoteric predicates, often use parameterized (q-type) 
assumptions. Some plausible future research directions to reduce them to sim- 
pler assumptions may include extending the recent Déjà Q method [13,47], or 
relaxing encodings analogously to [2], but in computational settings. 

Some recent subsequent works that use some of our instantiations include 
ABE with parameter tradeoffs [5] and ABE for range attributes [6]. 

2 Preliminaries 

2.1 Definitions of Attribute Based Encryption 

Predicate Family. We consider a predicate family $R = \{R_\kappa\}_{\kappa \in \mathbb{N}^c}$, for some 
constant $c \in \mathbb{N}$, where a relation $R_\kappa : \mathbb{X}_\kappa \times \mathbb{Y}_\kappa \to \{0,1\}$ is a predicate function 
that maps a pair of a key attribute in a space $\mathbb{X}_\kappa$ and a ciphertext attribute in a 
space $\mathbb{Y}_\kappa$ to $\{0,1\}$. The family index $\kappa = (n_1, n_2, \ldots)$ specifies the description of 
a predicate from the family. We will often neglect $\kappa$ for simplicity of exposition. 

Attribute Based Encryption Syntax. An ABE scheme for predicate family 
$R$ consists of the following algorithms. Let $\mathbb{M}$ be the message space. 

• $\mathrm{Setup}(1^\lambda, \kappa) \to (\mathrm{PK}, \mathrm{MSK})$: takes as input a security parameter $1^\lambda$ and a 
family index $\kappa$ of predicate family $R$, and outputs a master public key PK 
and a master secret key MSK. 

• $\mathrm{Encrypt}(Y, M, \mathrm{PK}) \to \mathrm{CT}$: takes as input a ciphertext attribute $Y \in \mathbb{Y}_\kappa$, a 
message $M \in \mathbb{M}$, and public key PK. It outputs a ciphertext CT. 

• $\mathrm{KeyGen}(X, \mathrm{MSK}, \mathrm{PK}) \to \mathrm{SK}$: takes as input a key attribute $X \in \mathbb{X}_\kappa$ and the 
master key MSK. It outputs a secret key SK. 

• $\mathrm{Decrypt}(\mathrm{CT}, \mathrm{SK}) \to M$: given a ciphertext CT with its attribute $Y$ and the 
decryption key SK with its attribute $X$, it outputs a message $M$ or $\bot$. 

Correctness. Consider all indexes $\kappa$, all $M \in \mathbb{M}$, $X \in \mathbb{X}_\kappa$, $Y \in \mathbb{Y}_\kappa$ such that 
$R_\kappa(X,Y) = 1$. If $\mathrm{Encrypt}(Y, M, \mathrm{PK}) \to \mathrm{CT}$ and $\mathrm{KeyGen}(X, \mathrm{MSK}, \mathrm{PK}) \to \mathrm{SK}$ 
where $(\mathrm{PK}, \mathrm{MSK})$ is generated from $\mathrm{Setup}(1^\lambda, \kappa)$, then $\mathrm{Decrypt}(\mathrm{CT}, \mathrm{SK}) \to M$. 

We use the standard security definition for ABE and refer to the full ver- 
sion [4]. 

⁴ A preliminary version of our full version [4] has been made available before that 
of [2]. 

⁵ Nevertheless, since we use the same notion of pair encoding as in the composite- 
order framework of [3], it can be said that our framework together with [3] provide 
a unified framework albeit with two generic constructions. 


2.2 Bilinear Groups, Notations, and Assumptions 

In our framework, for maximum generality and clarity, we consider asymmetric 
bilinear groups $(G_1, G_2, G_T)$ of prime order $p$, with an efficiently computable 
bilinear map $e : G_1 \times G_2 \to G_T$. The symmetric version of our framework can be 
obtained by just setting $G_1 = G_2$. We define a bilinear group generator $\mathcal{S}(\lambda)$ that 
takes as input a security parameter $\lambda$ and outputs $(G_1, G_2, G_T, e, p)$. We recall 
that $e$ has the bilinear property: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for any $g_1 \in G_1$, $g_2 \in G_2$, 
$a, b \in \mathbb{Z}$ and the non-degeneration property: $e(g_1, g_2) \neq 1_{G_T}$ whenever $g_1 \neq 
1_{G_1}$, $g_2 \neq 1_{G_2}$. 

Notation for Matrix in the Exponents. Vectors will be treated as either 
row or column matrices. When unspecified, we shall let it be a row vector. Let 
$G$ be a group. Let $\mathbf{a} = (a_1, \ldots, a_n)$ and $\mathbf{b} = (b_1, \ldots, b_n) \in G^n$. We denote 
$\mathbf{a} \cdot \mathbf{b} = (a_1 \cdot b_1, \ldots, a_n \cdot b_n)$, where $\cdot$ is the group operation of $G$. For $g \in G$ 
and $\mathbf{c} = (c_1, \ldots, c_n) \in \mathbb{Z}^n$, we denote $g^{\mathbf{c}} = (g^{c_1}, \ldots, g^{c_n})$. We denote by $\mathrm{GL}_{p,n}$ 
the group of invertible matrices (the general linear group) in $\mathbb{Z}_p^{n \times n}$. Consider 
$M \in \mathbb{Z}_p^{d \times n}$ (the set of all $d \times n$ matrices in $\mathbb{Z}_p$). We denote the transpose of $M$ 
as $M^\top$. Denote $M^{-\top} = (M^\top)^{-1}$. Denote by $g^M$ the matrix in $G^{d \times n}$ of which 
its $(i,j)$ entry is $g^{M_{i,j}}$, where $M_{i,j}$ is the $(i,j)$ entry of $M$. For $Q \in \mathbb{Z}_p^{\ell \times d}$, we 
denote $(g^Q)^M = g^{QM}$. Note that from $M$ and $g^Q \in G^{\ell \times d}$, we can compute 
$g^{QM}$ without knowing $Q$, since its $(i,j)$ entry is $\prod_{k=1}^{d} (g^{Q_{i,k}})^{M_{k,j}}$. The same 
can be said about $g^M$ and $Q$. For $X \in \mathbb{Z}_p^{d \times c_1}$ and $Y \in \mathbb{Z}_p^{d \times c_2}$, denote its pairing 
as: 

$$e(g_1^{X}, g_2^{Y}) = e(g_1, g_2)^{Y^\top X} \in G_T^{c_2 \times c_1}.$$

Projection Maps. $\binom{I}{0}$ denotes the $(d+1) \times d$ matrix where the first $d$ rows 
comprise the identity matrix while the last row is zero. It functions as a left- 
projection map. That is, $X \binom{I}{0} \in \mathbb{Z}_p^{(d+1) \times d}$ is the matrix consisting of all left $d$ 
columns of $X$ for any $X \in \mathbb{Z}_p^{(d+1) \times (d+1)}$. Similarly, $\binom{0}{1}$ is the $(d+1) \times 1$ matrix 
where the last row is 1 (and all other rows are zero); it functions as a right-projection map. 
Matrix-DH Assumptions [17]. We call $\mathcal{D}_d$ a matrix distribution if it outputs 
(in poly time, with overwhelming probability) matrices in $\mathbb{Z}_p^{(d+1) \times d}$ of the 
form: 

$$T = \binom{M}{c} \qquad (1)$$

such that $M$ is an invertible matrix in $\mathbb{Z}_p^{d \times d}$ (i.e., $M \in \mathrm{GL}_{p,d}$) and $c \in \mathbb{Z}_p^{1 \times d}$. 
We say that the $\mathcal{D}_d$-Matrix Diffie-Hellman Assumption for $\mathcal{S}$ holds in $G_1$ if for 
all ppt adversaries $\mathcal{A}$, the advantage 

$$\mathrm{Adv}_{\mathcal{A}}^{\mathcal{D}_d\text{-MatDH}}(\lambda) := \left| \Pr\!\left[\mathcal{A}(\mathbb{G}, g_1^{T}, g_1^{T y}) = 1\right] - \Pr\!\left[\mathcal{A}(\mathbb{G}, g_1^{T}, g_1^{T y + \binom{0}{\gamma}}) = 1\right] \right| \qquad (2)$$

is negligible in $\lambda$, where the probability is taken over $(G_1, G_2, G_T, e, p) \leftarrow \mathcal{S}(\lambda)$, 
$g_1 \leftarrow G_1$, $g_2 \leftarrow G_2$, $T \leftarrow \mathcal{D}_d$, $y \leftarrow \mathbb{Z}_p^{d \times 1}$, $\gamma \leftarrow \mathbb{Z}_p$, and the randomness of $\mathcal{A}$. 
Denote $\mathbb{G} = (G_1, G_2, G_T, e, p, g_1, g_2)$. 

Remark 1. We remark that the assumption is progressively weaker as $d$ increases. 
In symmetric bilinear groups, we require that $d \geq 2$ (otherwise, it is trivially 
broken [17]), while in asymmetric bilinear groups, we can also choose $d = 1$. The 
most well-known special case of the $\mathcal{D}_d$-Matrix-DH Assumption is the Decision 
$d$-Linear Assumption, for which $M$ is restricted to random diagonal matrices 
and $c$ is fixed as the vector with all 1's. The SXDH assumption is a special case 
of the Matrix-DH when $d = 1$ (hence, it operates in asymmetric bilinear groups). 

Our scheme will use an arbitrary $\mathcal{D}_d$ for maximal generality. One can directly 
trade off the weakness of the assumption against the sizes of ciphertexts and keys by $d$. 


Random Self Reducibility of Matrix-DH Assumptions. The $\mathcal{D}_d$-Matrix- 
DH Assumption is random self reducible, as shown in [17]: the problem 
instance defined by $(T, \binom{y}{\gamma})$ can be randomized to another instance defined 
by $(T, \binom{y'}{\gamma'})$. This is done by choosing $\delta \leftarrow \mathbb{Z}_p^{d \times 1}$, $\delta' \leftarrow \mathbb{Z}_p$ and setting 

$$g_1^{T y' + \binom{0}{\gamma'}} = g_1^{T \delta} \cdot \left( g_1^{T y + \binom{0}{\gamma}} \right)^{\delta'},$$

and observing that $\gamma = 0$ iff $\gamma' = 0$. We can gather each 
new instance $\binom{y'}{\gamma'}$ into columns of a matrix and consider the $m$-fold $\mathcal{D}_d$-Matrix- 
DH Assumption for which the advantage is defined as 

$$\mathrm{Adv}_{\mathcal{A}}^{(m,\mathcal{D}_d)\text{-MatDH}}(\lambda) := \left| \Pr\!\left[\mathcal{A}(\mathbb{G}, g_1^{T}, g_1^{T Y}) = 1\right] - \Pr\!\left[\mathcal{A}(\mathbb{G}, g_1^{T}, g_1^{T Y + \binom{0}{\gamma}}) = 1\right] \right| \qquad (3)$$

where the probability is taken over $(G_1, G_2, G_T, e, p) \leftarrow \mathcal{S}(\lambda)$, $g_1 \leftarrow G_1$, $g_2 \leftarrow G_2$, 
$T \leftarrow \mathcal{D}_d$, $Y \leftarrow \mathbb{Z}_p^{d \times m}$, $\gamma \leftarrow \mathbb{Z}_p^{1 \times m}$, and the randomness of $\mathcal{A}$. Again, we denote 
$\mathbb{G} = (G_1, G_2, G_T, e, p, g_1, g_2)$. Due to the random self-reducibility, the reduction 
to the $m$-fold variant is tight. 

Proposition 1 ([17]). For any integer $m$, for all ppt adversaries $\mathcal{A}$, there exists 
a ppt algorithm $\mathcal{A}'$ such that $\mathrm{Adv}_{\mathcal{A}}^{(m,\mathcal{D}_d)\text{-MatDH}}(\lambda) = \mathrm{Adv}_{\mathcal{A}'}^{\mathcal{D}_d\text{-MatDH}}(\lambda)$. 
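As an added example (it is not code from the paper), the Python script below exercises the matrix-in-the-exponent notation of Sect. 2.2 and the random self-reduction of a $\mathcal{D}_d$-Matrix-DH instance in a constructed toy group: the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ stands in for $G_1$ (no pairing is implemented, and the parameters are far too small for any security). It checks on random input that $(g^Q)^M$, computed entry-wise from $g^Q$ and $M$ alone, equals $g^{QM}$, and that the rerandomized element $g_1^{T\delta} \cdot (g_1^{Ty + \binom{0}{\gamma}})^{\delta'}$ equals a fresh instance with $y' = \delta' y + \delta$ and $\gamma' = \delta' \gamma$, so that $\gamma = 0$ iff $\gamma' = 0$.

```python
"""Added example (not from the paper): toy arithmetic for the
"matrix in the exponent" notation of Sect. 2.2 and for the random
self-reducibility of the D_d-Matrix-DH instance.  The group is a
constructed toy: the order-P subgroup of Z_Q^* with Q = 2P + 1; it
stands in for G_1 and is NOT a secure pairing group."""
import random

P = 1019          # prime group order (constructed toy parameter)
Q = 2 * P + 1     # 2039, also prime, so Z_Q^* has a subgroup of order P
G = 4             # 4 = 2^2 is a quadratic residue, hence generates that subgroup


def g_exp(matrix):
    """g^M: exponentiate the generator entry-wise, M over Z_P."""
    return [[pow(G, x % P, Q) for x in row] for row in matrix]


def mat_mul(a, b):
    """Ordinary matrix product over Z_P."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % P
             for j in range(len(b[0]))] for i in range(len(a))]


def exp_mat_mul(g_q, m):
    """(g^Q)^M computed from g^Q and M only: entry (i,j) is
    prod_k (g^{Q_{i,k}})^{M_{k,j}}, exactly as in Sect. 2.2."""
    rows, inner, cols = len(g_q), len(m), len(m[0])
    out = []
    for i in range(rows):
        row = []
        for j in range(cols):
            acc = 1
            for k in range(inner):
                acc = acc * pow(g_q[i][k], m[k][j] % P, Q) % Q
            row.append(acc)
        out.append(row)
    return out


def check_exp_matrix_mult(seed=1, l=2, d=2, n=3):
    """(g^Q)^M must equal g^{QM} for random Q in Z_P^{l x d}, M in Z_P^{d x n}."""
    rng = random.Random(seed)
    q_mat = [[rng.randrange(P) for _ in range(d)] for _ in range(l)]
    m_mat = [[rng.randrange(P) for _ in range(n)] for _ in range(d)]
    return exp_mat_mul(g_exp(q_mat), m_mat) == g_exp(mat_mul(q_mat, m_mat))


def det_mod(m):
    """Determinant over Z_P by Gaussian elimination (tests invertibility)."""
    a = [row[:] for row in m]
    n, det = len(a), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % P), None)
        if piv is None:
            return 0
        if piv != col:
            a[col], a[piv] = a[piv], a[col]
            det = -det
        det = det * a[col][col] % P
        inv = pow(a[col][col], P - 2, P)
        for r in range(col + 1, n):
            f = a[r][col] * inv % P
            a[r] = [(x - f * y) % P for x, y in zip(a[r], a[col])]
    return det % P


def sample_dd(rng, d):
    """D_d: T = (M; c) in Z_P^{(d+1) x d} with M invertible and c a row vector."""
    while True:
        m = [[rng.randrange(P) for _ in range(d)] for _ in range(d)]
        if det_mod(m):
            break
    c = [rng.randrange(P) for _ in range(d)]
    return m + [c]


def instance(t, y, gamma):
    """g^{T y + (0; gamma)}: only the last coordinate is shifted by gamma."""
    u = [row[0] for row in mat_mul(t, [[v] for v in y])]
    u[-1] = (u[-1] + gamma) % P
    return g_exp([[v] for v in u])


def rerandomize(g_t, g_u, delta, delta_p):
    """Random self-reduction using g^T and g^u only: g^{T delta} * (g^u)^{delta'}."""
    g_t_delta = exp_mat_mul(g_t, [[x] for x in delta])
    return [[g_t_delta[i][0] * pow(g_u[i][0], delta_p, Q) % Q]
            for i in range(len(g_u))]


def check_rerandomization(seed=7, d=2, gamma=None):
    """The rerandomized element equals the fresh instance with
    y' = delta' y + delta and gamma' = delta' gamma, so gamma = 0 iff gamma' = 0."""
    rng = random.Random(seed)
    t = sample_dd(rng, d)
    y = [rng.randrange(P) for _ in range(d)]
    if gamma is None:
        gamma = rng.randrange(1, P)
    delta = [rng.randrange(P) for _ in range(d)]
    delta_p = rng.randrange(1, P)
    got = rerandomize(g_exp(t), instance(t, y, gamma), delta, delta_p)
    y_new = [(delta_p * yi + di) % P for yi, di in zip(y, delta)]
    gamma_new = delta_p * gamma % P
    return got == instance(t, y_new, gamma_new) and (gamma == 0) == (gamma_new == 0)
```

The rerandomizer never sees $y$ or $\gamma$; it only multiplies and exponentiates the given group elements, which is what makes Proposition 1 a tight reduction: each of the $m$ columns of an $m$-fold instance can be manufactured from a single instance this way.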

3 Definition of Pair Encoding 

We recall the definition of pair encoding schemes as given in [3]. A pair encoding 
scheme for predicate family $R$ consists of four deterministic algorithms given by 
$P = (\mathrm{Param}, \mathrm{Enc1}, \mathrm{Enc2}, \mathrm{Pair})$ as follows: 

• $\mathrm{Param}(\kappa) \to n$. It takes as input an index $\kappa$ and outputs an integer $n$, which 
specifies the number of common variables in Enc1, Enc2. For the default 
notation, let $\mathbf{h} = (h_1, \ldots, h_n)$ denote the list of common variables. 

• $\mathrm{Enc1}(X) \to (\mathbf{k} = (k_1, \ldots, k_{m_1});\, m_2)$. It takes as input $X \in \mathbb{X}_\kappa$, and 
outputs a sequence of polynomials $\{k_i\}_{i \in [1,m_1]}$ with coefficients in $\mathbb{Z}_p$, and 
$m_2 \in \mathbb{N}$. We require that each polynomial $k_i$ is a linear combination of 
monomials $\alpha, r_j, h_k r_j$, where $\alpha, r_1, \ldots, r_{m_2}, h_1, \ldots, h_n$ are variables. More 
precisely, it outputs a set of coefficients $\{b_i\}_{i \in [1,m_1]}$, $\{b_{i,j}\}_{i \in [1,m_1], j \in [1,m_2]}$, 
$\{b_{i,j,k}\}_{i \in [1,m_1], j \in [1,m_2], k \in [1,n]}$ that defines the following sequence of polyno- 
mials, where we denote $\mathbf{r} = (r_1, \ldots, r_{m_2})$: 

$$\mathbf{k}(\alpha, \mathbf{r}, \mathbf{h}) = \left( b_i \alpha + \sum_{j \in [1,m_2]} b_{i,j}\, r_j + \sum_{\substack{j \in [1,m_2] \\ k \in [1,n]}} b_{i,j,k}\, r_j h_k \right)_{i \in [1,m_1]} \qquad (4)$$

• $\mathrm{Enc2}(Y) \to (\mathbf{c} = (c_1, \ldots, c_{w_1});\, w_2)$. It takes as input $Y \in \mathbb{Y}_\kappa$, and outputs a 
sequence of polynomials $\{c_i\}_{i \in [1,w_1]}$ with coefficients in $\mathbb{Z}_p$, and $w_2 \in \mathbb{N}$. We 
require that each polynomial $c_i$ is a linear combination of monomials $s_j, h_k s_j$, 
where $s_0, s_1, \ldots, s_{w_2}, h_1, \ldots, h_n$ are variables. Denote $\mathbf{s} = (s_0, s_1, \ldots, s_{w_2})$. 
Indeed, it outputs $\{a_{i,j}\}_{i \in [1,w_1], j \in [0,w_2]}$, $\{a_{i,j,k}\}_{i \in [1,w_1], j \in [0,w_2], k \in [1,n]}$ which is 
a set of coefficients that defines the following sequence of polynomials: 

$$\mathbf{c}(\mathbf{s}, \mathbf{h}) = \left( \sum_{j \in [0,w_2]} a_{i,j}\, s_j + \sum_{\substack{j \in [0,w_2] \\ k \in [1,n]}} a_{i,j,k}\, s_j h_k \right)_{i \in [1,w_1]} \qquad (5)$$

• $\mathrm{Pair}(X, Y) \to E$. It takes as inputs $X, Y$, and outputs $E \in \mathbb{Z}_p^{m_1 \times w_1}$. 

Correctness. The correctness requirement is defined as follows. Let $(\mathbf{k}; m_2) \leftarrow 
\mathrm{Enc1}(X)$, $(\mathbf{c}; w_2) \leftarrow \mathrm{Enc2}(Y)$, and $E \leftarrow \mathrm{Pair}(X, Y)$. We have that if $R(X,Y) = 1$, 
then $\mathbf{k} E \mathbf{c}^\top = \alpha s_0$, where the equality holds symbolically. 

Note that since $\mathbf{k} E \mathbf{c}^\top = \sum_{i \in [1,m_1],\, j \in [1,w_1]} E_{i,j}\, k_i c_j$, the correctness amounts 
to checking if there is a linear combination of $k_i c_j$ terms summing up to $\alpha s_0$. 
3.1 Regular Pair Encoding 

Towards proving the security of our framework in prime-order groups, we require 
new properties for pair encoding. We formalize them as regularity. This would 
generally confine the class of encoding schemes that the new framework can deal 
with compared to the previous framework by [3]. Nonetheless, the confinement seems 
natural since all the pair encoding schemes proposed so far [3,10,46] turn out to 
be regular, and hence are not affected. Below, we use the notation $[m] = \{1, \ldots, m\}$. 

Definition 1 (Regular Pair Encoding). We call a pair encoding regular if 
the following hold: 

1. For all $(i, i') \in [m_1] \times [w_1]$ such that there is $(j, k, j', k') \in [m_2] \times [n] \times [w_2] \times [n]$ 
where $b_{i,j,k} \neq 0$ and $a_{i',j',k'} \neq 0$, we require that $E_{i,i'} = 0$. 

2. If $r_j \notin \mathbf{k}$,⁶ then $b_{i,j,k} = 0$ for all $i \in [m_1]$, $k \in [n]$. 

3. If $s_j \notin \mathbf{c}$,⁶ then $a_{i,j,k} = 0$ for all $i \in [w_1]$, $k \in [n]$. 

4. $s_0 \in \mathbf{c}$. Wlog,  we always let $\mathbf{c} = (s_0, \ldots)$; that is, $s_0$ is the first entry of $\mathbf{c}$. 

Explaining the Definition. The first restriction basically states that the mul- 
tiplication of $(h_k r_j)$ and $(h_{k'} s_{j'})$ will not be allowed when pairing. The reason 
to do so is that the parameters $h_k, h_{k'}$ will be translated to matrices, and 
matrix multiplication does not commute; hence, the multiplication procedure 
would not be mimicked correctly (from the composite-order setting) if it were 
to be allowed (see Eq. (9)). This restriction is quite natural since the product 
$r_j h_k h_{k'} s_{j'}$ can be implemented by grouping $h_{k''} = h_k h_{k'}$ and just using asso- 
ciativity $(r_j h_{k''}) s_{j'} = r_j (h_{k''} s_{j'})$ instead; therefore, the multiplication of $(h_k r_j)$ 
and $(h_{k'} s_{j'})$ will not be needed in the first place. 

The second restriction basically states that a term $h_k r_j$ is allowed in the 
key encoding only if $r_j$ is given out explicitly in the key encoding. The third is 
similar but for the ciphertext encoding. 

These restrictions are also natural since, intuitively, to cancel out $h_k r_j$ (so 
that the bilinear combination would give only the term $\alpha s_0$ and no others), one 
would need $r_j$ to multiply with, say, $h_k s_{j'}$ (since we cannot do the multiplication 
concerning two parameters, as depicted above). The meaning of the fourth is 
clear: $s_0$ must be given out in the encoding. 

These latter three restrictions will be used for the security proofs in hybrid 
games that are based on the security of encodings. We explain the intuition why 
we require them at the end of Sect. 4. 
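Both the syntax of Sect. 3 (Enc1, Enc2, Pair and the correctness condition $\mathbf{k} E \mathbf{c}^\top = \alpha s_0$) and the four rules of Definition 1 can be checked mechanically. As an added example that is not part of the paper, the Python script below implements the pair-encoding syntax with a minimal symbolic polynomial type and runs it on a constructed pair encoding for the equality predicate $R(X,Y) = [X = Y]$ over $\mathbb{Z}_p$ (an IBE-style encoding chosen for illustration here, not one quoted from [3]): $\mathbf{k} = (\alpha + r_1(h_1 + X h_2),\ r_1)$, $\mathbf{c} = (s_0,\ s_0(h_1 + Y h_2))$ and $E = \mathrm{diag}(1, -1)$. It verifies correctness symbolically when $X = Y$, exposes the leftover $(X - Y)\, r_1 h_2 s_0$ term when $X \neq Y$, and checks Rules 1 to 4.

```python
"""Added example (not from the paper): a tiny symbolic checker for the
pair-encoding syntax of Sect. 3 and the regularity rules of Sect. 3.1,
run on a constructed IBE-style encoding of R(X, Y) = [X == Y] over Z_P."""
from collections import defaultdict

P = 1019  # constructed toy modulus for the coefficient field Z_p


class Poly:
    """Polynomial over Z_P: sorted tuple of variable names -> coefficient."""

    def __init__(self, terms=None):
        self.terms = {}
        for mono, coef in (terms or {}).items():
            if coef % P:
                self.terms[tuple(sorted(mono))] = coef % P

    @staticmethod
    def var(name):
        return Poly({(name,): 1})

    def __add__(self, other):
        acc = defaultdict(int)
        for poly in (self, other):
            for mono, coef in poly.terms.items():
                acc[mono] += coef
        return Poly(acc)

    def __mul__(self, other):
        acc = defaultdict(int)
        for m1, c1 in self.terms.items():
            for m2, c2 in other.terms.items():
                acc[tuple(sorted(m1 + m2))] += c1 * c2
        return Poly(acc)

    def scale(self, c):
        return Poly({m: c * v for m, v in self.terms.items()})

    def __eq__(self, other):
        return self.terms == other.terms

    def monomials(self):
        return set(self.terms)

    def is_var(self, name):
        # true iff the polynomial is exactly the single variable `name`
        return self.terms == {(name,): 1}


alpha, r1, s0 = Poly.var("alpha"), Poly.var("r1"), Poly.var("s0")
h1, h2 = Poly.var("h1"), Poly.var("h2")


def enc1(X):
    """Enc1(X) -> k = (alpha + r1*(h1 + X*h2), r1); m2 = 1 (constructed)."""
    return [alpha + r1 * (h1 + h2.scale(X)), r1]


def enc2(Y):
    """Enc2(Y) -> c = (s0, s0*(h1 + Y*h2)); w2 = 0, so s0 is the first entry."""
    return [s0, s0 * (h1 + h2.scale(Y))]


def pair(X, Y):
    """Pair(X, Y) -> E in Z_P^{2 x 2} selecting k_1*c_1 - k_2*c_2."""
    return [[1, 0], [0, P - 1]]


def combine(k, E, c):
    """Symbolic k E c^T = sum_{i,j} E_{i,j} k_i c_j."""
    total = Poly()
    for i, ki in enumerate(k):
        for j, cj in enumerate(c):
            if E[i][j]:
                total = total + (ki * cj).scale(E[i][j])
    return total


def is_correct(X, Y):
    """Correctness: the combination is symbolically alpha*s0 (iff X == Y here)."""
    return combine(enc1(X), pair(X, Y), enc2(Y)) == alpha * s0


def _has_param_product(poly, rand_prefix):
    # does the polynomial contain a monomial h_k * (r_j or s_j)?
    return any(len(m) == 2 and any(v.startswith("h") for v in m)
               and any(v.startswith(rand_prefix) for v in m)
               for m in poly.monomials())


def is_regular(X, Y):
    """The four rules of Definition 1 (regular pair encoding)."""
    k, c, E = enc1(X), enc2(Y), pair(X, Y)
    # Rule 1: never pair an (h_k r_j) term with an (h_k' s_j') term.
    for i, ki in enumerate(k):
        for j, cj in enumerate(c):
            if E[i][j] and _has_param_product(ki, "r") and _has_param_product(cj, "s"):
                return False
    # Rules 2 and 3: every r_j (resp. s_j) occurring under some h_k is also
    # given out explicitly as a whole entry k_i (resp. c_i).
    for polys, prefix in ((k, "r"), (c, "s")):
        hidden = {v for p in polys for m in p.monomials() if len(m) == 2
                  for v in m if v.startswith(prefix)}
        given = {v for v in hidden if any(p.is_var(v) for p in polys)}
        if hidden != given:
            return False
    # Rule 4: s_0 is the first entry of c.
    return c[0].is_var("s0")
```

Rule 1 is what keeps the translation of Sect. 4 sound: in this encoding the only entry with an $h_k r_j$ term is $k_1$, the only entry with an $h_k s_j$ term is $c_2$, and $E_{1,2} = 0$, so the pairing only ever multiplies a parameter-bearing entry by a bare $r_1$ or $s_0$.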


3.2 Security Definitions for Pair Encodings 

The security notions of pair encoding schemes are given in [3], with a refinement 
regarding the number of queries in [10]. We describe almost the same definitions 
here and remark slight differences from [3,10] below. 

⁶ For a polynomial $u$, we say that $u \in \mathbf{v} = (v_1, \ldots, v_q)$ if $u = v_i$ for some $i \in [q]$. 
(Perfect Security). The pair encoding scheme $P$ is perfectly master-key hid- 
ing (PMH) if the following holds. Suppose $R(X, Y) = 0$. Let $n \leftarrow \mathrm{Param}(\kappa)$, 
$(\mathbf{k}; m_2) \leftarrow \mathrm{Enc1}(X)$, $(\mathbf{c}; w_2) \leftarrow \mathrm{Enc2}(Y)$, then the following two distributions are 
identical: 

$$\{\mathbf{c}(\mathbf{s}, \mathbf{h}),\ \mathbf{k}(0, \mathbf{r}, \mathbf{h})\} \quad \text{and} \quad \{\mathbf{c}(\mathbf{s}, \mathbf{h}),\ \mathbf{k}(\alpha, \mathbf{r}, \mathbf{h})\},$$

where the probability is taken over $\mathbf{h} \leftarrow \mathbb{Z}_p^n$, $\alpha \leftarrow \mathbb{Z}_p$, $\mathbf{r} \leftarrow \mathbb{Z}_p^{m_2}$, $\mathbf{s} \leftarrow \mathbb{Z}_p^{(w_2+1)}$. 

(Computational Security). We define two flavors of computational security 
notions: selectively and co-selectively secure master-key hiding (SMH, CMH) in a 
bilinear group generator $\mathcal{S}$. We first define the following game template, denoted 
as $\mathrm{Exp}^{P}_{\mathcal{S}, G, b, \mathcal{A}, t_1, t_2}$ for pair encoding $P$, a flavor $G \in \{\mathrm{CMH}, \mathrm{SMH}\}$, $b \in \{0, 1\}$, 
and $t_1, t_2 \in \mathbb{N}$. It takes as input the security parameter $\lambda$ and does the experiment 
with the adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$, and outputs $b'$ (as a guess of $b$). Denote by $\mathsf{st}$ 
a state information by $\mathcal{A}$. The game is defined as: 

$\mathrm{Exp}^{P}_{\mathcal{S}, G, b, \mathcal{A}, t_1, t_2}(\lambda)$: $(G_1, G_2, G_T, e, p) \leftarrow \mathcal{S}(\lambda)$; $g_1 \leftarrow G_1$, $g_2 \leftarrow G_2$, 
$\alpha \leftarrow \mathbb{Z}_p$, $n \leftarrow \mathrm{Param}(\kappa)$, $\mathbf{h} \leftarrow \mathbb{Z}_p^n$; 

where each oracle $\mathcal{O}^1, \mathcal{O}^2$ can be queried at most $t_1, t_2$ times respectively, and is 
defined as follows. 

• Selective Security 

- $\mathcal{O}^1_{\mathrm{SMH}, b, \alpha, \mathbf{h}}(Y)$: Run $(\mathbf{c}; w_2) \leftarrow \mathrm{Enc2}(Y)$; $\mathbf{s} \leftarrow \mathbb{Z}_p^{(w_2+1)}$; return $U \leftarrow g_1^{\mathbf{c}(\mathbf{s}, \mathbf{h})}$. 

- $\mathcal{O}^2_{\mathrm{SMH}, b, \alpha, \mathbf{h}}(X)$: If $R(X, Y) = 1$ for some queried $Y$, then return $\bot$. 
Else, run $(\mathbf{k}; m_2) \leftarrow \mathrm{Enc1}(X)$; $\mathbf{r} \leftarrow \mathbb{Z}_p^{m_2}$; return $V \leftarrow g_2^{\mathbf{k}(b\alpha, \mathbf{r}, \mathbf{h})}$. 

• Co-selective Security 

- $\mathcal{O}^1_{\mathrm{CMH}, b, \alpha, \mathbf{h}}(X)$: Run $(\mathbf{k}; m_2) \leftarrow \mathrm{Enc1}(X)$; $\mathbf{r} \leftarrow \mathbb{Z}_p^{m_2}$; return $V \leftarrow g_2^{\mathbf{k}(b\alpha, \mathbf{r}, \mathbf{h})}$. 

- $\mathcal{O}^2_{\mathrm{CMH}, b, \alpha, \mathbf{h}}(Y)$: If $R(X, Y) = 1$ for some queried $X$, then return $\bot$. 
Else, run $(\mathbf{c}; w_2) \leftarrow \mathrm{Enc2}(Y)$; $\mathbf{s} \leftarrow \mathbb{Z}_p^{(w_2+1)}$; return $U \leftarrow g_1^{\mathbf{c}(\mathbf{s}, \mathbf{h})}$. 

We define the advantage of $\mathcal{A}$ against the pair encoding scheme $P$ in the 
security game $G \in \{\mathrm{SMH}, \mathrm{CMH}\}$ for bilinear group generator $\mathcal{S}$ with the bounded 
number of queries $(t_1, t_2)$ as 

$$\mathrm{Adv}_{\mathcal{A}}^{(t_1, t_2)\text{-}G(P)}(\lambda) := \left| \Pr\!\left[\mathrm{Exp}^{P}_{\mathcal{S}, G, 0, \mathcal{A}, t_1, t_2}(\lambda) = 1\right] - \Pr\!\left[\mathrm{Exp}^{P}_{\mathcal{S}, G, 1, \mathcal{A}, t_1, t_2}(\lambda) = 1\right] \right|$$

We say that $P$ is $(t_1, t_2)$-selectively master-key hiding in $\mathcal{S}$ if $\mathrm{Adv}_{\mathcal{A}}^{(t_1, t_2)\text{-SMH}(P)}(\lambda)$ 
is negligible for all polynomial time attackers $\mathcal{A}$. Analogously, $P$ is $(t_1, t_2)$-co- 
selectively master-key hiding in $\mathcal{S}$ if $\mathrm{Adv}_{\mathcal{A}}^{(t_1, t_2)\text{-CMH}(P)}(\lambda)$ is negligible for all poly- 
nomial time attackers $\mathcal{A}$. 
Poly-many Queries. We also consider the case where $t_i$ is not a-priori bounded 
and hence the corresponding oracle can be queried polynomially many times. In 
such a case, we denote $t_i$ as poly. 

Remark 2. The original notions considered in [3] are (1, poly)-SMH, (1, 1)-CMH 
for selective and co-selective master-key hiding security, respectively. The refine- 
ment with $(t_1, t_2)$ was done recently in [10]. An advantage of this refinement is 
that we can have a “dual” conversion that converts between (1,1)-CMH and 
(1,1)-SMH for dual predicates [10]. 

Remark 3. The definition of computational security for encoding here is slightly 
different from that in [3,10] in that here we define it in asymmetric and prime- 
order groups, while it was defined in symmetric groups and in a prime-order subgroup of 
composite-order groups in [3,10]. We use asymmetric groups for the purpose of 
generality; one can obtain schemes in symmetric groups by just setting $G_1 = 
G_2$. Hence, we can use all the proposed encodings in [3,10] by working in the 
symmetric group version of our framework. For the latter issue, the difference of 
definitions between prime-order groups and prime-order subgroups is merely 
syntactic. This is because, although the original definition was defined in prime-order 
subgroups, the hardness of factorization was not assumed (i.e., generators of each 
subgroup or even the factors of the composite $N$ can be given out to the adversary). 
Hence, the encoding schemes in [3,10] are secure in our definition under the 
security proofs in their present forms. 

4 Approach for Translation to Prime-Order Groups 

Before describing our prime-order framework, we intuitively describe how we 
translate elements, procedures, and properties from the composite-order group 
setting to the prime-order group setting, following the intuition overview 
in Sect. 1.3. 

• Generators. In composite-order groups $(\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T)$ of order $N = p_1 p_2 p_3$, we consider generators $g_1 \in \mathbb{G}_{1,p_1}$, $\hat{g}_1 \in \mathbb{G}_{1,p_2}$, $g_2 \in \mathbb{G}_{2,p_1}$, $\hat{g}_2 \in \mathbb{G}_{2,p_2}$, where $\mathbb{G}_{i,p_j}$ is the subgroup of $\mathbb{G}_i$ of order $p_j$. In prime-order groups $(\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T)$ with generators $g_1 \in \mathbb{G}_1$, $g_2 \in \mathbb{G}_2$, we use the following elements to mimic the generators $g_1, \hat{g}_1, g_2, \hat{g}_2$, respectively:
\[
g_1^{B\binom{I_d}{0}} \in \mathbb{G}_1^{(d+1)\times d}, \quad
g_1^{B\binom{0}{1}} \in \mathbb{G}_1^{(d+1)\times 1}, \quad
g_2^{Z\binom{I_d}{0}} \in \mathbb{G}_2^{(d+1)\times d}, \quad
g_2^{Z\binom{0}{1}} \in \mathbb{G}_2^{(d+1)\times 1},
\]
where we let $(B, Z) \leftarrow \mathcal{S}_d$, and the distribution $\mathcal{S}_d$ does the following: sample $B \leftarrow \mathsf{GL}_{p,d+1}$, $D \leftarrow \mathsf{GL}_{p,d}$ and set $Z := B^{-T}\bar{D}$ where $\bar{D} := \begin{pmatrix} D & 0 \\ 0 & 1 \end{pmatrix} \in \mathsf{GL}_{p,d+1}$.

• Variables. The role of a parameter $h_k$ (in $h$) in the composite-order setting will be played by a matrix $H_k \in \mathbb{Z}_p^{(d+1)\times(d+1)}$. The role of the randomness $s_j, r_j$ (in $s, r$) to be exponentiated over $g_1, g_2$ in the composite-order setting for a ciphertext and a key will be played by vectors $s_j, r_j \in \mathbb{Z}_p^{d\times 1}$, respectively, in the prime-order setting. The role of the randomness $\hat{s}_j, \hat{r}_j$ (in $\hat{s}, \hat{r}$) to be exponentiated over $\hat{g}_1, \hat{g}_2$ will be used as it is (a scalar in $\mathbb{Z}_p$) in the prime-order setting.

• Exponentiation by parameter. To mimic the exponentiations $g_1^{h_k}, \hat{g}_1^{h_k}, g_2^{h_k}, \hat{g}_2^{h_k}$ in the composite-order setting, we do the following in the prime-order setting:
\[
g_1^{H_k B\binom{I_d}{0}} \in \mathbb{G}_1^{(d+1)\times d}, \quad
g_1^{H_k B\binom{0}{1}} \in \mathbb{G}_1^{(d+1)\times 1}, \quad
g_2^{H_k^T Z\binom{I_d}{0}} \in \mathbb{G}_2^{(d+1)\times d}, \quad
g_2^{H_k^T Z\binom{0}{1}} \in \mathbb{G}_2^{(d+1)\times 1}.
\]

• Exponentiation by randomness. To mimic the exponentiations $g_1^{s_j}, \hat{g}_1^{\hat{s}_j}, g_2^{r_j}, \hat{g}_2^{\hat{r}_j}$ in the composite-order setting, we do the following in the prime-order setting:
\[
g_1^{B\binom{s_j}{0}} = g_1^{B\binom{I_d}{0} s_j} \in \mathbb{G}_1^{(d+1)\times 1}, \quad
g_1^{B\binom{0}{\hat{s}_j}} = g_1^{B\binom{0}{1}\hat{s}_j} \in \mathbb{G}_1^{(d+1)\times 1},
\]
\[
g_2^{Z\binom{r_j}{0}} = g_2^{Z\binom{I_d}{0} r_j} \in \mathbb{G}_2^{(d+1)\times 1}, \quad
g_2^{Z\binom{0}{\hat{r}_j}} = g_2^{Z\binom{0}{1}\hat{r}_j} \in \mathbb{G}_2^{(d+1)\times 1}.
\]

• Exponentiation by randomness over parameter. To mimic $(g_1^{h_k})^{s_j}$, $(\hat{g}_1^{h_k})^{\hat{s}_j}$, $(g_2^{h_k})^{r_j}$, $(\hat{g}_2^{h_k})^{\hat{r}_j}$ in the composite-order setting, we do as follows:
\[
g_1^{H_k B\binom{s_j}{0}} = g_1^{H_k B\binom{I_d}{0} s_j} \in \mathbb{G}_1^{(d+1)\times 1}, \quad
g_1^{H_k B\binom{0}{\hat{s}_j}} = g_1^{H_k B\binom{0}{1}\hat{s}_j} \in \mathbb{G}_1^{(d+1)\times 1},
\]
\[
g_2^{H_k^T Z\binom{r_j}{0}} = g_2^{H_k^T Z\binom{I_d}{0} r_j} \in \mathbb{G}_2^{(d+1)\times 1}, \quad
g_2^{H_k^T Z\binom{0}{\hat{r}_j}} = g_2^{H_k^T Z\binom{0}{1}\hat{r}_j} \in \mathbb{G}_2^{(d+1)\times 1}.
\]

• Evaluating Pair Encoding with Vectors/Matrices. We can evaluate the ciphertext attribute encoding $c(s,h)$, defined in Eq. (5), with each $s_j$ substituted by a vector $x_j \in \mathbb{Z}_p^{(d+1)\times 1}$ and each $h_k$ substituted by a matrix $H_k \in \mathbb{Z}_p^{(d+1)\times(d+1)}$. Let $X = (x_0,\ldots,x_{w_2}) \in \mathbb{Z}_p^{(d+1)\times(w_2+1)}$ and $H = (H_1,\ldots,H_n)$. We define
\[
c(X,H) := \Bigl( \sum_{j\in[0,w_2]} a_{i,j}\, x_j + \sum_{j\in[0,w_2]} \sum_{k\in[1,n]} a_{i,j,k}\, H_k x_j \Bigr)_{i\in[1,w_1]} \tag{6}
\]
Similarly for the key attribute encoding $k(\alpha,r,h)$, defined in Eq. (4), we replace each $r_j$ with a vector $y_j \in \mathbb{Z}_p^{(d+1)\times 1}$ and $\alpha$ with $a \in \mathbb{Z}_p^{(d+1)\times 1}$. Let $Y = (y_1,\ldots,y_{m_2}) \in \mathbb{Z}_p^{(d+1)\times m_2}$. We define
\[
k(a,Y,H) := \Bigl( b_i\, a + \sum_{j\in[1,m_2]} b_{i,j}\, y_j + \sum_{j\in[1,m_2]} \sum_{k\in[1,n]} b_{i,j,k}\, H_k^T y_j \Bigr)_{i\in[1,m_1]} \tag{7}
\]

• Associativity. In the composite-order setting, we have that $e(t_1^{h_k s_j}, t_2^{r_j}) = e(t_1^{s_j}, t_2^{h_k r_j})$ for any $t_1 \in \mathbb{G}_1$, $t_2 \in \mathbb{G}_2$. In the prime-order setting, we have
\[
e\bigl(g_1^{H_k B\binom{s_j}{0}},\, g_2^{Z\binom{r_j}{0}}\bigr) = e\bigl(g_1^{B\binom{s_j}{0}},\, g_2^{H_k^T Z\binom{r_j}{0}}\bigr) \tag{8}
\]
as $\bigl(\binom{r_j}{0}^T Z^T\bigr)\bigl(H_k B\binom{s_j}{0}\bigr) = \bigl(\binom{r_j}{0}^T Z^T H_k\bigr)\bigl(B\binom{s_j}{0}\bigr)$.

• Unavailable Commutativity. We also give an intuition for why commutativity does not carry over to the prime-order setting. In the composite-order setting, we have, for any $t_1 \in \mathbb{G}_1$, $t_2 \in \mathbb{G}_2$, that $e(t_1^{h_k s_j}, t_2^{h_{k'} r_j}) = e(t_1^{h_{k'} s_j}, t_2^{h_k r_j})$. However, when translating to our prime-order setting using our rules so far, the analogous mechanism does not hold, as we can see that
\[
e\bigl(g_1^{H_k B\binom{s_j}{0}},\, g_2^{H_{k'}^T Z\binom{r_j}{0}}\bigr) \neq e\bigl(g_1^{H_{k'} B\binom{s_j}{0}},\, g_2^{H_k^T Z\binom{r_j}{0}}\bigr) \tag{9}
\]
as $\bigl(\binom{r_j}{0}^T Z^T H_{k'}\bigr)\bigl(H_k B\binom{s_j}{0}\bigr) \neq \bigl(\binom{r_j}{0}^T Z^T H_k\bigr)\bigl(H_{k'} B\binom{s_j}{0}\bigr)$, due to the fact that matrix multiplication is not commutative. This is exactly why we will not use this commutativity-based computation in our framework: we disallow exactly this kind of multiplication from occurring. We enable this with the first rule of regular encodings, which exactly prevents multiplying $h_k s_j$ with $h_{k'} r_j$.

• Parameter-Hiding. In composite-order groups, we have that: given $g_1^{h_k}, g_2^{h_k}, g_1, \hat{g}_1, g_2, \hat{g}_2, p_1, p_2$, the value $h_k \bmod p_2$ is information-theoretically hidden (due to the Chinese Remainder Theorem). In the prime-order setting, we have Lemma 1.

Lemma 1. Let $(B,Z) \leftarrow \mathcal{S}_d$. For any $H_k \in \mathbb{Z}_p^{(d+1)\times(d+1)}$, we have that, given $H_k B\binom{I_d}{0}$ and $H_k^T Z\binom{I_d}{0}$, along with $B, Z$, the entry at position $(d+1, d+1)$ of the matrix $B^{-1} H_k B$ is information-theoretically hidden.

Proof. Write $B^{-1} H_k B = \begin{pmatrix} M_1 & M_2 \\ M_3 & \delta \end{pmatrix}$ where $M_1 \in \mathbb{Z}_p^{d\times d}$, $M_2 \in \mathbb{Z}_p^{d\times 1}$, $M_3 \in \mathbb{Z}_p^{1\times d}$, and $\delta \in \mathbb{Z}_p$. We have
\[
H_k B\binom{I_d}{0} = B \begin{pmatrix} M_1 & M_2 \\ M_3 & \delta \end{pmatrix}\binom{I_d}{0} = B \binom{M_1}{M_3},
\]
\[
H_k^T Z\binom{I_d}{0} = H_k^T B^{-T}\bar{D}\binom{I_d}{0} = B^{-T}\begin{pmatrix} M_1^T & M_3^T \\ M_2^T & \delta \end{pmatrix}\binom{D}{0} = B^{-T}\binom{M_1^T D}{M_2^T D},
\]
where in the second line we use the fact that $B^T H_k^T B^{-T} = \begin{pmatrix} M_1^T & M_3^T \\ M_2^T & \delta \end{pmatrix}$. We can see that both $H_k B\binom{I_d}{0}$ and $H_k^T Z\binom{I_d}{0}$ do not contain information on $\delta$. □
• Using Security of Encodings in Hybrid Games. In the composite-order setting, intuitively, we embed the security of encodings as it is in one hybrid game in the proof of the scheme. That is, we simply invoke a trivial implication:
\[
\hat{g}_2^{k(0,\hat{r},h)} \approx_c \hat{g}_2^{k(\alpha,\hat{r},h)} \quad\Longrightarrow\quad \hat{g}_2^{k(0,\hat{r},h)} \approx_c \hat{g}_2^{k(\alpha,\hat{r},h)},
\]
where we refer to the left-hand side as the security of the encoding and to the right-hand side as the hybrid in the proof of the scheme. Also, $\approx_c$ denotes computational indistinguishability (informally). In the prime-order setting, contrastingly, we will need to prove the following reduction (stated informally here):
\[
g_2^{k(0,\hat{r},h)} \approx_c g_2^{k(\alpha,\hat{r},h)} \quad\Longrightarrow\quad g_2^{k(0,Z\hat{R},H)} \approx_c g_2^{k(a,Z\hat{R},H)},
\]
where the left-hand side refers to the same security of encodings as before, so that we can achieve our goal of using the security of encodings "as is".⁷ Now, however, the right-hand side, which refers to one hybrid in our scheme,⁸ is of a different form, as it contains the matrix-based definition of encodings in Eq. (7). To this end, we will relate both sides as follows. First, we implicitly define $a$ from $\alpha$, and $\hat{R}$ from $\hat{r}$.⁹ Second, we invoke the parameter-hiding property to implicitly replace each $H_k$ with $H_k + B\begin{pmatrix} 0 & 0 \\ 0 & h_k \end{pmatrix}B^{-1}$. Our novelty here then lies in identifying the following sufficient condition (stated informally here):
\[
g_2^{k(a,Z\hat{R},H)} \text{ can be fully simulated by } g_2^{k(\alpha,\hat{r},h)} \text{ and } (g_2^{\hat{r}_j})^{b_{i,j,k}} \text{ (for all } i,j,k\text{)},
\]
where $\alpha$, $\hat{r} = (\hat{r}_1,\ldots,\hat{r}_{m_2})$, $h = (h_1,\ldots,h_n)$ are unknown, and $b_{i,j,k}$ is defined by the encoding (Eq. (4)). We note that this is quite surprising in the first place, since we might expect that only $g_2^{k(\alpha,\hat{r},h)}$ would suffice to simulate it (intuitively, due to the one-to-one translation of elements into matrix forms). Now, to establish the reduction, we require the availability of the latter term $(g_2^{\hat{r}_j})^{b_{i,j,k}}$, which was not a-priori guaranteed. We simply resolve this by observing that it is available only if either $\hat{r}_j$ is given out in the definition of $k(\alpha,\hat{r},h)$ or $b_{i,j,k} = 0$. This is why we define exactly this to be one of the rules for regular encodings (Rule 2 of Definition 1). The case for the encoding $c$ can be argued analogously.

5 Our Generic Construction for Fully Secure ABE 

We are now ready to describe our generic construction in prime-order groups. It is obtained by translating the composite-order scheme of [3], also recapped in the full version [4], to the prime-order setting using the rules of Sect. 4 above.

⁷ The only difference is that now it is defined in prime-order groups, instead of prime-order subgroups of composite-order groups.

⁸ Looking ahead, it corresponds to the hybrid game between type 1 and type 2 keys (cf. Eqs. (20), (21)).

⁹ Details can be found in the proof for the hybrid between the games $\mathsf{G}_{i,1}$ and $\mathsf{G}_{i,2}$, deferred to [4].
We use the distribution $\mathcal{S}_d$ defined in Sect. 4. From a pair encoding scheme $P$ for a predicate $R$, we construct an ABE scheme for $R$, denoted $\mathsf{ABE}(P)$, as follows.

• Setup($1^\lambda, \kappa$): Run $(\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T,e,p) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g_1 \leftarrow \mathbb{G}_1$ and $g_2 \leftarrow \mathbb{G}_2$. Run $n \leftarrow \mathsf{Param}(\kappa)$. Pick $H = (H_1,\ldots,H_n) \leftarrow (\mathbb{Z}_p^{(d+1)\times(d+1)})^n$ and $a \leftarrow \mathbb{Z}_p^{(d+1)\times 1}$. Sample $(B,Z) \leftarrow \mathcal{S}_d$. Note that $B, Z \in \mathbb{Z}_p^{(d+1)\times(d+1)}$. Output
\[
\mathsf{PK} = \Bigl( e(g_1,g_2)^{a^T B\binom{I_d}{0}},\; g_1^{B\binom{I_d}{0}},\; g_1^{H_1 B\binom{I_d}{0}},\ldots, g_1^{H_n B\binom{I_d}{0}} \Bigr), \quad
\mathsf{MSK} = \Bigl( g_2^{a},\; g_2^{Z\binom{I_d}{0}},\; g_2^{H_1^T Z\binom{I_d}{0}},\ldots, g_2^{H_n^T Z\binom{I_d}{0}} \Bigr). \tag{10}
\]

• Encrypt($Y, M, \mathsf{PK}$): Upon input $Y \in \mathbb{Y}$, run $(c; w_2) \leftarrow \mathsf{Enc2}(Y)$. Randomly pick $s_0, s_1, \ldots, s_{w_2} \leftarrow \mathbb{Z}_p^{d\times 1}$. Let $S := \bigl(\binom{s_0}{0}, \binom{s_1}{0}, \ldots, \binom{s_{w_2}}{0}\bigr) \in \mathbb{Z}_p^{(d+1)\times(w_2+1)}$. Output the ciphertext as $\mathsf{CT} = (C, C_0)$:
\[
C = g_1^{c(BS, H)} \in \bigl(\mathbb{G}_1^{(d+1)\times 1}\bigr)^{w_1}, \qquad
C_0 = e(g_1,g_2)^{a^T B\binom{s_0}{0}} \cdot M \in \mathbb{G}_T. \tag{11}
\]

• KeyGen($X, \mathsf{MSK}$): Upon input $X \in \mathbb{X}$, run $(k; m_2) \leftarrow \mathsf{Enc1}(X)$. Randomly pick $r_1,\ldots,r_{m_2} \leftarrow \mathbb{Z}_p^{d\times 1}$. Let $R := \bigl(\binom{r_1}{0},\ldots,\binom{r_{m_2}}{0}\bigr) \in \mathbb{Z}_p^{(d+1)\times m_2}$. Output
\[
\mathsf{SK} = g_2^{k(a, ZR, H)} \in \bigl(\mathbb{G}_2^{(d+1)\times 1}\bigr)^{m_1}. \tag{12}
\]

• Decrypt($\mathsf{CT}, \mathsf{SK}$): Obtain $Y, X$ from $\mathsf{CT}, \mathsf{SK}$. Suppose $R(X,Y) = 1$. Run $E \leftarrow \mathsf{Pair}(X,Y)$. Compute the mask
\[
e(g_1,g_2)^{a^T B\binom{s_0}{0}} = \prod_{i\in[1,m_1],\, j\in[1,w_1]} e\bigl(C[j], \mathsf{SK}[i]\bigr)^{E_{i,j}}, \tag{13}
\]
where we denote by $C[j] \in \mathbb{G}_1^{(d+1)\times 1}$ the $j$-th vector in $C$, and by $\mathsf{SK}[i] \in \mathbb{G}_2^{(d+1)\times 1}$ the $i$-th vector in $\mathsf{SK}$. Finally, remove this mask from $C_0$ to get $M$.

Remark on Computability. We note that $C$ can be computed from $\mathsf{PK}$ since
\[
c(BS, H) = \Bigl( \sum_{j\in[0,w_2]} a_{i,j}\, B\binom{s_j}{0} + \sum_{j\in[0,w_2]} \sum_{k\in[1,n]} a_{i,j,k}\, H_k B\binom{s_j}{0} \Bigr)_{i\in[1,w_1]} \tag{14}
\]
and thanks to the identity $\bigl(X\binom{I_d}{0}\bigr) y = X\binom{y}{0}$ for any $X \in \mathbb{Z}_p^{(d+1)\times(d+1)}$, $y \in \mathbb{Z}_p^{d\times 1}$. Similarly, $\mathsf{SK}$ can be computed from $\mathsf{MSK}$ since
\[
k(a, ZR, H) = \Bigl( b_i\, a + \sum_{j\in[1,m_2]} b_{i,j}\, Z\binom{r_j}{0} + \sum_{j\in[1,m_2]} \sum_{k\in[1,n]} b_{i,j,k}\, H_k^T Z\binom{r_j}{0} \Bigr)_{i\in[1,m_1]}. \tag{15}
\]

Correctness. We would like to prove that if $R(X,Y) = 1$ then
\[
a^T B\binom{s_0}{0} = \sum_{i\in[1,m_1]} \sum_{j\in[1,w_1]} E_{i,j} \cdot \bigl(k(a,ZR,H)[i]\bigr)^T \bigl(c(BS,H)[j]\bigr).
\]
This is implied by the correctness of the pair encoding, which states that if $R(X,Y) = 1$, then $\alpha s_0 = \sum_{i\in[1,m_1]} \sum_{j\in[1,w_1]} E_{i,j} \cdot k(\alpha,r,h)[i] \cdot c(s,h)[j]$. Intuitively, since we translate to the prime-order setting by substituting variables and procedures while preserving their properties as in Sect. 4, this relation should also translate to the above equation. In particular, we use associativity but not commutativity, as clarified in Sect. 4. We verify the correctness more formally in the full version [4].
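As an added example (our own code, not from the paper), the following Python checks the Sect. 4 translation rules numerically over a constructed small prime field, with no pairing group involved: the orthogonality of the normal and semi-functional directions $B\binom{s}{0}$, $B\binom{0}{\hat s}$, $Z\binom{r}{0}$, $Z\binom{0}{\hat r}$ under $\mathcal{S}_d$; associativity without commutativity (Eqs. (8), (9)); the parameter-hiding statement of Lemma 1; and the Sect. 5 correctness relation, evaluated for a constructed two-parameter pair encoding that is assumed here and is not one of the paper's encodings. The prime, the choice $d = 2$, and all function names are ours.

```python
import random
P, D = 1_000_003, 2  # constructed toy parameters (ours, not the paper's): small prime p, d = 2

def matmul(A, B):  # matrix product over Z_p; matrices are lists of rows
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]

def transpose(A):
    return [list(c) for c in zip(*A)]

def madd(A, B, sign=1):  # A + sign*B over Z_p
    return [[(x + sign * y) % P for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def inverse(A):  # Gauss-Jordan inverse over Z_p; ValueError if A is singular
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], P - 2, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [(x - M[r][c] * y) % P for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def rand_matrix(rows, cols):
    return [[random.randrange(P) for _ in range(cols)] for _ in range(rows)]

def rand_invertible(n):
    while True:  # rejection sampling; a random matrix is singular with prob ~1/p
        A = rand_matrix(n, n)
        try:
            inverse(A)
            return A
        except ValueError:
            pass

def col(s, last=0):  # column vector (s; last) in Z_p^{(d+1)x1} from a length-d list s
    return [[v] for v in s] + [[last]]

def sample_Sd(d=D):
    """(B, Z) <- S_d of Sect. 4: B <- GL_{d+1}, D <- GL_d, Z := B^{-T} Dbar."""
    B, Dm = rand_invertible(d + 1), rand_invertible(d)
    Dbar = [[Dm[i][j] if i < d and j < d else int(i == j)
             for j in range(d + 1)] for i in range(d + 1)]
    return B, matmul(transpose(inverse(B)), Dbar)

def pair_exp(u, v):  # exponent of e(g1^u, g2^v) for column vectors u, v: v^T u
    return matmul(transpose(v), u)[0][0]

def check_orthogonality():
    """Normal and semi-functional directions pair to 0 (mimics subgroup orthogonality)."""
    B, Z = sample_Sd()
    s_hat, r_hat = random.randrange(1, P), random.randrange(1, P)
    c_norm, c_sf = matmul(B, col(rand_matrix(1, D)[0])), matmul(B, col([0] * D, s_hat))
    k_norm, k_sf = matmul(Z, col(rand_matrix(1, D)[0])), matmul(Z, col([0] * D, r_hat))
    return (pair_exp(c_sf, k_norm) == 0 and pair_exp(c_norm, k_sf) == 0
            and pair_exp(c_sf, k_sf) == s_hat * r_hat % P)

def check_associativity():
    """Returns (Eq. (8) associativity holds, Eq. (9) commutativity holds)."""
    B, Z = sample_Sd()
    H1, H2 = rand_matrix(D + 1, D + 1), rand_matrix(D + 1, D + 1)
    x, y = matmul(B, col(rand_matrix(1, D)[0])), matmul(Z, col(rand_matrix(1, D)[0]))
    assoc = pair_exp(matmul(H1, x), y) == pair_exp(x, matmul(transpose(H1), y))
    commut = (pair_exp(matmul(H1, x), matmul(transpose(H2), y))
              == pair_exp(matmul(H2, x), matmul(transpose(H1), y)))
    return assoc, commut

def check_parameter_hiding():
    """Lemma 1: shifting entry (d+1,d+1) of B^{-1} H B by h leaves H B(I_d;0) and
    H^T Z(I_d;0) unchanged, while the semi-functional direction B(0;1) picks up B(0;h)."""
    B, Z = sample_Sd()
    H, h = rand_matrix(D + 1, D + 1), random.randrange(1, P)
    E = [[h if i == j == D else 0 for j in range(D + 1)] for i in range(D + 1)]
    H2 = madd(H, matmul(matmul(B, E), inverse(B)))
    proj = [[int(i == j) for j in range(D)] for i in range(D + 1)]  # (I_d; 0)
    same_pk = matmul(matmul(H, B), proj) == matmul(matmul(H2, B), proj)
    same_msk = matmul(matmul(transpose(H), Z), proj) == matmul(matmul(transpose(H2), Z), proj)
    sf = matmul(B, col([0] * D, 1))
    shifted = madd(matmul(H2, sf), matmul(H, sf), -1) == matmul(B, col([0] * D, h))
    return same_pk and same_msk and shifted

def check_correctness(X, Y):
    """Sect. 5 correctness for a constructed encoding (ours, not the paper's): k = (alpha + r(h1 + X h2), r),
    c = (s0, s0(h1 + Y h2)), E = diag(1, -1); vectors/matrices as in Eqs. (6), (7), H_k^T on the key side."""
    B, Z = sample_Sd()
    H1, H2, a = rand_matrix(D + 1, D + 1), rand_matrix(D + 1, D + 1), rand_matrix(D + 1, 1)
    x, y = matmul(B, col(rand_matrix(1, D)[0])), matmul(Z, col(rand_matrix(1, D)[0]))
    HX = madd(H1, [[v * X % P for v in row] for row in H2])  # h1 + X h2
    HY = madd(H1, [[v * Y % P for v in row] for row in H2])  # h1 + Y h2
    k1, k2 = madd(a, matmul(transpose(HX), y)), y  # k(a, ZR, H) with (d+1)x1 entries
    c1, c2 = x, matmul(HY, x)                       # c(BS, H)
    mask = (pair_exp(c1, k1) - pair_exp(c2, k2)) % P  # Eq. (13) in the exponent
    return mask == matmul(transpose(a), x)[0][0]      # equals a^T B(s_0;0) iff X == Y
```

The orthogonality check is the prime-order counterpart of the subgroup orthogonality that Lemma 2 relies on: a normal key never sees the $\hat{s}$ component of a semi-functional ciphertext, and only the two semi-functional directions interact. The parameter-hiding check shows why the hybrid argument can shift $h_k$ into $H_k$ unnoticed: both published projections are unchanged, but the semi-functional direction does pick up the shift. The correctness check fails for $X \neq Y$ (with probability about $1 - 1/p$), which is what the pair-encoding correctness condition predicts.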


6 Security Theorems and Proofs 

We obtain three security theorems for the generic construction. The first one is the main theorem and is for the case when the pair encoding is (1, poly)-SMH and (1, 1)-CMH, where we achieve a tighter reduction cost, $O(q_1)$. The other two are for the case of PMH and the pair of (1, 1)-SMH, (1, 1)-CMH, where we obtain the normal reduction cost, $O(q_{\mathrm{all}})$. We postpone the latter two to [4].

Theorem 1. Suppose that a pair encoding scheme $P$ for predicate $R$ is (1, poly)-selectively and (1, 1)-co-selectively master-key hiding in $\mathcal{G}$, and the Matrix-DH Assumption holds in $\mathcal{G}$. Then the construction $\mathsf{ABE}(P)$ in Sect. 5 is fully secure. More precisely, for any PPT adversary $\mathcal{A}$, let $q_1$ denote the number of queries in phase 1; there exist PPT algorithms $\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3$, whose running times are the same as that of $\mathcal{A}$ plus some polynomial time, such that for any $\lambda$,
\[
\mathsf{Adv}^{\mathsf{ABE}}_{\mathcal{A}}(\lambda) \le (2q_1+3)\,\mathsf{Adv}^{\mathcal{D}_d\text{-MatDH}}_{\mathcal{B}_1}(\lambda) + q_1\,\mathsf{Adv}^{(1,1)\text{-CMH}}_{\mathcal{B}_2}(\lambda) + \mathsf{Adv}^{(1,\mathrm{poly})\text{-SMH}}_{\mathcal{B}_3}(\lambda).
\]

Semi-functional Algorithms. We define the semi-functional algorithms which will be used in the security proof. These are also translated from the semi-functional algorithms of the framework of [3] (also recapped in [4]).
• SFSetup($1^\lambda,\kappa$) → $(\mathsf{PK}, \mathsf{MSK}, \widehat{\mathsf{PK}}, \widehat{\mathsf{MSK}}_{\mathrm{base}}, \widehat{\mathsf{MSK}}_{\mathrm{aux}})$: This is exactly the same as Setup, except that it additionally outputs $\widehat{\mathsf{PK}}, \widehat{\mathsf{MSK}}_{\mathrm{base}}, \widehat{\mathsf{MSK}}_{\mathrm{aux}}$ defined as
\[
\widehat{\mathsf{PK}} = \Bigl( e(g_1,g_2)^{a^T B\binom{0}{1}},\; g_1^{B\binom{0}{1}},\; g_1^{H_1 B\binom{0}{1}},\ldots, g_1^{H_n B\binom{0}{1}} \Bigr), \tag{16}
\]
\[
\widehat{\mathsf{MSK}}_{\mathrm{base}} = g_2^{Z\binom{0}{1}}, \qquad
\widehat{\mathsf{MSK}}_{\mathrm{aux}} = \Bigl( g_2^{H_1^T Z\binom{0}{1}},\ldots, g_2^{H_n^T Z\binom{0}{1}} \Bigr). \tag{17}
\]

• SFEncrypt($Y, M, \mathsf{PK}, \widehat{\mathsf{PK}}$) → $\mathsf{CT}$: Run $(c; w_2) \leftarrow \mathsf{Enc2}(Y)$. Pick $S$ as in Encrypt. Pick $\hat{s}_0, \hat{s}_1,\ldots,\hat{s}_{w_2} \leftarrow \mathbb{Z}_p$. Let $\hat{S} := \bigl(\binom{0}{\hat{s}_0},\binom{0}{\hat{s}_1},\ldots,\binom{0}{\hat{s}_{w_2}}\bigr) \in \mathbb{Z}_p^{(d+1)\times(w_2+1)}$. Output the ciphertext as $\mathsf{CT} = (C, C_0)$:
\[
C = g_1^{c(B(S+\hat{S}), H)} \in \bigl(\mathbb{G}_1^{(d+1)\times 1}\bigr)^{w_1}, \qquad
C_0 = e(g_1,g_2)^{a^T B\binom{s_0}{\hat{s}_0}} \cdot M \in \mathbb{G}_T. \tag{18}
\]

• SFKeyGen($X, \mathsf{MSK}, \widehat{\mathsf{MSK}}_{\mathrm{base}}, \widehat{\mathsf{MSK}}_{\mathrm{aux}}, t \in \{0,1,2,3\}, \beta \in \mathbb{Z}_p$) → $\mathsf{SK}$: Run $(k; m_2) \leftarrow \mathsf{Enc1}(X)$. Pick $R$ as in KeyGen. Pick $\hat{r}_1,\ldots,\hat{r}_{m_2} \leftarrow \mathbb{Z}_p$. Let $\hat{R} := \bigl(\binom{0}{\hat{r}_1},\ldots,\binom{0}{\hat{r}_{m_2}}\bigr) \in \mathbb{Z}_p^{(d+1)\times m_2}$. Output the secret key $\mathsf{SK}$:
\[
\mathsf{SK} = \begin{cases}
g_2^{k(a, ZR, H)} & \text{if } t = 0 \quad (19)\\[4pt]
g_2^{k(a, ZR, H) + k(0, Z\hat{R}, H)} = g_2^{k(a, Z(R+\hat{R}), H)} & \text{if } t = 1 \quad (20)\\[4pt]
g_2^{k(a, ZR, H) + k(Z\binom{0}{\beta}, Z\hat{R}, H)} = g_2^{k(a + Z\binom{0}{\beta}, Z(R+\hat{R}), H)} & \text{if } t = 2 \quad (21)\\[4pt]
g_2^{k(a, ZR, H) + k(Z\binom{0}{\beta}, 0, H)} = g_2^{k(a + Z\binom{0}{\beta}, ZR, H)} & \text{if } t = 3 \quad (22)
\end{cases}
\]

We call $t$ the type of semi-functional keys. Note that

- In computing types 0 and 3, $\widehat{\mathsf{MSK}}_{\mathrm{aux}}$ is not required as input (and no $\hat{R}$ is needed).

- In computing types 0 and 1, $\beta$ is not required as input.


Proof (of Theorem 1). We use a sequence of games in the following order:
\[
\mathsf{G}_{\mathrm{real}} \xrightarrow{\text{MatDH}} \mathsf{G}_0 \cdots \mathsf{G}_{i-1,3} \xrightarrow{\text{MatDH}} \mathsf{G}_{i,1} \xrightarrow{\text{CMH}} \mathsf{G}_{i,2} \xrightarrow{\text{MatDH}} \mathsf{G}_{i,3} \cdots \mathsf{G}_{q_1,3} \xrightarrow{\text{MatDH}} \mathsf{G}_{q_1+1} \xrightarrow{\text{SMH}} \mathsf{G}_{q_1+2} \xrightarrow{\text{MatDH}} \mathsf{G}_{q_1+3} \xrightarrow{\;=\;} \mathsf{G}_{\mathrm{final}}
\]
where each game is defined as follows.¹⁰ $\mathsf{G}_{\mathrm{real}}$ is the actual security game. Each of the following games is defined exactly as its previous game in the sequence except for the specified modification. For notational purposes, let $\mathsf{G}_{0,3} := \mathsf{G}_0$.

¹⁰ For formality and ease of viewing, we depict these game definitions in Fig. 1 in [4].
- $\mathsf{G}_0$: We modify the challenge ciphertext to be of semi-functional type.

- $\mathsf{G}_{i,t}$ where $i \in [1,q_1]$, $t \in \{1,2,3\}$: We modify the $i$-th queried key to be semi-functional of type $t$. We use a fresh $\beta$ for each key (for types $t = 2, 3$).

- $\mathsf{G}_{q_1+t}$ where $t \in \{1,2,3\}$: We modify all keys in phase 2 to be semi-functional of type $t$ at once. We use the same $\beta$ for all these keys (for types $t = 2, 3$).

- $\mathsf{G}_{\mathrm{final}}$: We modify the challenge to encrypt a random message.

In the final game, the advantage of $\mathcal{A}$ is trivially 0. We prove the indistinguishability between all these adjacent games (under the underlying assumptions as written in the diagram). Due to the lack of space, we defer most of them to [4] and show here only the proof of indistinguishability between $\mathsf{G}_{\mathrm{real}}$ and $\mathsf{G}_0$ under MatDH (Lemma 2). The other MatDH-based transitions can be done similarly. On the other hand, the transitions based on the security of encodings (namely, CMH and SMH), although a bit more involved, basically follow the intuition explained at the end of Sect. 4. In particular, we are able to establish the reduction to the security of encodings thanks to the restrictions for regular encodings (Rules 2-4) and the parameter-hiding lemma. From these, we obtain Theorem 1. □

Lemma 2 ($\mathsf{G}_{\mathrm{real}}$ to $\mathsf{G}_0$). For any adversary $\mathcal{A}$ against ABE, there exists an algorithm $\mathcal{B}$ that breaks the $\mathcal{D}_d$-Matrix-DH assumption with $\bigl|\mathsf{G}_{\mathrm{real}}\mathsf{Adv}^{\mathsf{ABE}}_{\mathcal{A}}(\lambda) - \mathsf{G}_0\mathsf{Adv}^{\mathsf{ABE}}_{\mathcal{A}}(\lambda)\bigr| \le \mathsf{Adv}^{\mathcal{D}_d\text{-MatDH}}_{\mathcal{B}}(\lambda)$. (We denote by $\mathsf{G}_j\mathsf{Adv}^{\mathsf{ABE}}_{\mathcal{A}}(\lambda)$ the advantage of $\mathcal{A}$ in the game $\mathsf{G}_j$.)

Proof (of Lemma 2). $\mathcal{B}$ obtains an input $\bigl(\mathbb{G}, g_1^{T}, g_1^{T\binom{y}{\gamma}}\bigr)$ from the $\mathcal{D}_d$-Matrix-DH Assumption, where either $\gamma = 0$ or $\gamma \leftarrow \mathbb{Z}_p$, and $T \leftarrow \mathcal{D}_d$, $y \leftarrow \mathbb{Z}_p^{d\times 1}$.

Setup. $\mathcal{B}$ runs Setup except that it uses $\mathbb{G}$ from its input, and that it sets $(B,Z)$ in an implicit manner as follows. $\mathcal{B}$ chooses $\tilde{B} \leftarrow \mathsf{GL}_{p,d+1}$, $J \leftarrow \mathsf{GL}_{p,d}$ and sets
\[
B = \tilde{B}T, \qquad Z = \tilde{B}^{-T}\tilde{Z} \quad\text{where}\quad \tilde{Z} := \begin{pmatrix} J & -M^{-T}c^T \\ 0 & 1\end{pmatrix},
\]
where we recall that $T = \begin{pmatrix} M & 0 \\ c & 1 \end{pmatrix}$ from Eq. (1). We can see that $(B,Z)$ are properly distributed as from $\mathcal{S}_d$, as follows.

- $B$ is properly distributed due to uniformly random $\tilde{B}$ and $T \in \mathsf{GL}_{p,d+1}$.

- $Z$ is properly distributed, as we observe that $\bar{D} = B^T Z$ is
\[
\bar{D} = B^T Z = (T^T\tilde{B}^T)(\tilde{B}^{-T}\tilde{Z}) = T^T\tilde{Z}
= \begin{pmatrix} M^T & c^T \\ 0 & 1\end{pmatrix}\begin{pmatrix} J & -M^{-T}c^T \\ 0 & 1\end{pmatrix}
= \begin{pmatrix} M^T J & 0 \\ 0 & 1 \end{pmatrix},
\]
where the last equality holds since $(M^T)(-M^{-T}c^T) + (c^T)(1) = 0$ (for the upper-right block). We can see that $\bar{D}$ is properly distributed due to uniformly random $M^T, J \in \mathsf{GL}_{p,d}$.

$\mathcal{B}$ can then compute $g_1^{B\binom{I_d}{0}} = g_1^{\tilde{B}T\binom{I_d}{0}}$ and $g_2^{Z\binom{I_d}{0}} = g_2^{\tilde{B}^{-T}\binom{J}{0}}$. Here, the first term is computable from $g_1^{T}$, while in the second term the unknown last column of $\tilde{Z}$ vanishes through the left projection map $\binom{I_d}{0}$. From these two terms, $\mathcal{B}$ can compute $\mathsf{PK}, \mathsf{MSK}$. The public key $\mathsf{PK}$ is given to $\mathcal{A}$.

Phase 1, 2. $\mathcal{B}$ answers all key queries of $\mathcal{A}$ using KeyGen (with the known $\mathsf{MSK}$).

Challenge. The adversary $\mathcal{A}$ outputs $M_0, M_1 \in \mathbb{G}_T$ and a target $Y^*$. $\mathcal{B}$ runs $(c; w_2) \leftarrow \mathsf{Enc2}(Y^*)$ as usual. Using random self-reducibility, $\mathcal{B}$ extends the Matrix-DH Assumption to $(w_2+1)$-fold and obtains $\bigl(g_1^{T}, g_1^{T\binom{Y}{\gamma}}\bigr)$ where either $\gamma = 0$ or $\gamma \leftarrow \mathbb{Z}_p^{1\times(w_2+1)}$, with $T \leftarrow \mathcal{D}_d$, $Y \leftarrow \mathbb{Z}_p^{d\times(w_2+1)}$, and uses $g_1^{T\binom{Y}{\gamma}}$. $\mathcal{B}$ chooses $b \leftarrow \{0,1\}$ to compute $\mathsf{CT}^* = (C^*, C_0^*)$ as
\[
C^* = g_1^{c\left(\tilde{B}T\binom{Y}{\gamma},\, H\right)}, \qquad
C_0^* = e(g_1,g_2)^{a^T\tilde{B}T\binom{y_0}{\gamma_0}} \cdot M_b,
\]
where we let $\binom{y_0}{\gamma_0}$ be the first column of $\binom{Y}{\gamma}$. This can be done since $\mathcal{B}$ possesses $a, H, \tilde{B}$. From this setting, we have

- If $\gamma = 0$, then $\mathsf{CT}^*$ is exactly a normal ciphertext as in Eq. (11) with $S = \binom{Y}{\gamma}$.

- If $\gamma \leftarrow \mathbb{Z}_p^{1\times(w_2+1)}$, then $\mathsf{CT}^*$ is semi-functional as in Eq. (18) with $S + \hat{S} = \binom{Y}{\gamma}$.

Guess. The algorithm $\mathcal{B}$ has properly simulated $\mathsf{G}_{\mathrm{real}}$ if $\gamma = 0$ and $\mathsf{G}_0$ if $\gamma \leftarrow \mathbb{Z}_p^{1\times(w_2+1)}$. Hence, $\mathcal{B}$ can use the output of $\mathcal{A}$ to break the Matrix-DH Assumption. □


7 Concrete Predicates and Our New Instantiations 

In this section, we briefly describe the definitions of the predicates under consideration and our new instantiations for them. Regarding the instantiations, their specifications are completely defined in Table 4, where we state which pair encoding scheme is instantiated for each scheme.

Dual, Conjunctive, and Dual-policy. We first define basic operations on predicates. For a predicate $R : \mathbb{X} \times \mathbb{Y} \to \{0,1\}$, its dual predicate is defined by $\bar{R} : \bar{\mathbb{X}} \times \bar{\mathbb{Y}} \to \{0,1\}$ where $\bar{\mathbb{X}} = \mathbb{Y}$, $\bar{\mathbb{Y}} = \mathbb{X}$ and $\bar{R}(X,Y) := R(Y,X)$. Let $R_1 : \mathbb{X}_1 \times \mathbb{Y}_1 \to \{0,1\}$ and $R_2 : \mathbb{X}_2 \times \mathbb{Y}_2 \to \{0,1\}$ be two predicates. We define the conjunctive predicate of $R_1, R_2$ as $[R_1 \wedge R_2] : \mathbb{X} \times \mathbb{Y} \to \{0,1\}$ where $\mathbb{X} = \mathbb{X}_1 \times \mathbb{X}_2$, $\mathbb{Y} = \mathbb{Y}_1 \times \mathbb{Y}_2$ and $[R_1 \wedge R_2]((X_1,X_2),(Y_1,Y_2)) = 1$ iff $R_1(X_1,Y_1) = 1$ and $R_2(X_2,Y_2) = 1$. For a predicate $R$, we define its dual-policy predicate (DP) [8, 10] as the conjunctive of itself and its dual predicate $\bar{R}$. Generic dual and conjunctive conversions (and hence also the dual-policy conversion) for pair encodings were recently given in [10]. We mostly use this conjunctive conversion to obtain dual-policy variants. It is indicated by '+' in Table 4.

ABE for Policy over Doubly-Spatial Relation (ABE-PDS). This predicate was defined in [3] as a generalization that captures doubly-spatial encryption [23] and ABE for monotone span programs (and hence Boolean formulae)
Table 4. Our instantiations

Instantiation | Scheme | Obtained from what encoding
New_1 | KP-ABE-PDS | [3, Scheme 6]
New_2 | CP-ABE-PDS | [10, Scheme 2]
New_3 | DP-ABE-PDS | [3, Scheme 6] + [10, Scheme 2]
New_4 | Completely unbounded KP-ABE-MSP | [3, Scheme 4]
New_5 | Completely unbounded CP-ABE-MSP | [10, Scheme 3]
New_6 | Completely unbounded DP-ABE-MSP | [10, Scheme 4]
New_7 | KP-ABE-MSP with constant-size ciphertexts | [3, Scheme 5]
New_8 | CP-ABE-MSP with constant-size keys | [10, Scheme 5]
New_9 | KP-ABE-MSP with small universe | [3, Scheme 9]
New_10 | CP-ABE-MSP with small universe | [3, Scheme 11]
New_11 | DP-ABE-MSP with small universe | [3, Scheme 9] + [3, Scheme 11]
New_12 | KP-ABE-MSP with large universe | [3, Scheme 12]
New_13 | CP-ABE-MSP with large universe | [3, Scheme 13]
New_14 | DP-ABE-MSP with large universe | [3, Scheme 12] + [3, Scheme 13]
New_15 | KP-ABE-RL | [3, Scheme 3]
New_16 | CP-ABE-RL | [3, Scheme 7]
New_17 | DP-ABE-RL | [3, Scheme 3] + [3, Scheme 7]
New_18 | Unbounded KP-ABE-BP | New_4 & Theorem 2
New_19 | Unbounded CP-ABE-BP | New_5 & Theorem 2
New_20 | Unbounded DP-ABE-BP | New_6 & Theorem 2
New_21 | KP-ABE-BP with constant-size ciphertexts | New_7 & Theorem 2
New_22 | CP-ABE-BP with constant-size keys | New_8 & Theorem 2
New_23 | Bounded KP-ABE-BP | New_9 & Theorem 2
New_24 | Bounded CP-ABE-BP | New_10 & Theorem 2
New_25 | Bounded DP-ABE-BP | New_11 & Theorem 2
New_26 | KP-ABE-BP with constant-size keys | KP-ABE-MSP with short keys of [7] & Theorem 2
New_27 | CP-ABE-BP with constant-size ciphertexts | CP-ABE-MSP with short ciphertexts of [7] & Theorem 2
New_28 | DP-ABE-MSP with constant-size ciphertexts | CP-ABE-MSP with short ciphertexts of [7] + New_7
New_29 | DP-ABE-MSP with constant-size keys | KP-ABE-MSP with short keys of [7] + New_8
New_30 | DP-ABE-BP with constant-size ciphertexts | New_28 & Theorem 2
New_31 | DP-ABE-BP with constant-size keys | New_29 & Theorem 2

'+' refers to the conjunctive conversion given in [10].
into one primitive. We refer the definition to [3]. By using exactly the same encodings as in [3, 10], we automatically obtain the first fully-secure prime-order KP-ABE-PDS, CP-ABE-PDS, DP-ABE-PDS schemes (New_1-New_3).

ABE for Monotone Span Programs (ABE-MSP). Let $\mathbb{U}$ be the universe of attributes. If $|\mathbb{U}|$ is of super-polynomial size, it is called large universe [21, 39]; otherwise, it is small universe. In ABE-MSP [21], a policy is specified by a monotone span program $(A,\rho)$ where $A$ is an integer matrix of dimension $m \times k$ for some $m, k$, and $\rho$ is a map $\rho : [1,m] \to \mathbb{U}$. For a set of attributes $S \subseteq \mathbb{U}$, let $A|_S$ be the sub-matrix of $A$ that takes all the rows $j$ such that $\rho(j) \in S$. We say that $(A,\rho)$ accepts $S$ if $(1,0,\ldots,0) \in \mathrm{rowspan}(A|_S)$. ABE-MSP is the most popular predicate studied in the literature since it is known to imply ABE for Boolean formulae [21]. Let $t := |S|$. Some schemes specify bounds on the maximum allowed sizes of $t, m, k$ (we denote these bounds as $T, M, K$). Some may restrict the maximum number, denoted by $R$, of attribute multi-use in one policy (that is, the number of distinct $i$ with the same $\rho(i)$). We call a large-universe scheme without any bounds a completely unbounded ABE scheme.

By using the same encodings as in [3, 10], we obtain the first fully-secure prime-order ABE-MSP with various properties: completely unbounded KP/CP/DP-ABE, short-ciphertext KP-ABE, and short-key CP-ABE (New_4-New_8). By using encodings in [3] for bounded schemes, we also obtain some bounded schemes (New_9-New_14); these latter encodings are perfectly master-key hiding, hence the resulting schemes rely solely on the Matrix-DH assumption. Furthermore, we also observe that, by also using the new encodings in [7] (which is a subsequent work based on our work), we further obtain the first DP-ABE with short ciphertexts (New_28) or short keys (New_29).

For concreteness, we explicitly give the description for one of our instantiations, New_4, in the full version [4].

Performances of Our ABE-MSP Schemes. We compare the performance of our KP-ABE-MSP and CP-ABE-MSP to others in the literature in Tables 5 and 6, respectively. For clarity of comparison, we augment schemes in the literature which were proposed for one-use to multi-use (with bound $R$) by using the transformation in [33]. The available pair encodings in [3, 10] were proved secure in symmetric groups; hence, to be able to use them as they are, we evaluate our construction at $d = 2$, which yields the most efficient instantiations in symmetric settings. In such a case, the schemes can rely on DLIN (see also Remark 5).

The numbers of group elements in SK and CT of our schemes are 3 times as large as those of their composite-order counterparts in A14, AY15 [3, 10]. But since composite-order elements are 12 times larger than prime-order ones [22], we achieve a 25% size reduction. More importantly, time performance is significantly improved. We recall that pairing is 250 times slower in composite-order groups than in prime-order ones [22]. In unbounded ABE (New_4, New_5), the dominant operation is pairing, and the numbers of pairings in decryption are 3 times as large as those of their composite-order counterparts in [3, 10]. As a result, our decryption is about 80 times faster. In constant-size ABE (New_7, New_8), the number of pairings is constant, and exponentiation may dominate
Table 5. Performance by each KP-ABE for monotone span programs
(Decryption complexity is given by the three columns Pairing, ExpG, ExpG_T.)

Scheme | |PK| | |SK| | |CT| | Pairing | ExpG | ExpG_T | Sec. | Assumptions | Reduction cost
Composite-order schemes:
LW11 [32] | 5 | 4m | 3t+1 | 4m | 0 | m | sel. | SD | O(q_all)
A14 [3, Scheme 4] | 8 | 3m+3 | 2t+4 | 3m+3 | 0 | m | full | SD; (1,t)-EDHE3; (1,m,k)-EDHE4 | O(q_1); 1; O(q_1)
A14 [3, Scheme 5] | T+8 | Tm+3m+3 | 6 | 6 | Tm+3m | 0 | full | SD; (T+1,1)-EDHE3; (T+1,m,k)-EDHE4 | O(q_1); 1; O(q_1)
CW14 [17] | U+1 | Um+m | 2 | 2m | U | m | semi | 3DHsub; SD | O(U); O(1)
L+10 [34] | UR+1 | 2m | tR+1 | 2m | 0 | m | full | SD | O(q_all)
A14 [3, Scheme 9] | UR+1 | m+1 | tR+1 | 2 | 2m | 0 | full | SD | O(q_all)
W14 [47] | UR+1 | m+1 | tR+1 | 2 | 2m | 0 | full | SD | O(q_all)
A14 [3, Scheme 12] | 16(M+TR)^2 log(UR) | m+1 | tR+1 | 2 | 2m | 0 | full | SD | O(q_all)
KL15 [28] | 2 log(UR)+1 | 3m | 3tR | 3m | 0 | m | full | DLIN; SD | O(UR q_all); O(q_all)
Prime-order schemes:
RW13 [40] | 4 | 3m | 2t+1 | 3m | 0 | m | sel. | +RW2 | 1
OT12 [38] | 99 | 14m+5 | 14tR+5 | 14m+5 | 0 | m | full | DLIN | O(t^2 R^2 q_all)
New_4 | 42 | 9m+9 | 6t+12 | 9m+9 | 0 | m | full | DLIN; (1,t)-EDHE3p; (1,m,k)-EDHE4p | O(q_1); 1; O(q_1)
ALP11 [9] | T+1 | Tm+m | 3 | 3 | Tm+m | 0 | sel. | T-DBDHE | 1
T14 [43] | 12T^2+15 | 6Tm+6T | 17 | 17 | 6Tm+6T | 0 | semi | DLIN | O(T)
New_7 | 6T+42 | 3Tm+9m+9 | 18 | 18 | 3Tm+9m | 0 | full | DLIN; (T+1,1)-EDHE3p; (T+1,m,k)-EDHE4p | O(q_1); 1; O(q_1)
GPSW06 [22] | T+3 | 2m | t+1 | 2m | 0 | m | sel. | DBDH | 1
CGW15 [15] | 6UR+6 | 3m+3 | 3tR+3 | 6 | 6m | 0 | full | DLIN | O(q_all)
New_9 | 6UR+6 | 3m+3 | 3tR+3 | 6 | 6m | 0 | full | DLIN | O(q_all)
OT10 [37] | 21TR+15 | 7m+5 | 7tR+5 | 7m+5 | 0 | m | full | DLIN | O(q_all)
New_12 | 96(M+TR)^2 log(UR) | 3m+3 | 3tR+3 | 6 | 6m | 0 | full | DLIN | O(q_all)
KL15 [28] | 24 log^2(UR) + 48 log(UR) | 3m log(UR) + 6m | 3tR log(UR) + 6tR | 3m log(UR) + 6m | 0 | m | full | DLIN | O(UR q_all)

Variables:

- t is the attribute set size; T is the maximum size for t (if bounded).

- m × k is the dimension of the matrix for the span program (the policy); M, K are the maximum sizes for m, k (if bounded).

- U is the size of the attribute universe (if bounded small-universe).

- R is the maximum number of attribute multi-use in one policy (if bounded).

- q_1 is the number of key queries in phase 1 (before the challenge). q_all is the number of all key queries.

² |PK|, |SK|, |CT| denote the number of source-group elements (G_1 or G_2) in the public key, secret key, and ciphertext, respectively. Composite-order group elements are about 12 times larger than prime-order group elements [23]. We omit target-group elements (G_T): in PK, all the schemes above have at most 3 elements; in CT, all schemes contain 1 element.

³ In Decryption complexity, 'Pairing' = the number of pairings, 'ExpG' = the number of exponentiations in source groups (G_1 or G_2), 'ExpG_T' = the number of exponentiations in the target group (G_T).

⁴ Sec. is for security. 'sel.' = selective; 'full' = full security; 'semi' = semi-adaptive security [17, 43] (intermediate between selective and full).

⁵ We refer assumptions to the corresponding papers. In particular, SD refers to subgroup decision assumptions in composite-order groups [31, 34].

⁶ The reduction cost refers to the security loss factor with respect to the assumption on the same line in the table. The security of each scheme relies on all the assumptions listed for it combined.
Table 6. Performance by each CP-ABE for monotone span programs
(Decryption complexity is given by the three columns Pairing, ExpG, ExpG_T.)

Scheme | |PK| | |SK| | |CT| | Pairing | ExpG | ExpG_T | Sec. | Assumptions | Reduction cost
Composite-order schemes:
LW12 [33] | U+3 | t+3 | 2m+2 | 2m+2 | 0 | m | full | SD; 3DHsub; max{m,k}-SPBDHE | O(q_all); O(q_1); O(q_1)
AY15 [10, Scheme 3] | 10 | 2t+6 | 3m+5 | 3m+5 | 0 | m | full | SD; (1,t)-EDHE3; (1,m,k)-EDHE4dual | O(q_1); O(q_1); 1
AY15 [10, Scheme 5] | T+10 | 8 | Tm+3m+5 | 8 | Tm+3m | 0 | full | SD; (T+1,1)-EDHE3; (T+1,m,k)-EDHE4dual | O(q_1); O(q_1); 1
L+10 [34] | UR+2 | tR+2 | 2m+1 | 2m+1 | 0 | m | full | SD | O(q_all)
A14 [3, Scheme 11] | UR+2 | tR+2 | m+2 | 3 | 2m | 0 | full | SD | O(q_all)
W14 [47] | UR+2 | tR+2 | m+2 | 3 | 2m | 0 | full | SD | O(q_all)
A14 [3, Scheme 13] | 16(M+TR)^2 log(UR) | tR+2 | m+2 | 3 | 2m | 0 | full | SD | O(q_all)
AC16 [2] | M(K+T) + M | M^2(T+1) + M(K+t-T) | 2 | 2 | M^2(K+T) | 0 | semi | SD | O((M+K) q_all)
Prime-order schemes:
RW13 [40] | 5 | 2t+2 | 3m+1 | 3m+1 | 0 | m | sel. | max{m,k}-RW1 | 1
LW12 [33] | 24U+12 | 6t+6 | 6m+6 | 6m+9 | 0 | m | full | DLIN; 3DH; max{m,k}-SPBDHEp | O(q_all); O(q_1); O(q_1)
OT12 [38] | 99 | 14tR+5 | 14m+5 | 14m+5 | 0 | m | full | DLIN | O(t^2 R^2 q_all)
New_5 | 54 | 6t+18 | 9m+15 | 9m+15 | 0 | m | full | DLIN; (1,t)-EDHE3p; (1,m,k)-EDHE4dualp | O(q_1); O(q_1); 1
New_8 | 6T+54 | 24 | 3Tm+9m+15 | 24 | 3Tm+9m | 0 | full | DLIN; (T+1,1)-EDHE3p; (T+1,m,k)-EDHE4dualp | O(q_1); O(q_1); 1
W11 [44] | U+2 | t+2 | 2m+1 | 2m+1 | 0 | m | sel. | max{m,k}-PDBDH | 1
CGW15 [15] | 6UR+12 | 3tR+6 | 3m+3 | 6 | 6m | 0 | full | DLIN | O(q_all)
New_10 | 6UR+12 | 3tR+6 | 3m+6 | 9 | 6m | 0 | full | DLIN | O(q_all)
OT10 [37] | 21TR+15 | 7tR+5 | 7m+5 | 7m+5 | 0 | m | full | DLIN | O(q_all)
New_13 | 96(M+TR)^2 log(UR) | 3tR+6 | 3m+6 | 9 | 6m | 0 | full | DLIN | O(q_all)
AC16 [2] | 6M(K+T) + 6M | 3M^2(T+1) + 3M(K+t-T) | 6 | 6 | 3M^2(K+T) | 0 | semi | DLIN | O((M+K) q_all)

¹ Here q_1 is the number of queries in phase 2 (after the challenge).

² We refer for the remaining parameters to the notes under Table 5.


(depending on $m$, $T$), but the improvement is similar, since exponentiation (in $\mathbb{G}_1, \mathbb{G}_2$) can be more than 200 times faster in prime-order groups [22, Table 6].

Remark 4. The underlying pair encodings of our schemes New_4, New_7 are those proposed in [3, Sect. 7.1, 7.2], whose security relies on parameterized assumptions, namely EDHE3 and EDHE4, also given in [3]. We indeed use prime-order group versions, hence denoted EDHE3p, EDHE4p, instead of the prime-order subgroup of a composite-order group as defined in [3]. These are defined exactly the same as the originals, except only that the group generator $\mathcal{G}$ outputs a prime-order group instead of a composite-order group (see [3, Definitions 6, 7]). For self-containment, we recapture them in the full version [4]. This modification is merely syntactic; see Remark 3.

Remark 5. As mentioned above, we use $d = 2$ so that the security and assumptions for the available pair encoding schemes can be argued in their present form. On the other hand, if we are willing to modify the assumptions and security proofs of the pair encodings in [3, 10] to asymmetric groups, we can also instantiate at $d = 1$, where we can rely on the SXDH assumption (for the framework). This yields an even more efficient construction.

The modification for assumptions (such as EDHE3p, EDHE4p) to asymmet- 
ric settings can be done straightforwardly by defining all elements in both groups 
Gi, G 2 (instead of G in symmetric settings). The proof can be modified by using 
Gi for all elements of ciphertexts, and G 2 for all elements of keys, as defined in 
our construction. To optimize the size of assumptions (which is otherwise two 
times larger than the original), we can use automated tools of [1]. 

ABE for Regular Languages (ABE-RL). In ABE-RL [45], a policy is a 
deterministic finite automaton (DFA) M, an input to the policy is a string x, 
and R(M, x) = 1 if the automaton M accepts the string x. We defer the detailed 
definition to [3,4]. We obtain the first fully-secure prime-order KP-ABE, CP- 
ABE, DP-ABE for regular languages (New_15 - New_17). 

ABE for Branching Programs (ABE-BP). In ABE-BP [19], a policy is 
associated to a branching program Γ, which is a directed acyclic graph in which 
every non-terminal node has exactly two outgoing edges labeled (i, 0) and (i, 1) 
for some i ∈ N. For an edge j, denote its label as l_j. Moreover, there is a 
distinguished terminal node called the accept node. We can also assume wlog that 
there is exactly one start node, and that there is at most one edge connecting 
any two nodes in Γ (see [19]). 

An input to the policy is a binary string w. Every input binary string w induces 
a subgraph Γ_w that contains exactly all the edges labeled (i, w_i) for i ∈ [1, |w|], 
where we write w = (w_1, ..., w_|w|) as the binary representation of w. We say 
that Γ accepts w if there is a path from the start node to the accept node in 
Γ_w. If the allowed length of w is bounded, we say that it is a bounded ABE-BP; 
otherwise, it is an unbounded scheme. In the latter, a label (i, b) has no bound 
on i. 
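The two policy predicates just described can be made concrete in a few lines. The following Python is an added illustration, not code from the paper or its full version; the DFA, the branching program (computing w_1 AND (w_2 OR w_3)) and the input strings are constructed here. It evaluates R(M, x) for ABE-RL by running the DFA, and R(Γ, w) for ABE-BP by building the induced subgraph Γ_w and checking whether the accept node is reachable from the start node; it also checks the structural assumptions stated above (two outgoing edges (i, 0), (i, 1) per non-terminal node, at most one edge between any two nodes). The unbounded case needs no special handling: an edge labeled (i, b) with i > |w| is simply absent from Γ_w.

```python
"""Policy predicates for ABE-RL (DFA) and ABE-BP (branching program).

Added example, not code from the paper or its full version.  The DFA,
the branching program and the input strings below are constructed for
illustration only.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# ---- ABE-RL: R(M, x) = 1 iff the DFA M accepts the string x -------------
# A DFA is (states, start state, accepting states, transition table).
DFA = Tuple[Set[str], str, Set[str], Dict[Tuple[str, str], str]]


def dfa_accepts(M: DFA, x: str) -> bool:
    """Run the DFA on x; a missing transition is treated as a dead state."""
    _, start, accepting, delta = M
    state = start
    for ch in x:
        if (state, ch) not in delta:
            return False
        state = delta[(state, ch)]
    return state in accepting


# ---- ABE-BP: R(Gamma, w) = 1 iff start reaches accept in Gamma_w ---------
# An edge is (from_node, to_node, (i, b)): i is the 1-based bit position
# the edge reads, b the bit value for which the edge survives in Gamma_w.
Edge = Tuple[str, str, Tuple[int, int]]


def is_well_formed(edges: List[Edge]) -> bool:
    """Structural assumptions: every non-terminal node has exactly two
    outgoing edges labeled (i, 0) and (i, 1) for a single i, and at most
    one edge connects any ordered pair of nodes."""
    out: Dict[str, List[Tuple[int, int]]] = {}
    seen_pairs: Set[Tuple[str, str]] = set()
    for u, v, label in edges:
        if (u, v) in seen_pairs:
            return False
        seen_pairs.add((u, v))
        out.setdefault(u, []).append(label)
    return all(sorted(labels) == [(labels[0][0], 0), (labels[0][0], 1)]
               for labels in out.values())


def induced_subgraph(edges: List[Edge], w: str) -> Dict[str, List[str]]:
    """Adjacency of Gamma_w: keep exactly the edges labeled (i, w_i), i <= |w|.
    In the unbounded setting a label may carry any i; an edge with i > |w|
    never survives, so it cannot contribute to a path."""
    adj: Dict[str, List[str]] = {}
    for u, v, (i, b) in edges:
        if 1 <= i <= len(w) and int(w[i - 1]) == b:
            adj.setdefault(u, []).append(v)
    return adj


def bp_accepts(edges: List[Edge], start: str, accept: str, w: str) -> bool:
    """Breadth-first reachability from start to accept inside Gamma_w."""
    adj = induced_subgraph(edges, w)
    visited, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        if u == accept:
            return True
        for v in adj.get(u, []):
            if v not in visited:
                visited.add(v)
                queue.append(v)
    return False


# ---- constructed sample policies -----------------------------------------
# DFA over {0,1} accepting exactly the strings with an even number of 1s.
EVEN_ONES: DFA = ({"e", "o"}, "e", {"e"},
                  {("e", "0"): "e", ("e", "1"): "o",
                   ("o", "0"): "o", ("o", "1"): "e"})

# Branching program computing w_1 AND (w_2 OR w_3); "rej" is a terminal
# node that is not the accept node.
BP_EDGES: List[Edge] = [
    ("s", "rej", (1, 0)), ("s", "n2", (1, 1)),
    ("n2", "acc", (2, 1)), ("n2", "n3", (2, 0)),
    ("n3", "acc", (3, 1)), ("n3", "rej", (3, 0)),
]
BP_START, BP_ACCEPT = "s", "acc"


def demo() -> Dict[str, bool]:
    """Evaluate both predicates on a few constructed inputs."""
    return {
        "dfa_1010": dfa_accepts(EVEN_ONES, "1010"),   # two 1s: accept
        "dfa_1110": dfa_accepts(EVEN_ONES, "1110"),   # three 1s: reject
        "bp_110": bp_accepts(BP_EDGES, BP_START, BP_ACCEPT, "110"),
        "bp_100": bp_accepts(BP_EDGES, BP_START, BP_ACCEPT, "100"),
        "bp_1": bp_accepts(BP_EDGES, BP_START, BP_ACCEPT, "1"),       # too short to reach acc
        "bp_1011": bp_accepts(BP_EDGES, BP_START, BP_ACCEPT, "1011"),  # bit 4 unused
    }


if __name__ == "__main__":
    assert is_well_formed(BP_EDGES)
    print(demo())
```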

We invoke the following theorem, which holds unconditionally. 

Theorem 2. Large-universe ABE-MSP implies ABE-BP. 

Remark 6. Karchmer and Wigderson proved in 1993 [26] that SL ⊆ PSP (Sym- 
metric Logspace ⊆ Poly-size Span Program). Thus, the ABE-MSP-to-ABE- 
BP implication can be inferred from this. (We thank an anonymous reviewer 
for pointing this out.) Nevertheless, to the best of our knowledge, there is no 
explicit use of this theorem in the context of ABE, as ABE-MSP and ABE-BP 
were often studied separately. For self-containment and independent interest, we 
offer our alternative proof for this ABE-MSP-to-ABE-BP implication in the full 
version [4]. 

Our proof for this implication in [4] is constructive and the conversion pre- 
serves efficiency and the unbounded property (if satisfied) of the original ABE- 
MSP. Therefore, by using our instantiated ABE-MSP, we obtain the first schemes 
of ABE-BP with the following properties: unbounded, short-ciphertext, short-key, for 
all KP/CP/DP variants of ABE-BP (see Table 4). Our schemes are the first such 
schemes for each given property, not to mention that they are fully-secure and 
prime-order schemes. (The only exception is the selectively-secure 
short-key KP-ABE-BP of [20].) 


8 Generic Construction from Simpler Basis 


Our main construction in Sect. 5 is based upon the original basis of PDSG in [15], 
where both $\mathbf{B}, \mathbf{B}^{-\top}$ are required for setup. Chen et al. [14] proposed a simpler 
basis where the inverse matrix is not required. This substantially simplifies the 
proofs for subgroup decision-like assumptions provided by PDSG. In this section, 
we provide a simplification of our scheme using the basis from [14]. 

Simpler Basis from CGW [14]. Let $\mathcal{W}_d$ be an efficiently samplable distribu- 
tion of pairs $(\mathbf{A}, \mathbf{a}^{\perp})$ over $\mathbb{Z}_p^{(d+1)\times d} \times \mathbb{Z}_p^{(d+1)\times 1}$ so that $(\mathbf{a}^{\perp})^{\top}\mathbf{A} = \mathbf{0}$ and $\mathbf{a}^{\perp} \neq \mathbf{0}$. 
A useful property of $\mathcal{W}_d$ is the Basis Lemma [14], which we also recap in [4]. 
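The distribution $\mathcal{W}_d$ can be sampled directly from the two properties just stated. The Python below is an added example, not code from the paper or from [14]; the modulus P is a constructed toy prime, whereas a real instantiation works modulo the pairing group order p. It draws $\mathbf{A} \in \mathbb{Z}_p^{(d+1)\times d}$ uniformly, obtains a nonzero $\mathbf{a}^{\perp}$ in the kernel of $\mathbf{A}^{\top}$ by Gaussian elimination mod P, and verifies $(\mathbf{a}^{\perp})^{\top}\mathbf{A} = \mathbf{0}$ and $\mathbf{a}^{\perp} \neq \mathbf{0}$. Resampling until $\mathbf{A}$ has full rank d is a choice made here (so that the kernel is one-dimensional); with that choice `demo` shows what $\mathbf{a}^{\perp}$ buys in the proofs: it annihilates every vector of the form $\mathbf{A}\mathbf{s}$ but, except with probability 1/P, not a generic vector of $\mathbb{Z}_p^{d+1}$, which is the algebraic handle behind the subgroup decision-like arguments mentioned above.

```python
"""Sampling (A, a_perp) from the distribution W_d of the simpler basis.

Added example, not code from the paper or from [14].  P is a constructed
toy modulus; a real instantiation works modulo the pairing group order p.
"""
import secrets
from typing import List, Optional, Tuple

P = (1 << 61) - 1  # constructed prime modulus (the Mersenne prime 2^61 - 1)
Matrix = List[List[int]]


def rand_matrix(rows: int, cols: int) -> Matrix:
    return [[secrets.randbelow(P) for _ in range(cols)] for _ in range(rows)]


def transpose(M: Matrix) -> Matrix:
    return [list(col) for col in zip(*M)]


def matmul(X: Matrix, Y: Matrix) -> Matrix:
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]


def kernel_vector(M: Matrix) -> Tuple[Optional[List[int]], int]:
    """Gaussian elimination mod P.  Returns (x, rank) where x is a nonzero
    solution of M x = 0, or x = None when the kernel is trivial."""
    rows, cols = len(M), len(M[0])
    R = [row[:] for row in M]
    pivot_cols: List[int] = []
    r = 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if R[i][c]), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], P - 2, P)            # field inverse of the pivot
        R[r] = [(v * inv) % P for v in R[r]]
        for i in range(rows):                   # clear the column elsewhere
            if i != r and R[i][c]:
                f = R[i][c]
                R[i] = [(vi - f * vr) % P for vi, vr in zip(R[i], R[r])]
        pivot_cols.append(c)
        r += 1
    free = [c for c in range(cols) if c not in pivot_cols]
    if not free:
        return None, len(pivot_cols)
    f = free[0]                                 # set one free variable to 1 ...
    x = [0] * cols
    x[f] = 1
    for row_idx, pc in enumerate(pivot_cols):   # ... and read off the pivots
        x[pc] = (-R[row_idx][f]) % P
    return x, len(pivot_cols)


def sample_Wd(d: int) -> Tuple[Matrix, List[int]]:
    """Draw A in Z_p^{(d+1) x d} and a_perp in Z_p^{(d+1) x 1} with
    a_perp^T A = 0 and a_perp != 0.  A is resampled until it has rank d
    (a choice made here so that the kernel of A^T is one-dimensional)."""
    while True:
        A = rand_matrix(d + 1, d)
        a_perp, rank = kernel_vector(transpose(A))
        if rank == d and a_perp is not None:
            return A, a_perp


def is_orthogonal(a_perp: List[int], A: Matrix) -> bool:
    """Check (a_perp)^T A == 0, i.e. a 1 x d row of zeros."""
    return all(v == 0 for v in matmul([a_perp], A)[0])


def annihilated(a_perp: List[int], x: List[int]) -> bool:
    """For full-rank A, a_perp^T x == 0 holds exactly when x lies in span(A)."""
    return sum(a * b for a, b in zip(a_perp, x)) % P == 0


def demo(d: int = 2) -> Tuple[bool, bool, bool]:
    """(properties hold, A s is annihilated, generic vector is annihilated)."""
    A, a_perp = sample_Wd(d)
    s = [[secrets.randbelow(P)] for _ in range(d)]
    As = [row[0] for row in matmul(A, s)]            # a vector of the form A s
    u = [secrets.randbelow(P) for _ in range(d + 1)]  # a generic vector
    return (is_orthogonal(a_perp, A) and any(a_perp),
            annihilated(a_perp, As),
            annihilated(a_perp, u))   # False except with probability 1/P


if __name__ == "__main__":
    print(demo())
```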

Our Simplified Construction. From a pair encoding scheme P, our simplified 
generic construction, denoted SimplerABE(P), can be described as follows. The 
correctness, the security theorem, and the security proof are similar to our main 
construction and are deferred to [4]. 

• Setup($1^{\lambda}$, $\kappa$): Run $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, p) \leftarrow \mathcal{G}(\lambda)$. Pick generators $g_1 \leftarrow \mathbb{G}_1$ and 
$g_2 \leftarrow \mathbb{G}_2$. Run $n \leftarrow \mathsf{Param}(\kappa)$. Pick $\mathbf{H} = (\mathbf{H}_1, \ldots, \mathbf{H}_n) \leftarrow (\mathbb{Z}_p^{(d+1)\times(d+1)})^n$. 
Sample $(\mathbf{A}, \mathbf{a}^{\perp}) \leftarrow \mathcal{W}_d$ and $(\mathbf{B}, \mathbf{b}^{\perp}) \leftarrow \mathcal{W}_d$. Choose $\boldsymbol{\alpha} \leftarrow \mathbb{Z}_p^{(d+1)\times 1}$. Output 

$$\mathsf{PK} = \left(e(g_1, g_2)^{\boldsymbol{\alpha}^{\top}\mathbf{A}},\ g_1^{\mathbf{A}},\ g_1^{\mathbf{H}_1\mathbf{A}}, \ldots, g_1^{\mathbf{H}_n\mathbf{A}}\right), \qquad 
\mathsf{MSK} = \left(g_2^{\boldsymbol{\alpha}},\ g_2^{\mathbf{B}},\ g_2^{\mathbf{H}_1^{\top}\mathbf{B}}, \ldots, g_2^{\mathbf{H}_n^{\top}\mathbf{B}}\right).$$

• Encrypt($Y$, $M$, $\mathsf{PK}$): Upon input $Y \in \mathcal{Y}$, run $(\mathbf{c}; w_2) \leftarrow \mathsf{Enc2}(Y)$. Randomly 
pick $\mathbf{S} := (\mathbf{s}_0, \mathbf{s}_1, \ldots, \mathbf{s}_{w_2}) \leftarrow \mathbb{Z}_p^{d\times(w_2+1)}$. Output the ciphertext as $\mathsf{CT} = (\mathbf{C}, C_0)$: 

$$\mathbf{C} = g_1^{\mathbf{c}(\mathbf{A}\mathbf{S}, \mathbf{H})} \in \left(\mathbb{G}_1^{(d+1)\times 1}\right)^{w_1}, \qquad 
C_0 = e(g_1, g_2)^{\boldsymbol{\alpha}^{\top}\mathbf{A}\mathbf{s}_0} \cdot M \in \mathbb{G}_T. \tag{24}$$

• KeyGen($X$, $\mathsf{MSK}$): Upon input $X \in \mathcal{X}$, run $(\mathbf{k}; m_2) \leftarrow \mathsf{Enc1}(X)$. Randomly 
pick $\mathbf{R} := (\mathbf{r}_1, \ldots, \mathbf{r}_{m_2}) \leftarrow \mathbb{Z}_p^{d\times m_2}$. Output 

$$\mathsf{SK} = g_2^{\mathbf{k}(\boldsymbol{\alpha}, \mathbf{B}\mathbf{R}, \mathbf{H})} \in \left(\mathbb{G}_2^{(d+1)\times 1}\right)^{m_1}. \tag{25}$$

• Decrypt($\mathsf{CT}$, $\mathsf{SK}$): Obtain $Y, X$ from $\mathsf{CT}, \mathsf{SK}$. Suppose $R(X, Y) = 1$. Run $\mathbf{E} \leftarrow \mathsf{Pair}(X, Y)$. 
Compute $e(g_1, g_2)^{\boldsymbol{\alpha}^{\top}\mathbf{A}\mathbf{s}_0} = \prod_{i \in [1, m_1],\, j \in [1, w_1]} e(\mathbf{C}[j], \mathsf{SK}[i])^{E_{i,j}}$. 
Finally, remove this mask from $C_0$ to get $M$. 


620 N. Attrapadung 


References 

1. Abe, M., Groth, J., Ohkubo, M., Tango, T.: Converting cryptographic schemes 
from symmetric to asymmetric bilinear groups. In: Garay, J.A., Gennaro, R. (eds.) 
CRYPTO 2014. LNCS, vol. 8616, pp. 241-260. Springer, Heidelberg (2014). 
doi:10.1007/978-3-662-44371-2_14 

2. Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime 
order groups. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, 
pp. 259-288. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_10 

3. Attrapadung, N.: Dual system encryption via doubly selective security: frame- 
work, fully secure functional encryption for regular languages, and more. In: 
Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557- 
577. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_31. Full version 
available at Cryptology ePrint Archive: Report 2014/428 

4. Attrapadung, N.: Dual system encryption framework in prime-order groups via 
computational pair encodings. Full version of this paper. Cryptology ePrint 
Archive: Report 2015/390 (2015) 

5. Attrapadung, N., Hanaoka, G., Matsumoto, T., Teruya, T., Yamada, S.: Attribute 
based encryption with direct efficiency tradeoff. In: Manulis, M., Sadeghi, A.-R., 
Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 249-266. Springer, 
Heidelberg (2016). doi:10.1007/978-3-319-39555-5_14 

6. Attrapadung, N., Hanaoka, G., Ogawa, K., Ohtake, G., Watanabe, H., Yamada, 
S.: Attribute-based encryption for range attributes. In: Zikas, V., Prisco, R. (eds.) 
SCN 2016. LNCS, vol. 9841, pp. 42-61. Springer, Heidelberg (2016). 
doi:10.1007/978-3-319-44618-9_3 

7. Attrapadung, N., Hanaoka, G., Yamada, S.: Conversions among several classes of 
predicate encryption and applications to ABE with various compactness tradeoffs. 
In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 575-601. 
Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_24 

8. Attrapadung, N., Imai, H.: Dual-policy attribute based encryption. In: Abdalla, 
M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 
5536, pp. 168-185. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01957-9_11 

9. Attrapadung, N., Libert, B., Panafieu, E.: Expressive key-policy attribute-based 
encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., 
Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 90-108. Springer, Heidelberg 
(2011). doi:10.1007/978-3-642-19379-8_6 

10. Attrapadung, N., Yamada, S.: Duality in ABE: converting attribute based encryp- 
tion for dual predicate and dual policy via computational encodings. In: Nyberg, 
K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 87-105. Springer, Heidelberg 
(2015). doi:10.1007/978-3-319-16715-2_5. Full version available at Cryptology 
ePrint Archive: Report 2015/157 

11. Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., 
Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, 
arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, 
E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533-556. Springer, Heidelberg 
(2014). doi:10.1007/978-3-642-55220-5_30 

12. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. 
In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253-273. Springer, Heidelberg 
(2011). doi:10.1007/978-3-642-19571-6_16 




13. Chase, M., Meiklejohn, S.: Deja Q: using dual systems to revisit q-type assump- 
tions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, 
pp. 622-639. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_34 

14. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups 
via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 
2015. LNCS, vol. 9057, pp. 595-624. Springer, Heidelberg (2015). 
doi:10.1007/978-3-662-46803-6_20 

15. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: 
Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435-460. 
Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_25 

16. Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delega- 
tion for boolean formula. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 
8642, pp. 277-297. Springer, Heidelberg (2014). doi:10.1007/978-3-319-10879-7_16 

17. Escala, A., Herold, G., Kiltz, E., Rafols, C., Villar, J.: An algebraic framework 
for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 
2013. LNCS, vol. 8043, pp. 129-147. Springer, Heidelberg (2013). 
doi:10.1007/978-3-642-40084-1_8 

18. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order 
groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 
6110, pp. 44-61. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_3 

19. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for cir- 
cuits. In: STOC 2013 (2013) 

20. Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: efficient ABE for 
branching programs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. 
LNCS, vol. 9452, pp. 550-574. Springer, Heidelberg (2015). 
doi:10.1007/978-3-662-48797-6_23 

21. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine- 
grained access control of encrypted data. In: ACM CCS 2006, pp. 89-98 (2006) 

22. Guillevic, A.: Comparing the pairing efficiency over composite-order and prime- 
order elliptic curves. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, 
R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 357-372. Springer, Heidelberg (2013). 
doi:10.1007/978-3-642-38980-1_22 

23. Hamburg, M.: Spatial encryption. Cryptology ePrint Archive: Report 2011/389 

24. Herold, G., Hesse, J., Hofheinz, D., Rafols, C., Rupp, A.: Polynomial spaces: 
a new framework for composite-to-prime-order transformations. In: Garay, J.A., 
Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 261-279. Springer, 
Heidelberg (2014). doi:10.1007/978-3-662-44371-2_15 

25. Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, 
J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 
8572, pp. 650-662. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43948-7_54 

26. Karchmer, M., Wigderson, A.: On span programs. In: Structure in Complexity 
Theory Conference (1993) 

27. Kowalczyk, L., Lewko, A.B.: Bilinear entropy expansion from the decisional lin- 
ear assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 
9216, pp. 524-541. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_26. 
Report 2014/754 (retrieved version: Sep. 4, 2015) 

28. Lewko, A.: Tools for simulating features of composite order bilinear groups in 
the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 
2012. LNCS, vol. 7237, pp. 318-335. Springer, Heidelberg (2012). 
doi:10.1007/978-3-642-29011-4_20 




29. Lewko, A., Meiklejohn, S.: A profitable sub-prime loan: obtaining the advan- 
tages of composite order in prime-order bilinear groups. In: Katz, J. (ed.) PKC 
2015. LNCS, vol. 9020, pp. 377-398. Springer, Heidelberg (2015). 
doi:10.1007/978-3-662-46447-2_17 

30. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure 
HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, 
pp. 455-479. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11799-2_27 

31. Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: 
Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547-567. Springer, 
Heidelberg (2011). doi:10.1007/978-3-642-20465-4_30 

32. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achiev- 
ing full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) 
CRYPTO 2012. LNCS, vol. 7417, pp. 180-198. Springer, Heidelberg (2012). 
doi:10.1007/978-3-642-32009-5_12 

33. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure 
functional encryption: attribute-based encryption and (hierarchical) inner prod- 
uct encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 
62-91. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_4 

34. Meiklejohn, S., Shacham, H., Freeman, D.M.: Limitations on transformations from 
composite-order to prime-order groups: the case of round-optimal blind signatures. 
In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 519-538. Springer, 
Heidelberg (2010). doi:10.1007/978-3-642-17373-8_30 

35. Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. 
In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214-231. Springer, 
Heidelberg (2009). doi:10.1007/978-3-642-10366-7_13 

36. Okamoto, T., Takashima, K.: Fully secure functional encryption with general 
relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 
2010. LNCS, vol. 6223, pp. 191-208. Springer, Heidelberg (2010). 
doi:10.1007/978-3-642-14623-7_11 

37. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute- 
based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 
7658, pp. 349-366. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_22 

38. Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: 
verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 
2012. LNCS, vol. 7194, pp. 422-439. Springer, Heidelberg (2012). 
doi:10.1007/978-3-642-28914-9_24 

39. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for 
large universe attribute-based encryption. In: ACM CCS 2013, pp. 463-474 (2013) 

40. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EURO- 
CRYPT 2005. LNCS, vol. 3494, pp. 457-473. Springer, Heidelberg (2005). 
doi:10.1007/11426639_27 

41. Seo, J.H., Cheon, J.H.: Beyond the limitation of prime-order bilinear groups, and 
round optimal blind signatures. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, 
pp. 133-150. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28914-9_8 

42. Takashima, K.: Expressive attribute-based encryption with constant-size cipher- 
texts from the decisional linear assumption. In: Abdalla, M., Prisco, R. (eds.) SCN 
2014. LNCS, vol. 8642, pp. 298-317. Springer, Heidelberg (2014). 
doi:10.1007/978-3-319-10879-7_17 




43. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, 
and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, 
A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53-70. Springer, Heidelberg (2011). 
doi:10.1007/978-3-642-19379-8_4 

44. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under 
simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619- 
636. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_36 

45. Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., 
Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218-235. Springer, 
Heidelberg (2012). doi:10.1007/978-3-642-32009-5_14 

46. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) 
TCC 2014. LNCS, vol. 8349, pp. 616-637. Springer, Heidelberg (2014). 
doi:10.1007/978-3-642-54242-8_26 

47. Wee, H.: Deja Q: encore! Un petit IBE. In: Kushilevitz, E., Malkin, T. (eds.) TCC 
2016. LNCS, vol. 9563, pp. 237-258. Springer, Heidelberg (2016). 
doi:10.1007/978-3-662-49099-0_9 


Efficient IBE with Tight Reduction to Standard 
Assumption in the Multi-challenge Setting 


Junqing Gong 1, Xiaolei Dong 2 (✉), Jie Chen 3,4,5 (✉), and Zhenfu Cao 2 (✉) 

1 Department of Computer Science and Engineering, 
Shanghai Jiao Tong University, Shanghai, China 
gongjunqing@126.com 

2 Shanghai Key Lab for Trustworthy Computing, 
East China Normal University, Shanghai, China 
{dongxiaolei,zfcao}@sei.ecnu.edu.cn 

3 School of Computer Science and Software Engineering, 
East China Normal University, Shanghai, China 
S080001@e.ntu.edu.sg 

4 Ecole Normale Superieure de Lyon, Laboratoire LIP, Lyon, France 

5 College of Information Science and Technology, 
Jinan University, Guangzhou, China 
http://www.jchen.top 


Abstract. In 2015, Hofheinz et al. [PKC, 2015] extended Chen and 
Wee's almost-tight reduction technique for identity based encryptions 
(IBE) [CRYPTO, 2013] to the multi-instance, multi-ciphertext (MIMC, 
or multi-challenge) setting, where the adversary is allowed to obtain mul- 
tiple challenge ciphertexts from multiple IBE instances, and gave the first 
almost-tightly secure IBE in this setting using composite-order bilinear 
groups. Several prime-order realizations were proposed lately. However, 
there seems to be a dilemma between high system performance (involving 
ciphertext/key size and encryption/decryption cost) and weak/standard 
security assumptions. A natural question is: can we achieve high perfor- 
mance without relying on stronger/non-standard assumptions? 

In this paper, we answer the question in the affirmative by describing a 
prime-order IBE scheme with the same performance as the most efficient 
solutions so far but whose security still relies on the standard k-linear (k- 
Lin) assumption. Our technical starting point is Blazy et al.'s almost-tightly 
secure IBE [CRYPTO, 2014]. We revisit their concrete IBE scheme and 
associate it with the framework of nested dual system groups. This allows 
us to extend Blazy et al.'s almost-tightly secure IBE to the MIMC set- 
ting using Gong et al.'s method [PKC, 2016]. We emphasize that, when 
instantiating our construction by the symmetric external Diffie-Hellman 
assumption (SXDH = 1-Lin), we obtain the most efficient concrete IBE 
scheme with almost-tight reduction in the MIMC setting, whose perfor- 
mance is even comparable to the most efficient IBE in the classical model 
(i.e., the single-instance, single-ciphertext setting). Besides pursuing high 
performance, our IBE scheme also achieves a weaker form of anonymity 
pointed out by Attrapadung et al. [AsiaCrypt, 2015]. 
1 Introduction 

1.1 Background and Motivation 

The notion of identity based encryption (IBE) was proposed by Shamir [32] in 
1984 and realized by Boneh and Franklin [7] in 2001 using bilinear groups. In an 
IBE system, an authority publishes a set of public parameters and issues secret 
keys for users according to their identities; encryption requires only the public 
parameters and the receiver's identity (for example, his/her e-mail address). As an 
advantage over traditional PKI-based cryptosystems, users in an IBE system 
only need to authenticate and store the system-level public parameters once and 
for all, while users' identities are always self-explanatory and thus easy to validate. 

Since Boneh and Franklin's work [7], a series of constructions [5,6,13,33] 
appeared, making trade-offs between several features such as security model, 
strength of complexity assumption, and public key size. In 2009, Waters [34] 
proposed a novel proof technique, called dual system encryption, and showed 
the first adaptively secure IBE scheme with constant-size public key whose security 
is polynomially related to the k-linear (k-Lin) assumption, a standard assumption, in 
the standard model. Nowadays the dual system technique has become a regular 
and powerful tool for achieving adaptive security of attribute based encryption 
(ABE) and inner-product encryption (IPE) (and more general primitives) in the 
standard model [21,22,26-28]. More importantly, under the framework of dual 
system encryption, we have obtained a clean, deep, and uniform understanding 
of the construction of a branch of encryption systems, including IBE, ABE, IPE 
and so on [1,2,8,35]. 

The classical adaptive security model for IBE [7] requires that the challenge 
ciphertext for the challenge identity reveals nothing even when the adversary has 
held secret keys for other identities. The dual system technique [34] generally 
works as follows. There are two forms of secret keys and ciphertexts, the normal and 
the semi-functional form. The normal ciphertexts/keys are used in the real system, 
while the semi-functional ciphertexts/keys are often constructed by introducing 
extra entropy into normal ones and will only be used for the security proof. 
We say a normal object is in the normal space and the extra entropy is in the 
semi-functional space, and require that they are independent in some sense. The 
proof follows the hybrid argument method. One first transforms the challenge 
ciphertext from normal to its semi-functional form. Next, one converts secret keys 
from normal to semi-functional form in a one-by-one fashion. Finally, one can 
immediately prove the security utilizing the extra entropy we have introduced 
in the semi-functional space. 

Tight Security. Clearly, the reduction described above suffers from a security 
loss proportional to the number of secret keys the adversary held. Due to the 
generality of such a loss, a natural question is whether such a security loss is 
inherent for IBE in the standard model under standard assumptions. From a practical 
point of view, a tightly secure IBE allows practitioners to implement this system 
in a smaller group, which always leads to shorter ciphertexts/keys and faster 
encryption/decryption operations in the real world. 

Fortunately, Chen and Wee [9] answered the question in the negative. They 
proposed the first almost-tightly secure IBE in the standard model based on the 
k-Lin assumption. Here the so-called almost-tight means the security loss is pro- 
portional to the security parameter instead of the number of secret keys revealed 
to the adversary. Technically, they combined the high-level idea of dual system 
encryption with the proof technique of Naor and Reingold [25]. In the next year, 
Blazy et al. showed an almost-tightly secure IBE with higher space and time 
efficiency. In fact, they proved that an adaptively secure IBE can be generically 
constructed from an affine message authentication code (MAC) and Groth-Sahai 
non-interactive zero-knowledge (NIZK) proofs [15], and offered us a realization of 
an affine MAC based on Naor and Reingold's proof technique [25]. Roughly speak- 
ing, their high-level strategy is still identical to Chen and Wee's [9]. 

Let us take a look at Chen and Wee's idea [9]. Essentially, they borrowed 
the proof strategy from Naor and Reingold [25] in order to introduce entropy 
into the semi-functional space more quickly. After converting the normal ciphertext to 
semi-functional form, one may conceptually introduce a truly random function 
RF to all secret keys and the challenge ciphertext whose domain is just {ε}, i.e., 
unrelated to the identity. Relying on the binary encoding of the identities in 
secret keys, one can increase the dependency of RF on the identity, from 0-bit 
prefix to 1-bit prefix, 2-bit prefix, ..., and finally the entire identity. They called 
such a property nested hiding. At this moment, RF(ID) is revealed to the adversary 
through the secret key for ID, while RF(ID*) for the challenge identity ID* is still 
unpredictable since the adversary is not allowed to hold its secret key. This feature 
is sufficient for proving the security. It is worth noting that for an identity space 
{0,1}^n, we just need n steps to construct such a random function RF and incur 
only O(n) security loss. 

Multi-instance, Multi-ciphertext Setting. The classical security model for 
IBE [7] requires that the single challenge ciphertext for the single challenge 
identity should leak nothing about the corresponding message even with secret 
keys for adversarially-chosen identities. In 2015, Hofheinz et al. [18] considered 
a more realistic security model, called adaptive security in the multi-instance, 
multi-ciphertext setting (MIMC, or multi-challenge setting), which ensures the 
security of multiple challenge ciphertexts for multiple challenge identities in mul- 
tiple IBE instances. In general, an IBE scheme secure in the classical single- 
instance, single-ciphertext (SISC) model must be secure in the MIMC setting. 
However, the implication is not tightness-preserving. Assuming the number of 
IBE instances and challenge ciphertexts per instance are μ and Q, the general 
reduction from MIMC to SISC will incur a multiplicative security loss O(Qμ). 

Hofheinz et al. [18] extended Chen and Wee's tight reduction technique [9] 
and gave the first almost-tightly secure IBE in the MIMC setting. Technically, 
the η-th nested hiding step in Chen and Wee's proof procedure requires that 
the η-th bit of all challenge identities be identical. This is the case in the 
SISC setting but does not necessarily hold in the MIMC setting. To overcome 
this difficulty, they introduced another semi-functional space. Now the original 
semi-functional space may be called the $\widehat{\ }$-semi-functional space and the new-comer 
may be named the $\widetilde{\ }$-semi-functional space. They also employed two independent 
random functions $\widehat{\mathsf{RF}}$ and $\widetilde{\mathsf{RF}}$ for them, respectively, playing the same role as RF 
in Chen and Wee's proof. As the preparation for the η-th nested hiding, they 
transfer the entropy in the $\widehat{\ }$-semi-functional space to the $\widetilde{\ }$-semi-functional space for 
all challenge ciphertexts whose identity has 1 on its η-th bit. At this moment, 
we reach the configuration that, in each of the semi-functional spaces, the challenge 
identities indeed share the same η-th bit, and nested hiding can be done as Chen 
and Wee did, but in each of the two semi-functional spaces independently. 

However, their construction was built in composite-order bilinear groups. 
Attrapadung et al. [3] and Gong et al. [14] gave prime-order solutions indepen- 
dently. Attrapadung et al. [3] provided a generic framework building almost-tightly 
secure IBE from broadcast encoding which is compatible with both composite- 
order and prime-order bilinear groups. Utilizing the power of broadcast encoding, 
they proposed not only an ordinary IBE scheme but also IBE with other features 
such as sublinear-size master public key. Gong et al. [14] followed the line of 
extended nested dual system groups (ENDSG) [18] and proposed two construc- 
tions from more general assumptions, the second of which is an improved version 
based on the first one. In this paper, we do not consider additional features and 
name Attrapadung et al.'s basic IBE in the prime-order group (i.e., [3]) as 
AHY, while we name Gong et al.'s two constructions [14] GCDCT and GCDCT+. 

Motivation. Among existing prime-order IBE constructions with almost-tight 
reduction in the MIMC model, there is a trade-off between efficiency and the 
strength of the complexity assumption. On one hand, GCDCT was proven secure 
based on the k-Lin assumption but is less efficient in terms of both ciphertext/key 
size and encryption/decryption cost. On the other hand, GCDCT+ and AHY 
are more efficient but rely on the k-linear assumption with auxiliary input 
(k-LinAI) in asymmetric bilinear groups and the decisional linear assumption 
(sDLIN) in symmetric bilinear groups, respectively, which are stronger and less 
general than the k-Lin assumption. Therefore it is still an interesting and non- 
trivial problem to find a solution with some real improvements instead of just a 
trade-off. More concretely, we ask the following question: 


Question: Can we find a tightly secure IBE scheme in the MIMC setting, 
which is (at least) as efficient as GCDCT+ and AHY but still proven secure 
under the standard k-Lin assumption as GCDCT? 
1.2 Our Main Result 

In this paper, we answer the question in the affirmative by proposing an IBE 
scheme using prime-order bilinear groups in the MIMC setting. The adaptive 
security of the construction is almost-tightly based on the k-Lin assumption, as for 
GCDCT. At the same time, its performance is better than GCDCT and is identical 
to GCDCT+ and AHY for corresponding parameters. 

We compare existing almost-tightly secure IBE in prime-order groups with 
ours in detail in Table 1. The comparison involves the complexity assump- 
tion, the sizes of master public key, secret keys and ciphertexts, and encryp- 
tion/decryption cost. As a baseline, we also investigate the almost-tightly secure 
prime-order IBE by Chen and Wee [9], denoted by CW, and Blazy et al. [4], 
denoted by BKP, both of which are adaptively secure in the SISC setting. 

Table 1. Comparison among almost-tight IBE schemes in the prime-order group. 

Scheme  | Sec.    | |MPK| G1/G      | |MPK| GT | |SK| G2/G | |CT| G1/G | |CT| GT | T_Enc E1/E | T_Enc ET | T_Dec P | MIMC 
--------|---------|-----------------|----------|-----------|-----------|---------|------------|----------|---------|----- 
CW      | k-Lin   | 2k^2(2n+1)      | k        | 4k        | 4k        | 1       | 4k^2       | k        | 4k      | ✗ 
        | DLIN    | 16n+8           | 2        | 8         | 8         | 1       | 16         | 2        | 8       | 
        | SXDH    | 4n+2            | 1        | 4         | 4         | 1       | 4          | 1        | 4       | 
BKP     | k-Lin   | k^2(2n+1)+k     | k        | 2k+1      | 2k+1      | 1       | 2k^2+1     | k        | 2k+1    | ✗ 
        | DLIN    | 8n+6            | 2        | 5         | 5         | 1       | 9          | 2        | 5       | 
        | SXDH    | 2n+2            | 1        | 3         | 3         | 1       | 3          | 1        | 3       | 
GCDCT   | k-Lin   | 3k^2(2n+1)      | k        | 6k        | 6k        | 1       | 6k^2       | k        | 6k      | ✓ 
        | DLIN    | 24n+12          | 2        | 12        | 12        | 1       | 24         | 2        | 12      | 
        | SXDH    | 6n+3            | 1        | 6         | 6         | 1       | 6          | 1        | 6       | 
GCDCT+  | k-LinAI | 2k^2(2n+1)      | k        | 4k        | 4k        | 1       | 4k^2       | k        | 4k      | ✓ 
        | XDLIN   | 16n+8           | 2        | 8         | 8         | 1       | 16         | 2        | 8       | 
AHY     | sDLIN   | 16n+8           | 2        | 8         | 8         | 1       | 16         | 2        | 8       | ✓ 
Ours    | k-Lin   | k^2(2n+3)       | k        | 4k        | 4k        | 1       | 4k^2       | k        | 4k      | ✓ 
        | DLIN    | 8n+12           | 2        | 8         | 8         | 1       | 16         | 2        | 8       | 
        | SXDH    | 2n+3            | 1        | 4         | 4         | 1       | 4          | 1        | 4       | 

- All schemes take {0,1}^n as identity space. 

- "DLIN" and "sDLIN" in Column "Sec." stand for the decisional linear assumption 
in asymmetric and symmetric bilinear groups, respectively. 

- Columns |MPK|, |SK|, and |CT| present numbers of group elements in master 
public keys, secret keys and ciphertexts, respectively. Here G refers to the 
source group of symmetric bilinear groups; G1, G2 are those of asymmetric 
bilinear groups; GT stands for the target group for both cases. 

- Columns T_Enc and T_Dec give numbers of costly operations required during 
encryption and decryption procedures. E1, E and ET refer to exponentiation 
on the first source group of asymmetric bilinear groups, the only source group 
of symmetric bilinear groups, and the target group in both cases, respectively. P 
is for the pairing operation in both cases. 

Benefit of Standard $k$-Lin. Compared with $k$-Lin, the $k$-LinAI assumption (used by GCDCT+) is not well understood¹ and the sDLIN assumption (used by AHY) is stronger, especially in the case of AHY². Without doubt $k$-Lin is the best choice. However, we want to emphasize that achieving the same performance (as GCDCT+ and AHY) under the $k$-Lin assumption is not only of interest to theorists, since we can indeed derive a strictly more efficient instantiation than all previous solutions. We note that AHY is based on the sDLIN assumption and no related generalization was given, while the $k$-LinAI assumption, on which GCDCT+ is built, is not well-defined³ for $k = 1$. In contrast, our construction can be naturally instantiated with $k = 1$ and yields an IBE scheme based on SXDH (see Sect. 6), whose performance is shown in the last row (in gray) of the table. Clearly, it has the shortest secret key/ciphertext and the most efficient encryption/decryption algorithms. Compared with BKP under the SXDH assumption, the cost we pay for the stronger and more practical MIMC security is quite small: just one more group element in secret keys and ciphertexts, and just one more exponentiation and one more pairing operation in the encryption and decryption procedures, respectively. 

(Weak) Anonymity. Apart from the concern on performance, our main construction achieves anonymity, as BKP and AHY do. However, the notion here is weaker than standard anonymity, as was first pointed out by Attrapadung et al. [3]. All of them are proven anonymous under the restriction that all secret keys for the same identity must be created using the same random coin. It is reported in [3] that this can be fulfilled by generating the random coin from each identity using a PRF. A subtlety here is that the newly introduced PRF itself should be tightly secure; otherwise our effort pursuing tight security would finally come to nothing. In the paper we continue working in this restricted model and neglect this subtlety to keep a clean exposition. 


1.3 Our Method 

All of AHY, GCDCT, and GCDCT+ are extended from Chen and Wee's construction [9] or its recent development by Chen et al. [8]. However, from Table 1, we can see that BKP, Blazy et al.'s almost-tightly secure IBE in the SISC model [4], is more efficient in terms of both space and time. Therefore our idea is to extend BKP to the MIMC setting, and we hope that the resulting construction inherits its high performance and could become a solution to the problem we posed in Sect. 1.1. 

¹ The $k$-LinAI assumption is an extended (and stronger) version of $k$-Lin. However, only its generic security has been investigated in [14]. 

² One may convert AHY into an asymmetric bilinear group; the security then relies on the XDLIN assumption, which is stronger than 2-Lin. Furthermore it is of course stronger than $k$-Lin for $k > 2$. 

³ The improvement technique behind GCDCT+ does not work for the special case $k = 1$ since the two semi-functional spaces are 1-dimensional and too small to compress. 

Although Blazy et al. essentially followed the dual system technique, their concrete realization relied on the Groth-Sahai NIZK proof system [15], which is very different from the constructions in [8,9], the common bases of AHY, GCDCT, and GCDCT+. The existing extension strategy seemingly cannot be directly applied to updating BKP to the MIMC setting. 

To circumvent the difficulty, we reconsider BKP and observe a surprising connection between BKP and Chen et al.'s (non-tight) IBE [8]. This allows us to study and manipulate BKP in the framework of nested dual system groups (NDSG) [9], which is much easier to understand and also more feasible to extend towards the MIMC setting [14,18] with existing techniques. We provide the reader with a technical overview in Sect. 3 covering our basic observation and sketching our two technical results, which formally treat the observation. 


1.4 Related Work 

In 2013, Jutla and Roy [19] investigated the notion of quasi-adaptive NIZK (QANIZK) and developed an IBE scheme from their SXDH-based QANIZK. Both this work and Blazy et al.'s work [4] realized the dual system technique using NIZK proofs, and the ideas are actually quite similar. Blazy et al. focused on generic frameworks from affine MACs to IBE, while Jutla and Roy considered many other applications of the newly proposed QANIZK. A series of works [29-31] extended Jutla and Roy's IBE constructions to more complex functionalities. 

Since being introduced in 2013, Chen and Wee's technique of almost-tight reduction [9] has been applied to other primitives such as public key encryption against chosen-ciphertext attack and signatures [23], and QANIZK with unbounded simulation soundness [24]. Recently, Hofheinz [16,17] proposed a series of novel techniques based on Chen and Wee's [9] and achieved constant-size parameters and better efficiency for public key encryption with chosen-ciphertext security and signatures. In the pairing-free setting, Gay et al. [12] provided a more efficient CCA-secure PKE with tight reduction and applied their basic idea to NIZK proof systems. 

Roadmap. We review the necessary preliminary background in Sect. 2. Section 3 is an overview with more technical detail. Sections 4 and 5 present our two technical results. We show our main result (from the $k$-Lin assumption) and its concrete instantiation under the SXDH assumption in Sect. 6. 

2 Preliminaries 

Notation. We use $a \leftarrow A$ to denote the process of uniformly sampling an element from set $A$ and assigning it to variable $a$. We employ $\{x_i\}_{i\in I}$ to denote a family (or list) of objects with index set $I$. The abbreviation $\{x_i\}$ will be used when the index set is clear from the context. Let $\mathbb{G}$ be a group of order $p$. Given two vectors $\mathbf{a} = (a_1,\ldots,a_n)\in\mathbb{G}^n$ and $\mathbf{b} = (b_1,\ldots,b_n)\in\mathbb{G}^n$, we let $\mathbf{a}\cdot\mathbf{b} = (a_1b_1,\ldots,a_nb_n)\in\mathbb{G}^n$. For $\mathbf{c} = (c_1,\ldots,c_n)\in\mathbb{Z}_p^n$ and $g\in\mathbb{G}$, we define $g^{\mathbf{c}} = (g^{c_1},\ldots,g^{c_n})\in\mathbb{G}^n$. For any matrix $\mathbf{A}\in\mathbb{Z}_p^{m\times n}$ with $m > n$, we use $\overline{\mathbf{A}}$ to refer to the square matrix consisting of the first $n$ rows of $\mathbf{A}$ and let $\underline{\mathbf{A}}$ be the sub-matrix consisting of the remaining $m - n$ rows. For any square matrix $\mathbf{A}\in\mathbb{Z}_p^{m\times m}$, we define $\mathbf{A}^* = (\mathbf{A}^T)^{-1}$. We use $(\mathbf{A}|\mathbf{B})$ to denote the matrix formed by concatenating the columns of matrices $\mathbf{A}$ and $\mathbf{B}$ in order. 


2.1 Prime-Order Bilinear Group 

Let GrpGen be a prime-order bilinear group generator which takes as input a security parameter $1^\lambda$ and outputs a group description $\mathcal{G} = (\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2)$. Here $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ are finite cyclic groups of prime order $p$ with $|p| = \Theta(\lambda)$. $e : \mathbb{G}_1\times\mathbb{G}_2\to\mathbb{G}_T$ is an admissible (non-degenerate and efficiently computable) bilinear map. $g_1$, $g_2$ and $g_T = e(g_1, g_2)$ are the respective generators of $\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$. We employ the implicit representation of group elements [11]. For any $a\in\mathbb{Z}_p$ and any $s\in\{1,2,T\}$, we define $[a]_s = g_s^a\in\mathbb{G}_s$. For any matrix $\mathbf{A} = (a_{ij})\in\mathbb{Z}_p^{m\times n}$, we define $[\mathbf{A}]_s = ([a_{ij}]_s)\in\mathbb{G}_s^{m\times n}$ and let $e([\mathbf{A}]_1, [\mathbf{B}]_2) = [\mathbf{A}^T\mathbf{B}]_T$ when $\mathbf{A}^T\mathbf{B}$ is well-defined. 

The security of our construction relies on the Matrix Decisional Diffie-Hellman (MDDH) Assumption introduced in [11]. 

Definition 1 (Matrix Distribution [11]). For any $\ell, k\in\mathbb{N}$ with $\ell > k$, we let $\mathcal{D}_{\ell,k}$ be a matrix distribution over all full-rank matrices in $\mathbb{Z}_p^{\ell\times k}$. Furthermore, we assume the first $k$ rows of the output matrix form an invertible matrix. 

Assumption 1 (Matrix Diffie-Hellman Assumption [11]). Let $\mathcal{D}_{\ell,k}$ be a matrix distribution and $s\in\{1,2,T\}$. For any p.p.t. adversary $\mathcal{A}$ against GrpGen, the following advantage function is negligible in $\lambda$: 

$$\mathrm{Adv}^{\mathcal{D}_{\ell,k}\text{-MDDH}}_{\mathcal{A}}(\lambda) = \left|\Pr\left[\mathcal{A}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{u}]_s) = 1\right] - \Pr\left[\mathcal{A}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{v}]_s) = 1\right]\right|$$

where $\mathcal{G}\leftarrow\mathrm{GrpGen}(1^\lambda)$, $\mathbf{A}\leftarrow\mathcal{D}_{\ell,k}$, $\mathbf{u}\leftarrow\mathbb{Z}_p^k$, $\mathbf{v}\leftarrow\mathbb{Z}_p^\ell$. 

The matrix distribution $\mathcal{D}_{k+1,k}$ will appear extensively in the paper. For simplicity, we take $\mathcal{D}_k$ as its abbreviation. As in [8], we let $\mathcal{D}_k$ output an additional vector $\mathbf{a}^\perp\in\mathbb{Z}_p^{k+1}$ satisfying $\mathbf{A}^T\mathbf{a}^\perp = \mathbf{0}$ and $\mathbf{a}^\perp\neq\mathbf{0}$. The notable $k$-Linear ($k$-Lin) Assumption is a special case of the $\mathcal{D}_k$-MDDH assumption with 

$$\mathbf{A} = \begin{pmatrix} a_1 & & \\ & \ddots & \\ & & a_k \\ 1 & \cdots & 1 \end{pmatrix}\in\mathbb{Z}_p^{(k+1)\times k}\quad\text{and}\quad\mathbf{a}^\perp = \begin{pmatrix} a_1^{-1} \\ \vdots \\ a_k^{-1} \\ -1 \end{pmatrix}$$

where $a_1,\ldots,a_k\leftarrow\mathbb{Z}_p$. We describe a lemma similar to that shown in [8]. 

Lemma 1. With probability $1 - 1/p$ over $(\mathbf{A}, \mathbf{a}^\perp)\leftarrow\mathcal{D}_k$ and $\mathbf{b}\leftarrow\mathbb{Z}_p^{k+1}$, we have 

$$\mathbf{b}\notin\mathrm{Span}(\mathbf{A})\quad\text{and}\quad\mathbf{b}^T\mathbf{a}^\perp\neq 0.$$

We will heavily use the uniform matrix distribution $\mathcal{U}_{\ell,k}$, which uniformly samples a matrix over $\mathbb{Z}_p^{\ell\times k}$. Similarly, we let $\mathcal{U}_k$ be the short form of $\mathcal{U}_{k+1,k}$. A direct observation is "$\mathcal{D}_k$-MDDH $\Rightarrow$ $\mathcal{U}_k$-MDDH" with constant security loss, since any $\mathcal{D}_k$-MDDH instance can be disguised as a $\mathcal{U}_k$-MDDH instance using a random square matrix (c.f. [11,12]). Besides, we have the following lemma. 

Lemma 2 ($\mathcal{U}_k \Rightarrow \mathcal{U}_{\ell,k}$, $\ell > k$ [12]). For any p.p.t. adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ with $T(\mathcal{B})\approx T(\mathcal{A}) + k^2\ell\cdot\mathrm{poly}(\lambda)$ and 

$$\mathrm{Adv}^{\mathcal{U}_{\ell,k}\text{-MDDH}}_{\mathcal{A}}(\lambda)\le\mathrm{Adv}^{\mathcal{U}_k\text{-MDDH}}_{\mathcal{B}}(\lambda).$$

The observation and the lemma lead to the fact that $\mathcal{U}_{\ell,k}$-MDDH with $\ell > k$ is implied by the well-known $k$-Lin assumption with constant security loss. In the paper, we utilize the following structural lemma [12]. 

Lemma 3. For a fixed full-rank $\mathbf{A}\in\mathbb{Z}_p^{3k\times k}$, with probability at least $1 - 2k/p$ over $\hat{\mathbf{A}}, \tilde{\mathbf{A}}\leftarrow\mathcal{U}_{3k,k}$, we have $\mathrm{Span}((\mathbf{A}|\hat{\mathbf{A}}|\tilde{\mathbf{A}})) = \mathbb{Z}_p^{3k}$, in which case it holds that 

$$\mathrm{Span}(\mathbf{A}^\perp) = \mathrm{Ker}((\mathbf{A}|\hat{\mathbf{A}})^T)\oplus\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^T),$$

and $\hat{\mathbf{A}}^T\hat{\mathbf{A}}^*\in\mathbb{Z}_p^{k\times k}$ is invertible if $\hat{\mathbf{A}}^*$ forms a basis of $\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^T)$. 

For $Q\in\mathbb{N}$, we recall the $Q$-fold $\mathcal{U}_{\ell,k}$-MDDH assumption [11] as follows. One may view it as $Q$ independent instances of the basic $\mathcal{U}_{\ell,k}$-MDDH problem. 

Assumption 2 ($Q$-fold $\mathcal{U}_{\ell,k}$-MDDH [11]). Let $\mathcal{U}_{\ell,k}$ be the uniform matrix distribution and $s\in\{1,2,T\}$. For any p.p.t. adversary $\mathcal{A}$ against GrpGen, the following advantage function is negligible in $\lambda$: 

$$\mathrm{Adv}^{Q\text{-}\mathcal{U}_{\ell,k}\text{-MDDH}}_{\mathcal{A}}(\lambda) = \left|\Pr\left[\mathcal{A}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{U}]_s) = 1\right] - \Pr\left[\mathcal{A}(\mathcal{G}, [\mathbf{A}]_s, [\mathbf{V}]_s) = 1\right]\right|$$

where $\mathcal{G}\leftarrow\mathrm{GrpGen}(1^\lambda)$, $\mathbf{A}\leftarrow\mathcal{U}_{\ell,k}$, $\mathbf{U}\leftarrow\mathbb{Z}_p^{k\times Q}$, $\mathbf{V}\leftarrow\mathbb{Z}_p^{\ell\times Q}$. 

It would be direct to prove "$\mathcal{U}_{\ell,k}$-MDDH $\Rightarrow$ $Q$-fold $\mathcal{U}_{\ell,k}$-MDDH" with security loss $Q$. The Random Self-reducibility Lemma by Escala et al. [11] (see below) provides us with a tighter reduction: the security loss depends solely on the shape of the matrix $\mathbf{A}$ instead of on $Q$. Namely, one can deal with an unbounded number of instances simultaneously with constant security loss for a fixed $\mathbf{A}$. 

Lemma 4 (Random Self-reducibility [11]). Assume $Q > \ell - k$. For any uniform matrix distribution $\mathcal{U}_{\ell,k}$ and any p.p.t. adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that 

$$\mathrm{Adv}^{Q\text{-}\mathcal{U}_{\ell,k}\text{-MDDH}}_{\mathcal{A}}(\lambda)\le(\ell - k)\cdot\mathrm{Adv}^{\mathcal{U}_{\ell,k}\text{-MDDH}}_{\mathcal{B}}(\lambda) + 1/(p-1)$$

and $T(\mathcal{B})\approx T(\mathcal{A}) + \ell^2 k\cdot\mathrm{poly}(\lambda)$ where $\mathrm{poly}(\lambda)$ is independent of $T(\mathcal{A})$. 


Efficient IBE with Tight Reduction to Standard Assumption 633 


2.2 Identity Based Encryption 


Algorithms. An Identity Based Encryption (IBE) in the multi-instance setting [3,14,18] consists of five p.p.t. algorithms: 

- Param($1^\lambda$, sys) $\to$ gp. The parameter generation algorithm takes as input a security parameter $\lambda\in\mathbb{Z}^+$ and a system-level parameter sys, and outputs a global parameter gp. 

- Setup(gp) $\to$ (mpk, msk). The setup algorithm takes as input a global parameter gp, and outputs a master public/secret key pair (mpk, msk). 

- KeyGen(mpk, msk, ID) $\to$ sk$_{\mathrm{ID}}$. The key generation algorithm takes as input a master public key mpk, a master secret key msk and an identity ID, and outputs a secret key sk$_{\mathrm{ID}}$. 

- Enc(mpk, ID, M) $\to$ ct$_{\mathrm{ID}}$. The encryption algorithm takes as input a master public key mpk, an identity ID and a message M, and outputs a ciphertext ct$_{\mathrm{ID}}$. 

- Dec(mpk, sk, ct) $\to$ M. The decryption algorithm takes as input a master public key mpk, a secret key sk and a ciphertext ct, and outputs a message M or $\bot$. 

If the IBE scheme in question is in the classical single-instance setting, we may merge the first two algorithms into a single Setup algorithm for clarity. The merged Setup algorithm takes $1^\lambda$ and sys as inputs and creates a master public/secret key pair (mpk, msk). 

Correctness. For any parameter $\lambda\in\mathbb{N}$, any sys, any gp $\in$ [Param($1^\lambda$, sys)], any (mpk, msk) $\in$ [Setup(gp)], any identity ID and any message M, it holds that 

$$\Pr\left[\mathrm{Dec}(\mathrm{mpk}, \mathrm{sk}, \mathrm{ct}) = \mathrm{M}\ :\ \begin{array}{l}\mathrm{sk}\leftarrow\mathrm{KeyGen}(\mathrm{mpk}, \mathrm{msk}, \mathrm{ID})\\ \mathrm{ct}\leftarrow\mathrm{Enc}(\mathrm{mpk}, \mathrm{ID}, \mathrm{M})\end{array}\right]\ \ge\ 1 - 2^{-\Omega(\lambda)}.$$


Security Definition. We investigate both ciphertext indistinguishability and anonymity under chosen identity and plaintext attacks in the multi-instance, multi-ciphertext setting. We define the advantage function 

$$\mathrm{Adv}^{\mathrm{IBE}}_{\mathcal{A}}(\lambda) = \left|\Pr\left[\beta' = \beta\ :\ \begin{array}{l}\mu\leftarrow\mathcal{A},\ \mathrm{gp}\leftarrow\mathrm{Param}(1^\lambda, \mathrm{sys}),\ \beta\leftarrow\{0,1\}\\ (\mathrm{mpk}_1, \mathrm{msk}_1),\ldots,(\mathrm{mpk}_\mu, \mathrm{msk}_\mu)\leftarrow\mathrm{Setup}(\mathrm{gp})\\ \beta'\leftarrow\mathcal{A}^{\mathcal{O}^\beta_{\mathrm{Enc}},\,\mathcal{O}_{\mathrm{KeyGen}}}(\mathrm{mpk}_1,\ldots,\mathrm{mpk}_\mu)\end{array}\right] - \frac{1}{2}\right|$$

where the oracles $\mathcal{O}^\beta_{\mathrm{Enc}}$ and $\mathcal{O}_{\mathrm{KeyGen}}$ work as follows: 

- $\mathcal{O}^\beta_{\mathrm{Enc}}$: Given $(\iota, \mathrm{ID}^*_0, \mathrm{ID}^*_1, \mathrm{M}^*_0, \mathrm{M}^*_1)$, return $\mathrm{Enc}(\mathrm{mpk}_\iota, \mathrm{ID}^*_\beta, \mathrm{M}^*_\beta)$ and update $\mathcal{Q}_C = \mathcal{Q}_C\cup\{(\iota, \mathrm{ID}^*_0), (\iota, \mathrm{ID}^*_1)\}$. 

- $\mathcal{O}_{\mathrm{KeyGen}}$: Given $(\iota, \mathrm{ID})$, return $\mathrm{KeyGen}(\mathrm{mpk}_\iota, \mathrm{msk}_\iota, \mathrm{ID})$ and update $\mathcal{Q}_K = \mathcal{Q}_K\cup\{(\iota, \mathrm{ID})\}$. 

An identity based encryption scheme is adaptively secure and anonymous in the multi-instance, multi-ciphertext setting if, for every p.p.t. adversary $\mathcal{A}$ with $\mathcal{Q}_K\cap\mathcal{Q}_C = \emptyset$, the advantage function $\mathrm{Adv}^{\mathrm{IBE}}_{\mathcal{A}}(\lambda)$ is negligible in $\lambda$. 

As a special case, adaptive security and anonymity in the single-instance, single-ciphertext setting can be derived by imposing two restrictions: (1) there is only one master public/secret key pair, i.e., we set $\mu = 1$ and all $\iota$ submitted to the oracles are restricted to be 1; (2) there is only one challenge ciphertext, i.e., $\mathcal{A}$ can send only one query to oracle $\mathcal{O}^\beta_{\mathrm{Enc}}$. 

3 A Technical Overview 

3.1 Revisiting BKP 

A Short Overview of BKP. Let $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2)\leftarrow\mathrm{GrpGen}(1^\lambda)$. Let us review BKP, i.e., $\mathrm{IBE}[\mathrm{MAC}_{\mathrm{NR}}[\mathcal{D}_k], \mathcal{D}_k]$ in [4], which is derived from the affine MAC based on the Naor-Reingold PRF. The affine MAC can be described as follows. 

$$\begin{array}{ll}\mathrm{sk}_{\mathrm{MAC}}: & \mathbf{x}_{1,0},\ \mathbf{x}_{1,1},\ \ldots,\ \mathbf{x}_{n,0},\ \mathbf{x}_{n,1},\ x'\\ \mathrm{tag}_{\mathsf{m}}: & [\mathbf{t}]_2,\ \left[\sum_{i=1}^n\mathbf{x}_{i,\mathsf{m}[i]}^T\mathbf{t} + x'\right]_2\end{array}$$

Here $\mathbf{x}_{i,b}\leftarrow\mathbb{Z}_p^k$ for $(i,b)\in[n]\times\{0,1\}$ and $x'\leftarrow\mathbb{Z}_p$; the random coin $\mathbf{t}\leftarrow\mathbb{Z}_p^k$ is uniformly sampled for each tag, and $\mathsf{m}[i]$ represents the $i$th bit of the message $\mathsf{m}\in\{0,1\}^n$. It is beneficial to define a randomized verification key for $\mathsf{m}^*$ as 

$$\mathrm{vk}_{\mathsf{m}^*}:\ [h]_1,\ \left[h\cdot\sum_{i=1}^n\mathbf{x}_{i,\mathsf{m}^*[i]}\right]_1,\ [h\cdot x']_T$$

where $h\leftarrow\mathbb{Z}_p$. Blazy et al. prove that a verification key for $\mathsf{m}^*$ is pseudorandom for any p.p.t. adversary holding tags for $\mathsf{m}_1,\ldots,\mathsf{m}_q\neq\mathsf{m}^*$ under the $k$-Lin assumption with $O(n)$ security loss. 

In a nutshell, the IBE scheme is obtained as follows: the master secret key msk is $\mathrm{sk}_{\mathrm{MAC}}$; the master public key mpk consists of perfectly hiding commitments to $\mathrm{sk}_{\mathrm{MAC}}$; a secret key sk for $\mathrm{ID}\in\{0,1\}^n$ is composed of a tag for ID and a Groth-Sahai NIZK proof [15] showing that the tag is correct under $\mathrm{sk}_{\mathrm{MAC}}$; the ciphertext under ID and the decryption algorithm are derived from the verification method of the NIZK proof system. A more detailed description is given below. 


$$\begin{array}{lll}\mathrm{mpk}: & [\mathbf{A}]_1,\ [\mathbf{Z}_{1,0}]_1,\ [\mathbf{Z}_{1,1}]_1,\ \ldots,\ [\mathbf{Z}_{n,0}]_1,\ [\mathbf{Z}_{n,1}]_1,\ [\mathbf{z}]_T & \text{(commitment to } \mathrm{sk}_{\mathrm{MAC}}\text{)}\\ \mathrm{sk}_{\mathrm{ID}}: & [\mathbf{k}_0]_2,\ [k_1]_2 = \left[\sum_{i=1}^n\mathbf{x}_{i,\mathrm{ID}[i]}^T\mathbf{k}_0 + x'\right]_2 & \text{(MAC tag for ID)}\\ & [\mathbf{k}_2]_2 = \left[\sum_{i=1}^n\mathbf{Y}_{i,\mathrm{ID}[i]}^T\mathbf{k}_0 + \mathbf{y}^T\right]_2 & \text{(proving validity of the tag)}\\ \mathrm{ct}_{\mathrm{ID}}: & [\mathbf{A}\mathbf{s}]_1,\ \left[\sum_{i=1}^n\mathbf{Z}_{i,\mathrm{ID}[i]}\mathbf{s}\right]_1,\ [\mathbf{z}\mathbf{s}]_T\cdot\mathrm{M} & \end{array}$$

Here $\mathbf{A}$ is the commitment key, $\mathbf{Z}_{i,b} = (\mathbf{Y}_{i,b}|\mathbf{x}_{i,b})\mathbf{A}$ is a commitment to $\mathbf{x}_{i,b}$ with random coin $\mathbf{Y}_{i,b}\leftarrow\mathbb{Z}_p^{k\times k}$ for $(i,b)\in[n]\times\{0,1\}$, and $\mathbf{z} = (\mathbf{y}|x')\mathbf{A}$ is a commitment to $x'$ with random coin $\mathbf{y}\leftarrow\mathbb{Z}_p^{1\times k}$. To prove the security of BKP, one first transforms the challenge ciphertext $\mathrm{ct}_{\mathrm{ID}^*}$ into the form 

$$[\mathbf{A}\mathbf{s} + h\cdot\mathbf{e}_{k+1}]_1,\quad\left[\sum_{i=1}^n\mathbf{Z}_{i,\mathrm{ID}^*[i]}\mathbf{s} + \boxed{h\cdot\sum_{i=1}^n\mathbf{x}_{i,\mathrm{ID}^*[i]}}\right]_1,\quad\left[\mathbf{z}\mathbf{s} + \boxed{h\cdot x'}\right]_T$$

in which the boxed terms in fact form a verification key of $\mathrm{ID}^*$. Then we may rewrite the proof part $[\mathbf{k}_2]_2$ of $\mathrm{sk}_{\mathrm{ID}}$ as 

$$\mathbf{k}_2 = \overline{\mathbf{A}}^*\cdot\left(\sum_{i=1}^n\mathbf{Z}_{i,\mathrm{ID}[i]}^T\mathbf{k}_0 + \mathbf{z}^T - k_1\underline{\mathbf{A}}^T\right).$$

Here we use the following relations: 

$$\mathbf{Z}_{i,b} = (\mathbf{Y}_{i,b}|\mathbf{x}_{i,b})\mathbf{A}\iff\mathbf{Y}_{i,b} = \mathbf{Z}_{i,b}\overline{\mathbf{A}}^{-1} - \mathbf{x}_{i,b}\underline{\mathbf{A}}\,\overline{\mathbf{A}}^{-1},\quad\forall (i,b)\in[n]\times\{0,1\}$$

$$\mathbf{z} = (\mathbf{y}|x')\mathbf{A}\iff\mathbf{y} = \mathbf{z}\overline{\mathbf{A}}^{-1} - x'\underline{\mathbf{A}}\,\overline{\mathbf{A}}^{-1}.$$


From the standpoint of the NIZK proof system, we have replaced the real proof with a simulated proof. An observation is that we do not need $\mathbf{Y}_{i,b}$ (resp. $\mathbf{y}$), and that $\mathbf{Z}_{i,b}$ (resp. $\mathbf{z}$) and $\mathbf{x}_{i,b}$ (resp. $x'$) are distributed independently by the property of the perfectly hiding commitment. In this case we can reduce the adaptive security and anonymity of BKP to the property of the underlying affine MAC we just mentioned. 

BKP in the Dual-system Lens. Although Blazy et al.'s proof [4] is in the framework of dual system encryption [9,34], from their exposition it is seemingly difficult to identify the normal space and the semi-functional space, which may guide us to a better understanding and has been formulated via dual system groups (DSG) [10] and NDSG [9] (as well as ENDSG [14,18]). Fortunately, the ciphertexts and keys used in the proof (c.f. paragraph A Short Overview of BKP) give us the following (informal) observations: 

- the commitments $\mathbf{Z}_{i,b}$ and $\mathbf{z}$ lie in the normal space; 

- the values being committed to, $\mathbf{x}_{i,b}$ and $x'$, lie in the semi-functional space. 

Now we try to put this structure into the real system instead of into the proof. For simplicity, we ignore the master secret (i.e., $\mathbf{z}$, $\mathbf{y}$ and $x'$). From the relations in the previous paragraph, we readily have the following representation: 



$$\begin{pmatrix}\mathbf{Y}_{i,b}^T\\ \mathbf{x}_{i,b}^T\end{pmatrix} = \begin{pmatrix}\overline{\mathbf{A}}^* & -\overline{\mathbf{A}}^*\underline{\mathbf{A}}^T\\ \mathbf{0}^{1\times k} & 1\end{pmatrix}\begin{pmatrix}\mathbf{Z}_{i,b}^T\\ \mathbf{x}_{i,b}^T\end{pmatrix},\qquad\forall (i,b)\in[n]\times\{0,1\}.$$

We find that the transformation matrix above actually forms the dual basis of $(\mathbf{A}|\mathbf{e}_{k+1}) = \begin{pmatrix}\overline{\mathbf{A}} & \mathbf{0}\\ \underline{\mathbf{A}} & 1\end{pmatrix}$. A simple substitution results in secret keys (without master secret) of the following form: 

$$[\mathbf{k}_0]_2,\qquad\left[\begin{pmatrix}\mathbf{k}_2\\ k_1\end{pmatrix}\right]_2 = \left[\sum_{i=1}^n(\mathbf{A}|\mathbf{e}_{k+1})^*\begin{pmatrix}\mathbf{Z}_{i,\mathrm{ID}[i]}^T\\ \mathbf{x}_{i,\mathrm{ID}[i]}^T\end{pmatrix}\mathbf{k}_0\right]_2.$$

As we have observed, $\mathbf{Y}_{i,b}$ is not needed when creating secret keys and ciphertexts in the real system, and $\mathbf{Z}_{i,b}$ and $\mathbf{x}_{i,b}$ are distributed independently. Therefore we may sample them directly instead of through $\mathbf{Y}_{i,b}$. In particular, we sample $\mathbf{W}_{i,b}\leftarrow\mathbb{Z}_p^{k\times(k+1)}$ for all $(i,b)\in[n]\times\{0,1\}$ and define $\mathbf{Z}_{i,b}$ and $\mathbf{x}_{i,b}$ such that 

$$(\mathbf{Z}_{i,b}\,|\,\mathbf{x}_{i,b}) = \mathbf{W}_{i,b}(\mathbf{A}|\mathbf{e}_{k+1}),$$

or equivalently define $\mathbf{Z}_{i,b} = \mathbf{W}_{i,b}\mathbf{A}$ and $\mathbf{x}_{i,b} = \mathbf{W}_{i,b}\mathbf{e}_{k+1}$. This allows us to simplify BKP (without considering master secret key and payload) as follows: 

$$\begin{array}{lll}\mathrm{mpk}: & [\mathbf{A}]_1,\ [\mathbf{W}_{1,0}\mathbf{A}]_1,\ [\mathbf{W}_{1,1}\mathbf{A}]_1,\ \ldots,\ [\mathbf{W}_{n,0}\mathbf{A}]_1,\ [\mathbf{W}_{n,1}\mathbf{A}]_1 & \\ \mathrm{ct}_{\mathrm{ID}}: & [\mathbf{A}\mathbf{s}]_1,\ \left[\sum_{i=1}^n\mathbf{W}_{i,\mathrm{ID}[i]}\mathbf{A}\mathbf{s}\right]_1 & \in\mathbb{G}_1^{k+1}\times\mathbb{G}_1^k\\ \mathrm{sk}_{\mathrm{ID}}: & [\mathbf{k}_0]_2,\ \left[\sum_{i=1}^n\mathbf{W}_{i,\mathrm{ID}[i]}^T\mathbf{k}_0\right]_2 & \in\mathbb{G}_2^k\times\mathbb{G}_2^{k+1}\end{array}$$

which is surprisingly close to Chen et al.'s structure [8]. 
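The two algebraic facts behind this observation can be checked mechanically. The following Python example is added here and is not code from the paper: it instantiates a $k$-Lin matrix $\mathbf{A}$ over a constructed prime field, verifies that the transformation matrix above equals $(\mathbf{A}|\mathbf{e}_{k+1})^*$, and verifies that with $\mathbf{Z} = \mathbf{W}\mathbf{A}$ and $\mathbf{x} = \mathbf{W}\mathbf{e}_{k+1}$ the commitment relation is solved by $\mathbf{Y} = (\mathbf{Z} - \mathbf{x}\underline{\mathbf{A}})\overline{\mathbf{A}}^{-1}$ with $(\mathbf{Y}|\mathbf{x}) = \mathbf{W}$, which is why the simplified secret key $[\sum_i\mathbf{W}_{i,\mathrm{ID}[i]}^T\mathbf{k}_0]_2$ coincides with the stacked $(\mathbf{k}_2; k_1)$. The modulus, the seed and the helper names are assumptions of the example.

```python
# Added example, not from the paper: numeric check of the dual-basis observation of Sect. 3.1.
import random

P = 2**61 - 1        # constructed prime modulus standing in for the group order p
random.seed(1)       # fixed seed so the checks are reproducible


def rand_vec(n):
    return [random.randrange(P) for _ in range(n)]


def rand_mat(rows, cols):
    return [rand_vec(cols) for _ in range(rows)]


def matmul(X, Y):
    """Matrix product over Z_p; matrices are lists of rows."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]


def transpose(X):
    return [list(col) for col in zip(*X)]


def inverse(M):
    """Gauss-Jordan inverse of a square matrix over Z_p; raises ValueError if singular."""
    n = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % P), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def klin_matrix(k):
    """A from the k-Lin distribution: diag(a_1, ..., a_k) on top of a row of ones."""
    a = [random.randrange(1, P) for _ in range(k)]
    return [[a[i] if i == j else 0 for j in range(k)] for i in range(k)] + [[1] * k]


def check_bkp_dual_basis(k):
    """Return (fact1, fact2) for a fresh k-Lin matrix A:
    fact1: (A_bar^*  -A_bar^* A_under^T ; 0  1) equals the dual basis (A|e_{k+1})^*;
    fact2: with Z = W A and x = W e_{k+1}, the relation Z = (Y|x) A is solved by
           Y = (Z - x A_under) A_bar^{-1}, and then (Y|x) is exactly W."""
    A = klin_matrix(k)
    A_bar, A_under = A[:k], A[k:]                    # first k rows / last row
    A_bar_inv = inverse(A_bar)
    A_bar_star = transpose(A_bar_inv)                # A_bar^* = (A_bar^T)^{-1}
    corr = matmul(A_bar_star, transpose(A_under))    # A_bar^* A_under^T, a k x 1 column
    T = [A_bar_star[i] + [(-corr[i][0]) % P] for i in range(k)] + [[0] * k + [1]]
    A_e = [A_bar[i] + [0] for i in range(k)] + [A_under[0] + [1]]   # (A | e_{k+1})
    dual = transpose(inverse(A_e))                   # ((A|e_{k+1})^T)^{-1}
    fact1 = (T == dual)

    W = rand_mat(k, k + 1)
    Z = matmul(W, A)                                 # Z = W A        (k x k)
    x = [[row[k]] for row in W]                      # x = W e_{k+1}  (k x 1, last column of W)
    xA = matmul(x, A_under)                          # x A_under      (k x k)
    Y = matmul([[(Z[i][j] - xA[i][j]) % P for j in range(k)] for i in range(k)], A_bar_inv)
    fact2 = all(Y[i] == W[i][:k] for i in range(k))
    return fact1, fact2
```

Running `check_bkp_dual_basis(k)` for several $k$ returns `(True, True)`; the second fact is what licenses sampling $\mathbf{W}_{i,b}$ directly in place of $(\mathbf{Y}_{i,b}, \mathbf{x}_{i,b})$.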

Remark 1. The structure presented here also appeared in a quasi-adaptive NIZK (QA-NIZK) recently proposed by Gay et al. [12]. They obtained this structure from their pairing-free designated-verifier QA-NIZK. In fact, we can alternatively derive their QA-NIZK from the basic QA-NIZK without support for simulation soundness in [20] (see their Introduction) and a randomized PRF underlying the above structure (following the semi-general method of reaching unbounded simulation soundness in [20]). 

3.2 Technical Result 1: Generalizing NDSG 

The similarity between Chen et al.'s structure [8] and simplified BKP suggests that one may study simplified BKP under the framework of NDSG [9]. However, Chen and Wee's NDSG [9] is not sufficient for our purpose and a series of adjustments are seemingly necessary. 

Informally, NDSG defines an abstract bilinear group $(\mathbb{G}, \mathbb{H}, \mathbb{G}_T, e)$ equipped with a collection of algorithms sampling group elements. In the generic construction of IBE, a ciphertext (excluding the payload) consists of elements from $\mathbb{G}$ while a secret key is composed of elements in $\mathbb{H}$. However, both ciphertexts and keys in the above observation involve elements from two distinct groups, i.e., $\mathbb{G}_1^{k+1}$ and $\mathbb{G}_1^k$ for $\mathrm{ct}_{\mathrm{ID}}$, and $\mathbb{G}_2^k$ and $\mathbb{G}_2^{k+1}$ for $\mathrm{sk}_{\mathrm{ID}}$. We generalize Chen and Wee's NDSG [9] in the following aspects: 

- replace $\mathbb{G}$ with $\mathbb{G}_0$ and $\mathbb{G}$; 

- replace $\mathbb{H}$ with $\mathbb{H}_0$ and $\mathbb{H}$; 

- replace $e$ with $e$ and $e_0$, which map $\mathbb{G}\times\mathbb{H}_0$ and $\mathbb{G}_0\times\mathbb{H}$ to $\mathbb{G}_T$, respectively. 

The first two points are straightforward, while the last one is motivated by the decryption procedure, where only two vectors of the same dimension, i.e., either $k$ or $k+1$, can be paired together, and the results should lie in $\mathbb{G}_T$ in both cases. Of course, more fine-tuning is required for other portions of NDSG (including making SampH private as in [14]; see Sect. 4 for more detail). 

Furthermore, following Chen et al. [8], we also upgrade NDSG (with all the above generalizations) to support weak anonymity. In particular, we define an additional requirement, called G-uniformity, which is a combination of H-hiding and a weakened G-uniformity in [8]. This allows us to implement its computational version (we will discuss it later) in a tighter fashion. 

It is not hard to verify that our generalized NDSG implies an almost-tightly secure IBE in the SISC setting with weaker anonymity [3]. Motivated by our simplified BKP, we can provide a prime-order instantiation of our generalized NDSG. All computational requirements (i.e., left-subgroup and nested-hiding indistinguishability) are proved under the $k$-Lin assumption based on [4,8]. 


3.3 Technical Result 2: Towards MIMC Setting 

All the previous informal discussion and formal treatment are preparations for moving from the SISC towards the MIMC setting. Having a generalized NDSG with a prime-order instantiation, we can now apply the extension technique proposed in [14,18]. This finally results in a generalized extended NDSG (ENDSG) [14,18] and its prime-order instantiation, which immediately gives us an almost-tightly secure and weakly anonymous IBE in the MIMC setting, i.e., our main result (c.f. Sects. 1.2 and 6). 

Apart from the regular extension procedure [14,18] introducing new algorithms and requirements, we also update the G-uniformity (in our generalized NDSG) to its computational version. It is direct to check that the computational G-uniformity gives our generalized ENDSG the power of reaching weak anonymity [3] in the MIMC setting. 

The prime-order instantiation of the generalized ENDSG and its proofs are obtained from those for the generalized NDSG following the extension strategy by Gong et al. [14] and its recent refinement by Gay et al. [12]. In particular, the most important extensions are: 


- We let the bases of the normal, $\hat{\mathbf{A}}$-semi-functional, and $\tilde{\mathbf{A}}$-semi-functional spaces be $\mathbf{A}$, $\hat{\mathbf{A}}$, and $\tilde{\mathbf{A}}$, respectively, all of which are sampled from the uniform matrix distribution over $\mathbb{Z}_p^{3k\times k}$. The size of the matrices $\mathbf{W}$ randomizing the bases is extended from $k\times(k+1)$ to $k\times 3k$ accordingly. 

- Random functions $\widehat{\mathsf{RF}}$ and $\widetilde{\mathsf{RF}}$ map a binary string (say, the $i$-bit prefix of an identity) to a random element in $\mathrm{Span}(\hat{\mathbf{A}}^*)$ and $\mathrm{Span}(\tilde{\mathbf{A}}^*)$, respectively. Here we let $\hat{\mathbf{A}}^*$ (resp. $\tilde{\mathbf{A}}^*$) be a basis of $\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^T)$ (resp. $\mathrm{Ker}((\mathbf{A}|\hat{\mathbf{A}})^T)$) following Gay et al.'s method [12]. 

This prime-order instantiation derives an IBE (i.e., our main result) with ciphertexts of size $(3k + \boxed{k})|\mathbb{G}_1| = 4k|\mathbb{G}_1|$ and secret keys of size $(\boxed{k} + 3k)|\mathbb{G}_2| = 4k|\mathbb{G}_2|$. We highlight that, with the above extension, 

- all $\mathbf{W}_{i,b}\mathbf{A}$ are still of size $k\times k$ (see the first boxed term); 

- the random coin $\mathbf{r}$ for a key is still $k$-dimensional (see the second boxed term). 

Namely, not all components in ciphertexts and secret keys swell in our extension procedure, which seemingly benefits from Blazy et al.'s structure [4]. More importantly, we gain this feature without relying on the technique presented in [14], which compresses both semi-functional spaces and thus has to turn to a non-standard assumption. 
3.4 Discussion and Perspective 

Besides acting as the cornerstone of Technical Result 2, we believe Technical Result 1 may be of independent interest due to its clean description and proofs. For instance, it allows us to explain why BKP can be more efficient than CW, which was not quite obvious before. As a matter of fact, through Technical Result 1 we can compare CW with BKP in the same framework and perceive two differences between them which make BKP more efficient. 

Firstly, the secret keys in CW contain a structure supporting parameter-hiding which is not found in BKP's secret keys. It was previously used to achieve right subgroup indistinguishability in Chen and Wee's prime-order instantiation of DSG [10] but is actually not needed when proving almost-tight adaptive security using Chen and Wee's technique [9]. 

Secondly, the proof of nested-hiding indistinguishability is stronger, such that the corresponding structures on the key side in BKP are much simpler than in CW. We highlight this point in our proof (in Sect. 4.3) via a lemma (Lemma 5) extracted from Blazy et al.'s proof. We deliberately describe it in the same flavor as Chen and Wee's Many Tuple Lemma [9]. One can think of it as a stronger version of the Many Tuple Lemma [9] since it just involves a secret vector instead of a matrix, which costs less space to hide. 

4 Blazy-Kiltz-Pan Almost-Tightly Secure IBE, Revisited 

4.1 Generalized Nested Dual System Group 

Keeping our informal discussion in Sect. 3 in mind, we generalize the notion of nested dual system group (NDSG) [9] in this section. The formal definition is followed by remarks illustrating the main differences with the original one. 

Algorithms. Our generalized NDSG consists of five p.p.t. algorithms as follows: 

- $\mathrm{SampP}(1^\lambda, n)$: Output $(\mathrm{pp}, \mathrm{sp})$ where: 

  - pp contains the groups $(\mathbb{G}_0, \mathbb{G}, \mathbb{H}_0, \mathbb{H}, \mathbb{G}_T)$ and admissible bilinear maps 
    $$e_0 : \mathbb{G}_0\times\mathbb{H}\to\mathbb{G}_T\quad\text{and}\quad e : \mathbb{G}\times\mathbb{H}_0\to\mathbb{G}_T,$$
    an efficient linear map $\mu$ defined on $\mathbb{H}$, and public parameters for SampG; 

  - sp contains $h^*\in\mathbb{H}$ and secret parameters for SampH and SampĜ. 

- $\mathrm{SampGT} : \mathrm{Im}(\mu)\to\mathbb{G}_T$. 

- $\mathrm{SampG}(\mathrm{pp})$: Output $\mathbf{g} = (g_0; g_1,\ldots,g_n)\in\mathbb{G}_0\times\mathbb{G}^n$. 

- $\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$: Output $\mathbf{h} = (h_0; h_1,\ldots,h_n)\in\mathbb{H}_0\times\mathbb{H}^n$. 

- $\mathrm{Samp\hat{G}}(\mathrm{pp}, \mathrm{sp})$: Output $\hat{\mathbf{g}} = (\hat{g}_0; \hat{g}_1,\ldots,\hat{g}_n)\in\mathbb{G}_0\times\mathbb{G}^n$. 

We employ $\mathrm{SampG}_0$ (resp., $\mathrm{Samp\hat{G}}_0$) to indicate the first element $g_0\in\mathbb{G}_0$ (resp., $\hat{g}_0\in\mathbb{G}_0$) in the output of SampG (resp., SampĜ). We simply view the outputs of the last three algorithms as vectors, but use a semicolon to emphasize that the first element and all remaining ones belong to distinct groups. 
Correctness. For all $\lambda, n\in\mathbb{Z}^+$ and all $(\mathrm{pp}, \mathrm{sp})\in[\mathrm{SampP}(1^\lambda, n)]$, we require: 

(projective) For all $h\in\mathbb{H}$ and coin $s$, $\mathrm{SampGT}(\mu(h); s) = e_0(\mathrm{SampG}_0(\mathrm{pp}; s), h)$. 

(associative) For all $(g_0; g_1,\ldots,g_n)\in[\mathrm{SampG}(\mathrm{pp})]$ and $(h_0; h_1,\ldots,h_n)\in[\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})]$, $e_0(g_0, h_i) = e(g_i, h_0)$ for all $i\in[n]$. 

Security. For all $\lambda, n\in\mathbb{Z}^+$ and $(\mathrm{pp}, \mathrm{sp})\leftarrow\mathrm{SampP}(1^\lambda, n)$, we require: 

(orthogonality) $\mu(h^*) = 1$. 

(non-degeneracy) With overwhelming probability when $\hat{g}_0\leftarrow\mathrm{Samp\hat{G}}_0(\mathrm{pp}, \mathrm{sp})$, the value $e_0(\hat{g}_0, h^*)^\alpha$ is uniformly distributed over $\mathbb{G}_T$ where $\alpha\leftarrow\mathbb{Z}_{\mathrm{ord}(\mathbb{H})}$. 

(H-subgroup) The output of $\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$ is uniformly distributed over some subgroup of $\mathbb{H}_0\times\mathbb{H}^n$. 

(left subgroup indistinguishability) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$: 

$$\mathrm{Adv}^{\mathrm{LS}}_{\mathcal{A}}(\lambda, q) = \left|\Pr[\mathcal{A}(\mathrm{pp}, \{\mathbf{h}_j\}_{j\in[q]}, \mathbf{g}) = 1] - \Pr[\mathcal{A}(\mathrm{pp}, \{\mathbf{h}_j\}_{j\in[q]}, \mathbf{g}\cdot\hat{\mathbf{g}}) = 1]\right|$$

where $\mathbf{g}\leftarrow\mathrm{SampG}(\mathrm{pp})$, $\hat{\mathbf{g}}\leftarrow\mathrm{Samp\hat{G}}(\mathrm{pp}, \mathrm{sp})$, $\mathbf{h}_j\leftarrow\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$. 

(nested-hiding indistinguishability) For all $\eta\in[n]$ and any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$: 

$$\mathrm{Adv}^{\mathrm{NH}(\eta)}_{\mathcal{A}}(\lambda, q) = \left|\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]\right|,$$

where 

$$D = (\mathrm{pp}, h^*, \hat{\mathbf{g}}_{-\eta}, \{\mathbf{h}'_j\}_{j\in[q]}),\qquad T_0 = \{\mathbf{h}_j\}_{j\in[q]},\qquad T_1 = \{\mathbf{h}_j\cdot(1_{\mathbb{H}_0}; (h^*)^{\gamma_j\mathbf{e}_\eta})\}_{j\in[q]}$$

and $\hat{\mathbf{g}}\leftarrow\mathrm{Samp\hat{G}}(\mathrm{pp}, \mathrm{sp})$, $\mathbf{h}_j, \mathbf{h}'_j\leftarrow\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$, $\gamma_j\leftarrow\mathbb{Z}_{\mathrm{ord}(\mathbb{H})}$; $\hat{\mathbf{g}}_{-\eta}$ refers to $(\hat{g}_0; \hat{g}_1,\ldots,\hat{g}_{\eta-1}, \hat{g}_{\eta+1},\ldots,\hat{g}_n)$, and $\mathbf{e}_\eta$ is the $n$-dimensional unit vector with a 1 in the $\eta$th position. We define $\mathrm{Adv}^{\mathrm{NH}}_{\mathcal{A}}(\lambda, q) = \max_{\eta\in[n]}\{\mathrm{Adv}^{\mathrm{NH}(\eta)}_{\mathcal{A}}(\lambda, q)\}$. 

(G-uniformity) The statistical distance between the following two distributions is bounded by 

$$\{\mathrm{pp},\ h^*,\ \{\mathbf{h}_j\cdot(1_{\mathbb{H}_0};\ \ldots)\}_{j\in[q]},\ \ldots\}\qquad\text{and}\qquad\{\mathrm{pp},\ h^*,\ \{\mathbf{h}_j\cdot(1_{\mathbb{H}_0};\ (h^*)^{\nu_j\mathbf{1}_n})\}_{j\in[q]},\ \ldots\}$$

where $\mathbf{h}_j\leftarrow\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$, $\mathbf{g}\leftarrow\mathrm{SampG}(\mathrm{pp})$, $\hat{\mathbf{g}}\leftarrow\mathrm{Samp\hat{G}}(\mathrm{pp}, \mathrm{sp})$, $\nu_j\leftarrow\mathbb{Z}_{\mathrm{ord}(\mathbb{H})}$, and $\mathbf{1}_n$ is a vector of $n$ 1's. 

One can construct an IBE scheme from a generalized NDSG following Chen and Wee's generic construction [9]. The master public/secret key pair is 

$$\mathrm{mpk} = (\mathrm{pp}, \mu(\mathrm{msk}_0))\quad\text{and}\quad\mathrm{msk} = (\mathrm{msk}_0, \mathrm{sp}),$$

where $(\mathrm{pp}, \mathrm{sp})\leftarrow\mathrm{SampP}(1^\lambda, 2n)$ and $\mathrm{msk}_0\leftarrow\mathbb{H}$. A secret key for ID is 

$$\mathrm{sk}_{\mathrm{ID}} = \left(K_0 = h_0,\ K_1 = \mathrm{msk}_0\cdot\prod_{i\in[n]}h_{2i-\mathrm{ID}[i]}\right)\in\mathbb{H}_0\times\mathbb{H},$$

where $(h_0; h_1,\ldots,h_{2n})\leftarrow\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$. A ciphertext for M under ID is 

$$\mathrm{ct}_{\mathrm{ID}} = \left(C_0 = g_0,\ C_1 = \prod_{i\in[n]}g_{2i-\mathrm{ID}[i]},\ C_2 = g'_T\cdot\mathrm{M}\right)\in\mathbb{G}_0\times\mathbb{G}\times\mathbb{G}_T,$$

where $(g_0; g_1,\ldots,g_{2n})\leftarrow\mathrm{SampG}(\mathrm{pp}; s)$ and $g'_T = \mathrm{SampGT}(\mu(\mathrm{msk}_0); s)$ for random coin $s$. The message can be recovered by $\mathrm{M} = C_2\cdot e(C_1, K_0)/e_0(C_0, K_1)$. 

Remark 2 (group structure). We generalized SampG, SampĜ and SampH such that the elements they output may come from two different groups. Of course, the new groups $\mathbb{G}_0$ and $\mathbb{H}_0$ are generated via SampP and described in pp. Motivated by the decryption procedure (see the diagram below), we require two bilinear maps $e_0$ and $e$, denoted by the dashed line and the solid line, respectively, in the diagram. 

    ct_ID:  C_0 ∈ G_0      C_1 ∈ G      C_2 ∈ G_T 
    sk_ID:  K_0 ∈ H_0      K_1 ∈ H 
    e_0 (dashed): C_0 ---- K_1          e (solid): C_1 ---- K_0 

It is worth noting that both maps share the same range $\mathbb{G}_T$, which helps us to preserve the associative property and thus the correctness of the IBE scheme. 

Remark 3 (private SampH). We make the algorithm SampH private as in [14]. One should run SampH with sp besides pp. Therefore left subgroup and nested-hiding indistinguishability are modified accordingly [14], since the adversary now cannot run SampH by itself. 

Remark 4 (G-uniformity and anonymity). The G-uniformity property is used to achieve anonymity. Our definition could be viewed as a direct combination of H-hiding and G-uniformity described by Chen et al. in [8] with a tiny relaxation. In particular, we require the last $n$ elements in $\mathbf{g}\cdot\hat{\mathbf{g}}$ to be hidden by one random element from $\mathbb{G}$ instead of $n$ i.i.d. random elements in $\mathbb{G}$ as in [8]. One can check that our definition is sufficiently strong to prove the weak anonymity [3] (c.f. Sect. 2.2) of our generic IBE scheme. 

4.2 A Prime-Order Instantiation Motivated by BKP 

We provide an instantiation of our generalized NDSG in prime-order bilinear groups. This formalizes our (informal) observation in Sect. 3.1. 

- $\mathrm{SampP}(1^\lambda, n)$: Run $\mathcal{G} = (\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2)\leftarrow\mathrm{GrpGen}(1^\lambda)$. Define 

$$\mathbb{G}_0 = \mathbb{G}_1^{k+1},\quad\mathbb{G} = \mathbb{G}_1^k,\quad\mathbb{H}_0 = \mathbb{G}_2^k,\quad\mathbb{H} = \mathbb{G}_2^{k+1}$$

and let the bilinear maps $e_0$ and $e$ be the natural extensions of $e$ (given in $\mathcal{G}$) to $(k+1)$-dimensional and $k$-dimensional vectors, respectively. Sample $(\mathbf{A}, \mathbf{a}^\perp)\leftarrow\mathcal{D}_k$ and $\mathbf{b}\leftarrow\mathbb{Z}_p^{k+1}$. For each $\mathbf{k}\in\mathbb{Z}_p^{k+1}$, define $\mu : \mathbb{G}_2^{k+1}\to\mathbb{G}_T^k$ by 

$$\mu([\mathbf{k}]_2) = e([\mathbf{A}]_1, [\mathbf{k}]_2) = [\mathbf{A}^T\mathbf{k}]_T.$$

Let $h^* = [\mathbf{a}^\perp]_2\in\mathbb{G}_2^{k+1}$. Pick $\mathbf{W}_i\leftarrow\mathbb{Z}_p^{k\times(k+1)}$ for all $i\in[n]$ and output 

$$\mathrm{pp} = ([\mathbf{A}]_1, [\mathbf{W}_1\mathbf{A}]_1,\ldots,[\mathbf{W}_n\mathbf{A}]_1),\qquad\mathrm{sp} = (\mathbf{a}^\perp, \mathbf{b}, \mathbf{W}_1,\ldots,\mathbf{W}_n).$$

- $\mathrm{SampGT}([\mathbf{p}]_T)$: Sample $\mathbf{s}\leftarrow\mathbb{Z}_p^k$ and output $[\mathbf{s}^T\mathbf{p}]_T\in\mathbb{G}_T$ for $\mathbf{p}\in\mathbb{Z}_p^k$. 

- $\mathrm{SampG}(\mathrm{pp})$: Sample $\mathbf{s}\leftarrow\mathbb{Z}_p^k$ and output 

$$([\mathbf{A}\mathbf{s}]_1; [\mathbf{W}_1\mathbf{A}\mathbf{s}]_1,\ldots,[\mathbf{W}_n\mathbf{A}\mathbf{s}]_1)\in\mathbb{G}_1^{k+1}\times(\mathbb{G}_1^k)^n.$$

- $\mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$: Sample $\mathbf{r}\leftarrow\mathbb{Z}_p^k$ and output 

$$([\mathbf{r}]_2; [\mathbf{W}_1^T\mathbf{r}]_2,\ldots,[\mathbf{W}_n^T\mathbf{r}]_2)\in\mathbb{G}_2^k\times(\mathbb{G}_2^{k+1})^n.$$

- $\mathrm{Samp\hat{G}}(\mathrm{pp}, \mathrm{sp})$: Sample $\hat{s}\leftarrow\mathbb{Z}_p$ and output 

$$([\mathbf{b}\hat{s}]_1; [\mathbf{W}_1\mathbf{b}\hat{s}]_1,\ldots,[\mathbf{W}_n\mathbf{b}\hat{s}]_1)\in\mathbb{G}_1^{k+1}\times(\mathbb{G}_1^k)^n.$$

For lack of space we only give the formal proof of nested-hiding indistinguishability. The remaining requirements can be proved following [8,12]. 
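As an added illustration (not the paper's code), the following Python program simulates this instantiation "in the exponent": a group element $[x]_s$ is represented by $x\in\mathbb{Z}_p$ and the pairing by an inner product, so the orthogonality, non-degeneracy, projective and associative properties of Sect. 4.1, and decryption in the generic IBE built on top of the instantiation, can be checked with modular arithmetic alone. The prime modulus, the seed and the function names are assumptions of the example; the exponent view reproduces the algebra exactly but of course offers no hardness.

```python
# Added example, not from the paper: the prime-order instantiation of Sect. 4.2 and the generic
# IBE of Sect. 4.1, simulated "in the exponent".  A group element [x]_s is represented by x in Z_p
# and a pairing e([x]_1, [y]_2) = [x^T y]_T by an inner product, so every correctness property
# reduces to modular arithmetic (this models the algebra only; it has no cryptographic hardness).
import random

P = 2**61 - 1        # constructed prime modulus standing in for the group order p
random.seed(7)

def rand_vec(n):
    return [random.randrange(P) for _ in range(n)]

def rand_mat(rows, cols):
    return [rand_vec(cols) for _ in range(rows)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]

def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % P for i in range(len(M))]

def vec_add(u, v):
    """Group multiplication in G or H is vector addition in the exponent."""
    return [(a + b) % P for a, b in zip(u, v)]

def pair(x, y):
    """e([x]_1, [y]_2) = [x^T y]_T; e_0 (on k+1 dims) and e (on k dims) follow the same rule."""
    assert len(x) == len(y)
    return sum(a * b for a, b in zip(x, y)) % P

def klin_sample(k):
    """(A, a^perp) <- D_k for k-Lin: A = (diag(a_1..a_k); 1...1), a^perp = (a_1^-1..a_k^-1; -1)."""
    a = [random.randrange(1, P) for _ in range(k)]
    A = [[a[i] if i == j else 0 for j in range(k)] for i in range(k)] + [[1] * k]
    return A, [pow(ai, P - 2, P) for ai in a] + [P - 1]

def SampP(k, n):
    A, a_perp = klin_sample(k)
    b = rand_vec(k + 1)
    W = [rand_mat(k, k + 1) for _ in range(n)]           # W_i <- Z_p^{k x (k+1)}
    pp = {"A": A, "WA": [matmul(Wi, A) for Wi in W]}     # [A]_1, [W_1 A]_1, ..., [W_n A]_1
    sp = {"a_perp": a_perp, "b": b, "W": W}              # h* = [a^perp]_2 is read from sp
    return pp, sp

def mu(pp, kvec):
    """mu([k]_2) = e([A]_1, [k]_2) = [A^T k]_T."""
    return matvec(transpose(pp["A"]), kvec)

def SampGT(pvec, s):
    """SampGT([p]_T; s) = [s^T p]_T."""
    return pair(s, pvec)

def SampG(pp, s):
    """([A s]_1; [W_1 A s]_1, ..., [W_n A s]_1)."""
    return matvec(pp["A"], s), [matvec(WA, s) for WA in pp["WA"]]

def SampH(pp, sp, r):
    """([r]_2; [W_1^T r]_2, ..., [W_n^T r]_2)."""
    return r, [matvec(transpose(Wi), r) for Wi in sp["W"]]

def SampG_hat(pp, sp, s_hat):
    """([b s^]_1; [W_1 b s^]_1, ..., [W_n b s^]_1)."""
    g0 = [x * s_hat % P for x in sp["b"]]
    return g0, [matvec(Wi, g0) for Wi in sp["W"]]

def ndsg_properties(k, n):
    """Orthogonality, non-degeneracy, projective and associative properties for fresh parameters."""
    pp, sp = SampP(k, n)
    h_star = sp["a_perp"]
    s, r, h = rand_vec(k), rand_vec(k), rand_vec(k + 1)
    g0, g = SampG(pp, s)
    h0, hs = SampH(pp, sp, r)
    g0_hat, _ = SampG_hat(pp, sp, random.randrange(1, P))
    return {
        "orthogonality": mu(pp, h_star) == [0] * k,            # A^T a^perp = 0
        "non-degeneracy": pair(g0_hat, h_star) != 0,           # s^ b^T a^perp != 0 (Lemma 1)
        "projective": SampGT(mu(pp, h), s) == pair(g0, h),     # s^T A^T h = (A s)^T h
        "associative": all(pair(g0, hs[i]) == pair(g[i], h0) for i in range(n)),
    }

def ibe_roundtrip(k, n, ID, M):
    """Generic IBE of Sect. 4.1 on top of the instantiation; returns the decrypted message."""
    pp, sp = SampP(k, 2 * n)                               # SampP(1^lambda, 2n)
    msk0 = rand_vec(k + 1)                                 # msk_0 <- H = G_2^{k+1}
    mpk_mu = mu(pp, msk0)                                  # mpk = (pp, mu(msk_0))
    # KeyGen: sk_ID = (K_0 = h_0, K_1 = msk_0 * prod_i h_{2i - ID[i]})
    K0, hs = SampH(pp, sp, rand_vec(k))
    K1 = msk0
    for i in range(1, n + 1):
        K1 = vec_add(K1, hs[2 * i - ID[i - 1] - 1])        # 0-based index of h_{2i - ID[i]}
    # Enc: ct_ID = (C_0 = g_0, C_1 = prod_i g_{2i - ID[i]}, C_2 = g'_T * M)
    s = rand_vec(k)
    C0, gs = SampG(pp, s)
    C1 = [0] * k
    for i in range(1, n + 1):
        C1 = vec_add(C1, gs[2 * i - ID[i - 1] - 1])
    C2 = (SampGT(mpk_mu, s) + M) % P                       # G_T written additively
    # Dec: M = C_2 * e(C_1, K_0) / e_0(C_0, K_1)
    return (C2 + pair(C1, K0) - pair(C0, K1)) % P
```

`ndsg_properties(k, n)` returns a dictionary in which every entry is `True`, and `ibe_roundtrip(k, n, ID, M)` returns `M`; the decryption identity holds because $e(C_1, K_0)$ contributes $\sum_i(\mathbf{W}_{2i-\mathrm{ID}[i]}\mathbf{A}\mathbf{s})^T\mathbf{r}$, which is exactly what $e_0(C_0, K_1)$ contributes beyond $\mathbf{s}^T\mathbf{A}^T\mathrm{msk}_0$.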

4.3 Nested-Hiding Indistinguishability 

We may rewrite the advantage function $\mathrm{Adv}^{\mathrm{NH}(\eta)}_{\mathcal{A}}(\lambda, q)$ using 

$$\begin{array}{l}\mathrm{pp} = ([\mathbf{A}]_1, [\mathbf{W}_1\mathbf{A}]_1,\ldots,[\mathbf{W}_n\mathbf{A}]_1);\\ h^* = [\mathbf{a}^\perp]_2;\\ \hat{\mathbf{g}} = ([\mathbf{b}\hat{s}]_1; [\mathbf{W}_1\mathbf{b}\hat{s}]_1,\ldots,[\mathbf{W}_n\mathbf{b}\hat{s}]_1),\quad\hat{s}\leftarrow\mathbb{Z}_p;\\ \mathbf{h}'_j = ([\mathbf{r}'_j]_2; [\mathbf{W}_1^T\mathbf{r}'_j]_2,\ldots,[\mathbf{W}_n^T\mathbf{r}'_j]_2),\quad\mathbf{r}'_j\leftarrow\mathbb{Z}_p^k;\end{array}$$

and the challenge term $\{\mathbf{h}_j\cdot(1_{\mathbb{H}_0}; (h^*)^{\gamma_j\mathbf{e}_\eta})\}$ may be written as 

$$([\mathbf{r}_j]_2;\ \ldots,\ [\mathbf{W}_\eta^T\mathbf{r}_j + \mathbf{a}^\perp\gamma_j]_2,\ \ldots,\ [\mathbf{W}_n^T\mathbf{r}_j]_2),\qquad\mathbf{r}_j\leftarrow\mathbb{Z}_p^k,$$

where either $\gamma_j\leftarrow\mathbb{Z}_p$ or $\gamma_j = 0$. 

Before we proceed, we first prove a lemma implicitly used in Blazy et al.'s proof [4], which looks like the Many Tuple Lemma by Chen and Wee [9]. 

Lemma 5. Given $Q\in\mathbb{N}$, a group $\mathbb{G}$ of prime order $p$, $[\mathbf{M}]\in\mathbb{G}^{(k+1)\times k}$ and $[\mathbf{T}] = [\mathbf{t}_1|\cdots|\mathbf{t}_Q]\in\mathbb{G}^{(k+1)\times Q}$ (here $[\cdot]$ is the implicit representation on $\mathbb{G}$) where either $\mathbf{t}_i\leftarrow\mathrm{Span}(\mathbf{M})$ or $\mathbf{t}_i\leftarrow\mathbb{Z}_p^{k+1}$, one can efficiently compute 

$$[\mathbf{Z}],\ [\mathbf{v}\mathbf{Z}],\ \{[\overline{\mathbf{t}}_j], [\tau_j]\}_{j\in[Q]}$$

where $\mathbf{Z}\in\mathbb{Z}_p^{k\times k}$ is full-rank, $\mathbf{v}\in\mathbb{Z}_p^{1\times k}$ is a secret row vector, $\overline{\mathbf{t}}_j\in\mathbb{Z}_p^k$, and either $\tau_j = \mathbf{v}\overline{\mathbf{t}}_j$ (when $\mathbf{t}_j\leftarrow\mathrm{Span}(\mathbf{M})$) or $\tau_j\leftarrow\mathbb{Z}_p$ (when $\mathbf{t}_j\leftarrow\mathbb{Z}_p^{k+1}$). 
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Proof. Given Q, G, [M], [T] = [t 1 1 • * • |t q], the algorithm works as follows: 

Programming [Z] and [vZ]. Define Z = M. Pick m = (mi, . . . ,777^,777^+1) <— 
Zp x(/C+1) and implicitly define v G such that 


vZ = vM = mM. 


One can compute [Z] and [vZ] using [M] and m. 
Generating Q tuples. For all j G [Q], we compute 


+] = [tj-] and [tj] = [mt+ 


Here tj indicates the first k entries of tj. 

Observe that: if tj = Mu j for some u j G ZjJ;, we have that Tj = Muj and 
Tj = mMuj = vMuj = vTj; if tj <— Z^ +1 , we can see that 


1 \ 

Vmi • • • TOfc TOjfc+i/ 

is uniformly distributed over Z^ +1 . This readily proves the lemma. □ 

We now prove the following lemma for all $\eta \in [n]$.

Lemma 6. For any p.p.t. adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that

$$\mathrm{Adv}^{\mathrm{NH}(\eta)}(\mathcal{A}, q) \le \mathrm{Adv}^{\mathrm{MDDH}}_{\mathcal{D}_k, G_2, q}(\mathcal{B})$$

where $T(\mathcal{B}) \approx T(\mathcal{A}) + k^2 \cdot q \cdot \mathrm{poly}(\lambda, n)$ and $\mathrm{poly}(\lambda, n)$ is independent of $T(\mathcal{A})$.

Proof. Given $[\mathbf{M}]_2 \in G_2^{(k+1) \times k}$ and $[\mathbf{T}]_2 = [\mathbf{t}_1 | \cdots | \mathbf{t}_q]_2 \in G_2^{(k+1) \times q}$ where $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$ or $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{k+1}$, $\mathcal{B}$ proceeds as follows:

Generating $q$ tuples. We invoke the algorithm described in Lemma 5 on input $(q, G_2, [\mathbf{M}]_2, [\mathbf{T}]_2)$ and obtain $([\mathbf{Z}]_2, [\mathbf{v}\mathbf{Z}]_2, \{[\boldsymbol{\tau}_j]_2, [\hat{\tau}_j]_2\}_{j \in [q]})$.

Simulating pp and $h^*$. Sample $(\mathbf{A}, \mathbf{a}^\perp) \leftarrow \mathcal{D}_k$ and define $h^* = [\mathbf{a}^\perp]_2$. Sample $\mathbf{W}_i \leftarrow \mathbb{Z}_p^{k \times (k+1)}$ for all $i \in [n] \setminus \{\eta\}$. Pick $\widetilde{\mathbf{W}}_\eta \leftarrow \mathbb{Z}_p^{k \times (k+1)}$ and implicitly set

$$\mathbf{W}_\eta = \widetilde{\mathbf{W}}_\eta + \mathbf{v}^\top (\mathbf{a}^\perp)^\top .$$

Therefore we can simulate all entries in pp with the observation

$$\mathbf{W}_\eta \mathbf{A} = (\widetilde{\mathbf{W}}_\eta + \mathbf{v}^\top (\mathbf{a}^\perp)^\top) \mathbf{A} = \widetilde{\mathbf{W}}_\eta \mathbf{A},$$

where the secret vector $\mathbf{v}$ has been eliminated by the fact $\mathbf{A}^\top \mathbf{a}^\perp = \mathbf{0}$.

Simulating $\hat{g}_{-\eta}$. Sample $\mathbf{b} \leftarrow \mathbb{Z}_p^{k+1}$. We can directly simulate $\hat{g}_{-\eta}$ since we know $\mathbf{W}_i$ for all $i \in [n] \setminus \{\eta\}$. Note that we do not know $\mathbf{W}_\eta \mathbf{b}$, which involves the secret vector $\mathbf{v}$, but it is not needed here.

Simulating $h'_j$. Sample $\bar{\mathbf{r}}_j \leftarrow \mathbb{Z}_p^k$ and implicitly define

$$\mathbf{r}'_j = \mathbf{Z}\bar{\mathbf{r}}_j \quad \text{for all } j \in [q].$$

We are ready to produce $[\mathbf{r}'_j]_2$ and $[\mathbf{W}_i^\top \mathbf{r}'_j]_2$ for $i \in [n] \setminus \{\eta\}$. For the remaining entry observe that

$$\mathbf{W}_\eta^\top \mathbf{r}'_j = (\widetilde{\mathbf{W}}_\eta + \mathbf{v}^\top (\mathbf{a}^\perp)^\top)^\top \mathbf{Z}\bar{\mathbf{r}}_j = \widetilde{\mathbf{W}}_\eta^\top \mathbf{Z}\bar{\mathbf{r}}_j + \mathbf{a}^\perp (\mathbf{v}\mathbf{Z}) \bar{\mathbf{r}}_j .$$

The entry $[\mathbf{W}_\eta^\top \mathbf{r}'_j]_2$ can be simulated with $\widetilde{\mathbf{W}}_\eta$, $\mathbf{a}^\perp$, $\bar{\mathbf{r}}_j$ and $[\mathbf{Z}]_2$, $[\mathbf{v}\mathbf{Z}]_2$.

Simulating the challenge. For all $j \in [q]$, we produce the challenge as

$$([\boldsymbol{\tau}_j]_2;\ [\mathbf{W}_1^\top \boldsymbol{\tau}_j]_2, \ldots, [\widetilde{\mathbf{W}}_\eta^\top \boldsymbol{\tau}_j + \mathbf{a}^\perp \hat{\tau}_j]_2, \ldots, [\mathbf{W}_n^\top \boldsymbol{\tau}_j]_2).$$

Here we implicitly set $\mathbf{r}_j = \boldsymbol{\tau}_j$. Observe that, when $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$, we have $\hat{\tau}_j = \mathbf{v}\boldsymbol{\tau}_j$ and the challenge is identical to $\{h_j\}$, i.e., $\gamma_j = 0$; when $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{k+1}$, we have $\hat{\tau}_j \leftarrow \mathbb{Z}_p$ and the challenge is identical to $\{h_j \cdot (1_{H_0}; (h^*)^{\gamma_j \mathbf{e}_\eta})\}$ where $\gamma_j = \hat{\tau}_j - \mathbf{v}\boldsymbol{\tau}_j$ is uniformly distributed over $\mathbb{Z}_p$. This proves the lemma. □

5 Towards Tight Security in MIMC Setting

5.1 A Generalization of Extended Nested Dual System Group

Applying Gong et al.'s idea of extending NDSG [14], a variant of Hofheinz et al.'s method [18], to our generalization described in Sect. 4.1, we obtain a generalization of extended nested dual system group (ENDSG).

Algorithms. Our ENDSG consists of eight p.p.t. algorithms defined as follows:

- SampP($1^\lambda$, $n$): Output (pp, sp) where:

  - pp contains the group description $(G_0, G, H_0, H, G_T)$ and two admissible bilinear maps

$$e_0 : G_0 \times H \to G_T \quad \text{and} \quad e : G \times H_0 \to G_T,$$

  an efficient linear map $\mu$ defined on $H$, and public parameters for SampG;

  - sp contains secret parameters for SampH, Samp$\hat{G}$, Samp$\tilde{G}$, Samp$\hat{H}^*$ and Samp$\tilde{H}^*$.

- SampGT: $\mathrm{Im}(\mu) \to G_T$.

- SampG(pp): Output $g = (g_0; g_1, \ldots, g_n) \in G_0 \times G^n$.

- SampH(pp, sp): Output $h = (h_0; h_1, \ldots, h_n) \in H_0 \times H^n$.

- Samp$\hat{G}$(pp, sp): Output $\hat{g} = (\hat{g}_0; \hat{g}_1, \ldots, \hat{g}_n) \in G_0 \times G^n$.

- Samp$\tilde{G}$(pp, sp): Output $\tilde{g} = (\tilde{g}_0; \tilde{g}_1, \ldots, \tilde{g}_n) \in G_0 \times G^n$.

- Samp$\hat{H}^*$(pp, sp): Output $\hat{h}^* \in H$.

- Samp$\tilde{H}^*$(pp, sp): Output $\tilde{h}^* \in H$.

We employ Samp$G_0$ (resp., Samp$\hat{G}_0$, Samp$\tilde{G}_0$) to indicate the first element $g_0 \in G_0$ (resp., $\hat{g}_0 \in G_0$, $\tilde{g}_0 \in G_0$) in the output of SampG (resp., Samp$\hat{G}$, Samp$\tilde{G}$).

Correctness and Security. The correctness requirement is exactly the same as for our generalized NDSG, including projective and associative (c.f. Sect. 4.1). For all $\lambda, n \in \mathbb{Z}^+$ and $(\mathrm{pp}, \mathrm{sp}) \leftarrow \mathrm{SampP}(1^\lambda, n)$, the security requirement involves:

(orthogonality) For all $\hat{h}^* \in [\mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})]$ and all $\tilde{h}^* \in [\mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})]$: (1) $\mu(\hat{h}^*) = \mu(\tilde{h}^*) = 1$; (2) $e_0(\hat{g}_0, \tilde{h}^*) = 1$ for all $\hat{g}_0 \in [\mathrm{Samp}\hat{G}_0(\mathrm{pp}, \mathrm{sp})]$; (3) $e_0(\tilde{g}_0, \hat{h}^*) = 1$ for all $\tilde{g}_0 \in [\mathrm{Samp}\tilde{G}_0(\mathrm{pp}, \mathrm{sp})]$.

(H-subgroup) The output of SampH(pp, sp) is uniformly distributed over some subgroup of $H_0 \times H^n$, while those of Samp$\hat{H}^*$(pp, sp) and Samp$\tilde{H}^*$(pp, sp) are uniformly distributed over some subgroup of $H$, respectively.

(left subgroup indistinguishability 1) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{LS1}}(\mathcal{A}, q, q') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{h_j\}_{j \in [q']})$,

$$T_0 = \{g_j\}_{j \in [q]}, \qquad T_1 = \{g_j \cdot \hat{g}_j \cdot \tilde{g}_j\}_{j \in [q]},$$

and $g_j \leftarrow \mathrm{SampG}(\mathrm{pp})$, $\hat{g}_j \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\tilde{g}_j \leftarrow \mathrm{Samp}\tilde{G}(\mathrm{pp}, \mathrm{sp})$, $h_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$.

(left subgroup indistinguishability 2) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{LS2}}(\mathcal{A}, q, q') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{\hat{h}^*_j \cdot \tilde{h}^*_j\}_{j \in [q+q']}, \{g'_j \cdot \hat{g}'_j \cdot \tilde{g}'_j\}_{j \in [q]}, \{h_j\}_{j \in [q']})$,

$$T_0 = \{g_j \cdot \hat{g}_j \cdot \tilde{g}_j\}_{j \in [q]}, \qquad T_1 = \{g_j \cdot \hat{g}_j\}_{j \in [q]},$$

and $\hat{h}^*_j \leftarrow \mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})$, $\tilde{h}^*_j \leftarrow \mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})$, $g_j, g'_j \leftarrow \mathrm{SampG}(\mathrm{pp})$, $\hat{g}_j, \hat{g}'_j \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\tilde{g}_j, \tilde{g}'_j \leftarrow \mathrm{Samp}\tilde{G}(\mathrm{pp}, \mathrm{sp})$, $h_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$.

(left subgroup indistinguishability 3) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{LS3}}(\mathcal{A}, q, q') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{\hat{h}^*_j \cdot \tilde{h}^*_j\}_{j \in [q+q']}, \{g'_j \cdot \hat{g}'_j\}_{j \in [q]}, \{h_j\}_{j \in [q']})$,

$$T_0 = \{g_j \cdot \hat{g}_j \cdot \tilde{g}_j\}_{j \in [q]}, \qquad T_1 = \{g_j \cdot \tilde{g}_j\}_{j \in [q]},$$

and $\hat{h}^*_j \leftarrow \mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})$, $\tilde{h}^*_j \leftarrow \mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})$, $g_j, g'_j \leftarrow \mathrm{SampG}(\mathrm{pp})$, $\hat{g}_j, \hat{g}'_j \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\tilde{g}_j \leftarrow \mathrm{Samp}\tilde{G}(\mathrm{pp}, \mathrm{sp})$, $h_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$.

(nested-hiding indistinguishability) For all $\eta \in [\lfloor n/2 \rfloor]$ and any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{NH}(\eta)}(\mathcal{A}, q, q') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{\hat{h}^*_j, \tilde{h}^*_j\}_{j \in [q+q']}, \{(\hat{g}_j)_{-(2\eta-1)}, (\tilde{g}_j)_{-2\eta}\}_{j \in [q]}, \{h'_j\}_{j \in [q']})$,

$$T_0 = \{h_j\}_{j \in [q']}, \qquad T_1 = \{h_j \cdot (1_{H_0}; (\hat{h}^{**}_j)^{\mathbf{e}_{2\eta-1}}) \cdot (1_{H_0}; (\tilde{h}^{**}_j)^{\mathbf{e}_{2\eta}})\}_{j \in [q']},$$

and $\hat{g}_j \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\tilde{g}_j \leftarrow \mathrm{Samp}\tilde{G}(\mathrm{pp}, \mathrm{sp})$, $\hat{h}^*_j, \hat{h}^{**}_j \leftarrow \mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})$, $\tilde{h}^*_j, \tilde{h}^{**}_j \leftarrow \mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})$, $h_j, h'_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$. We may further define $\mathrm{Adv}^{\mathrm{NH}}(\mathcal{A}, q, q') = \max_{\eta \in [\lfloor n/2 \rfloor]} \{\mathrm{Adv}^{\mathrm{NH}(\eta)}(\mathcal{A}, q, q')\}$.

(non-degeneracy) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{ND}}(\mathcal{A}, q, q', q'') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{\hat{h}^*_j \cdot \tilde{h}^*_j, h_j\}_{j \in [q']}, \{\hat{g}_{j,j'} = (\hat{g}_{0,j,j'}; \cdots)\}_{j \in [q], j' \in [q'']})$,

$$T_0 = \{e_0(\hat{g}_{0,j,j'}, \hat{h}^*_j)\}_{j \in [q], j' \in [q'']}, \qquad T_1 = \{e_0(\hat{g}_{0,j,j'}, \hat{h}^*_j) \cdot R_{j,j'}\}_{j \in [q], j' \in [q'']},$$

and $\hat{g}_{j,j'} \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\hat{h}^*_j \leftarrow \mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})$, $\tilde{h}^*_j \leftarrow \mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})$, $h_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$, and $R_{j,j'} \leftarrow G_T$.

(G-uniformity) For any p.p.t. adversary $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

$$\mathrm{Adv}^{\mathrm{G\text{-}uni}}(\mathcal{A}, q, q') := |\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]|,$$

where $D = (\mathrm{pp}, \{h_j \cdot (1_{H_0}; \hat{h}^*_{1,j}, \ldots, \hat{h}^*_{n,j}), \hat{h}^*_j, \tilde{h}^*_j\}_{j \in [q']})$,

$$T_0 = \{g_j \cdot \hat{g}_j\}_{j \in [q]}, \qquad T_1 = \{g_j \cdot \hat{g}_j \cdot (1_{G_0}; (g'_j)^{\mathbf{1}_n})\}_{j \in [q]},$$

and $h_j \leftarrow \mathrm{SampH}(\mathrm{pp}, \mathrm{sp})$, $g_j \leftarrow \mathrm{SampG}(\mathrm{pp})$, $\hat{g}_j \leftarrow \mathrm{Samp}\hat{G}(\mathrm{pp}, \mathrm{sp})$, $\hat{h}^*_j, \hat{h}^*_{1,j}, \ldots, \hat{h}^*_{n,j} \leftarrow \mathrm{Samp}\hat{H}^*(\mathrm{pp}, \mathrm{sp})$, $\tilde{h}^*_j \leftarrow \mathrm{Samp}\tilde{H}^*(\mathrm{pp}, \mathrm{sp})$, $g'_j \leftarrow G$.

The generic IBE in the multi-instance setting is similar to the IBE scheme in Sect. 4.1 except that we take $(\mathrm{pp}, \mathrm{sp}) \leftarrow \mathrm{SampP}(1^\lambda, 2n)$ as the global parameter GP and a master secret $\mathrm{msk}_0 \in H$ is picked for each instance (in algorithm Setup).


5.2 An Instantiation in the Prime-Order Group

The generalized ENDSG described above can be implemented by extending the construction in Sect. 4.2. In particular, we follow the extension technique by Gong et al. [14] and Gay et al. [12] (c.f. Sect. 3.3).

- SampP($1^\lambda$, $n$): Run $\mathcal{G} = (G_1, G_2, G_T, p, e, g_1, g_2) \leftarrow \mathrm{GrpGen}(1^\lambda)$. Define

$$G_0 = G_1^{3k}, \quad G = G_1^{k}, \quad H_0 = G_2^{k}, \quad H = G_2^{3k}$$

and let the bilinear maps $e_0$ and $e$ be the natural extensions of $e$ (given in $\mathcal{G}$) to $3k$-dim and $k$-dim, respectively. Sample $\mathbf{A}, \hat{\mathbf{A}}, \tilde{\mathbf{A}} \leftarrow \mathcal{U}_{3k,k}$ and randomly pick $\hat{\mathbf{A}}^*, \tilde{\mathbf{A}}^* \in \mathbb{Z}_p^{3k \times k}$ as respective bases of $\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^\top)$ and $\mathrm{Ker}((\mathbf{A}|\hat{\mathbf{A}})^\top)$. For each $\mathbf{k} \in \mathbb{Z}_p^{3k}$ define $\mu : G_2^{3k} \to G_T^k$ by $\mu([\mathbf{k}]_2) = e([\mathbf{A}]_1, [\mathbf{k}]_2) = [\mathbf{A}^\top \mathbf{k}]_T$. Sample $\mathbf{W}_i \leftarrow \mathbb{Z}_p^{k \times 3k}$ for all $i \in [n]$ and output

$$\mathrm{pp} = ([\mathbf{A}]_1, [\mathbf{W}_1 \mathbf{A}]_1, \ldots, [\mathbf{W}_n \mathbf{A}]_1), \qquad \mathrm{sp} = (\hat{\mathbf{A}}, \tilde{\mathbf{A}}, \hat{\mathbf{A}}^*, \tilde{\mathbf{A}}^*, \mathbf{W}_1, \ldots, \mathbf{W}_n).$$

- SampGT($[\mathbf{p}]_T$): Sample $\mathbf{s} \leftarrow \mathbb{Z}_p^k$ and output $[\mathbf{s}^\top \mathbf{p}]_T$ for $\mathbf{p} \in \mathbb{Z}_p^k$.

- SampG(pp): Sample $\mathbf{s} \leftarrow \mathbb{Z}_p^k$ and output

$$([\mathbf{A}\mathbf{s}]_1;\ [\mathbf{W}_1 \mathbf{A}\mathbf{s}]_1, \ldots, [\mathbf{W}_n \mathbf{A}\mathbf{s}]_1) \in G_1^{3k} \times (G_1^k)^n .$$

- SampH(pp, sp): Sample $\mathbf{r} \leftarrow \mathbb{Z}_p^k$ and output

$$([\mathbf{r}]_2;\ [\mathbf{W}_1^\top \mathbf{r}]_2, \ldots, [\mathbf{W}_n^\top \mathbf{r}]_2) \in G_2^{k} \times (G_2^{3k})^n .$$

- Samp$\hat{G}$(pp, sp): Sample $\hat{\mathbf{s}} \leftarrow \mathbb{Z}_p^k$ and output

$$([\hat{\mathbf{A}}\hat{\mathbf{s}}]_1;\ [\mathbf{W}_1 \hat{\mathbf{A}}\hat{\mathbf{s}}]_1, \ldots, [\mathbf{W}_n \hat{\mathbf{A}}\hat{\mathbf{s}}]_1) \in G_1^{3k} \times (G_1^k)^n .$$

- Samp$\tilde{G}$(pp, sp): Sample $\tilde{\mathbf{s}} \leftarrow \mathbb{Z}_p^k$ and output

$$([\tilde{\mathbf{A}}\tilde{\mathbf{s}}]_1;\ [\mathbf{W}_1 \tilde{\mathbf{A}}\tilde{\mathbf{s}}]_1, \ldots, [\mathbf{W}_n \tilde{\mathbf{A}}\tilde{\mathbf{s}}]_1) \in G_1^{3k} \times (G_1^k)^n .$$

- Samp$\hat{H}^*$(pp, sp): Sample $\hat{\mathbf{r}} \leftarrow \mathbb{Z}_p^k$ and output $[\hat{\mathbf{A}}^* \hat{\mathbf{r}}]_2 \in G_2^{3k}$.

- Samp$\tilde{H}^*$(pp, sp): Sample $\tilde{\mathbf{r}} \leftarrow \mathbb{Z}_p^k$ and output $[\tilde{\mathbf{A}}^* \tilde{\mathbf{r}}]_2 \in G_2^{3k}$.

For lack of space, we only show that our instantiation satisfies Left Subgroup Indistinguishability 2 and 3, Nested-hiding Indistinguishability and G-uniformity in the next several subsections.

5.3 Left Subgroup Indistinguishability 2 and 3

We rewrite the advantage function $\mathrm{Adv}^{\mathrm{LS2}}(\mathcal{A}, q, q')$ using

$$\mathrm{pp} = ([\mathbf{A}]_1, [\mathbf{W}_1\mathbf{A}]_1, \ldots, [\mathbf{W}_n\mathbf{A}]_1);$$

$$\hat{h}^*_j \cdot \tilde{h}^*_j = [\hat{\mathbf{A}}^* \hat{\mathbf{r}}_j + \tilde{\mathbf{A}}^* \tilde{\mathbf{r}}_j]_2, \quad \hat{\mathbf{r}}_j, \tilde{\mathbf{r}}_j \leftarrow \mathbb{Z}_p^k;$$

$$g'_j \cdot \hat{g}'_j \cdot \tilde{g}'_j = ([\mathbf{s}'_j]_1;\ [\mathbf{W}_1 \mathbf{s}'_j]_1, \ldots, [\mathbf{W}_n \mathbf{s}'_j]_1), \quad \mathbf{s}'_j \leftarrow \mathbb{Z}_p^{3k};$$

$$h_j = ([\mathbf{r}_j]_2;\ [\mathbf{W}_1^\top \mathbf{r}_j]_2, \ldots, [\mathbf{W}_n^\top \mathbf{r}_j]_2), \quad \mathbf{r}_j \leftarrow \mathbb{Z}_p^k;$$

$$g_j \cdot \hat{g}_j = ([\mathbf{A}\mathbf{s}_j + \hat{\mathbf{A}}\hat{\mathbf{s}}_j]_1;\ [\mathbf{W}_1(\mathbf{A}\mathbf{s}_j + \hat{\mathbf{A}}\hat{\mathbf{s}}_j)]_1, \ldots, [\mathbf{W}_n(\mathbf{A}\mathbf{s}_j + \hat{\mathbf{A}}\hat{\mathbf{s}}_j)]_1), \quad \mathbf{s}_j, \hat{\mathbf{s}}_j \leftarrow \mathbb{Z}_p^k;$$

$$g_j \cdot \hat{g}_j \cdot \tilde{g}_j = ([\mathbf{s}_j]_1;\ [\mathbf{W}_1 \mathbf{s}_j]_1, \ldots, [\mathbf{W}_n \mathbf{s}_j]_1), \quad \mathbf{s}_j \leftarrow \mathbb{Z}_p^{3k}.$$

Note that the distribution here is identical to the original one except when $\mathbf{A}, \hat{\mathbf{A}}, \tilde{\mathbf{A}}$ fail to span the entire space $\mathbb{Z}_p^{3k}$, whose probability is bounded by $2k/p$ (c.f. Lemma 3). We prove the following lemma.

Lemma 7. For any p.p.t. adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that

$$\mathrm{Adv}^{\mathrm{LS2}}(\mathcal{A}, q, q') \le \mathrm{Adv}^{\mathrm{MDDH}}_{\mathcal{U}_{3k,k}, G_1, q}(\mathcal{B}) + 2^{-\Omega(\lambda)}$$

where $T(\mathcal{B}) \approx T(\mathcal{A}) + k^2 \cdot (q + q') \cdot \mathrm{poly}(\lambda, n)$ and $\mathrm{poly}(\lambda, n)$ is independent of $T(\mathcal{A})$.

Proof. Given $[\hat{\mathbf{A}}]_1 \in G_1^{3k \times k}$ and $[\mathbf{T}]_1 = [\mathbf{t}_1 | \cdots | \mathbf{t}_q]_1 \in G_1^{3k \times q}$, $\mathcal{B}$ works as follows:

Simulating pp. Sample $\mathbf{A} \leftarrow \mathcal{U}_{3k,k}$ and $\mathbf{W}_i \leftarrow \mathbb{Z}_p^{k \times 3k}$ for all $i \in [n]$. We can then simulate pp directly.

Simulating $\hat{h}^*_j \cdot \tilde{h}^*_j$. Calculate $\mathbf{A}^\perp \in \mathbb{Z}_p^{3k \times 2k}$ from $\mathbf{A} \in \mathbb{Z}_p^{3k \times k}$; one may then simulate $\hat{h}^*_j \cdot \tilde{h}^*_j$ by sampling $\hat{h}^*_j \cdot \tilde{h}^*_j \leftarrow \mathrm{Span}([\mathbf{A}^\perp]_2)$, by Lemma 3.

Simulating $g'_j \cdot \hat{g}'_j \cdot \tilde{g}'_j$ and $h_j$. We can simply simulate each $g'_j \cdot \hat{g}'_j \cdot \tilde{g}'_j$ (resp. $h_j$) using $\mathbf{W}_i$ for all $i \in [n]$ and a freshly chosen $\mathbf{s}'_j \leftarrow \mathbb{Z}_p^{3k}$ for all $j \in [q]$ (resp. $\mathbf{r}_j \leftarrow \mathbb{Z}_p^k$ for all $j \in [q']$).

Simulating the challenge. Sample $\mathbf{s}_j \leftarrow \mathbb{Z}_p^k$ for all $j \in [q]$. We simulate the challenge as

$$([\mathbf{A}\mathbf{s}_j + \mathbf{t}_j]_1;\ [\mathbf{W}_1(\mathbf{A}\mathbf{s}_j + \mathbf{t}_j)]_1, \ldots, [\mathbf{W}_n(\mathbf{A}\mathbf{s}_j + \mathbf{t}_j)]_1) \quad \text{for all } j \in [q].$$

Observe that: when $\mathbf{t}_j \leftarrow \mathrm{Span}(\hat{\mathbf{A}})$ for all $j \in [q]$, the challenge equals $\{g_j \cdot \hat{g}_j\}$; when $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{3k}$ for all $j \in [q]$, the challenge is identical to $\{g_j \cdot \hat{g}_j \cdot \tilde{g}_j\}$ (as described above). This proves the lemma. □

We can prove a similar lemma for $\mathrm{Adv}^{\mathrm{LS3}}(\mathcal{A}, q, q')$. The proof is almost the same as above, with the exception that $\mathcal{B}$ controls $\mathbf{A}$ and $\hat{\mathbf{A}}$ this time and embeds the $q$-fold $\mathcal{U}_{3k,k}$-MDDH instance through $\tilde{\mathbf{A}}$. More concretely, one may simulate pp, $\{\hat{h}^*_j \cdot \tilde{h}^*_j\}$, $\{h_j\}$ and the challenge with $\mathbf{A}$ and $[\tilde{\mathbf{A}}]_1$ as before, while the simulation of $\{g'_j \cdot \hat{g}'_j\}$ needs the help of $\hat{\mathbf{A}}$.


5.4 Nested-Hiding Indistinguishability

For all $\eta \in [\lfloor n/2 \rfloor]$, we rewrite the advantage function $\mathrm{Adv}^{\mathrm{NH}(\eta)}(\mathcal{A}, q, q')$ using

$$\mathrm{pp} = ([\mathbf{A}]_1, [\mathbf{W}_1\mathbf{A}]_1, \ldots, [\mathbf{W}_n\mathbf{A}]_1);$$

$$\hat{h}^*_j = [\hat{\mathbf{A}}^* \hat{\mathbf{r}}_j]_2, \quad \tilde{h}^*_j = [\tilde{\mathbf{A}}^* \tilde{\mathbf{r}}_j]_2, \quad \hat{\mathbf{r}}_j, \tilde{\mathbf{r}}_j \leftarrow \mathbb{Z}_p^k;$$

$$\hat{g}_j = ([\hat{\mathbf{A}}\hat{\mathbf{s}}_j]_1;\ [\mathbf{W}_1 \hat{\mathbf{A}}\hat{\mathbf{s}}_j]_1, \ldots, [\mathbf{W}_n \hat{\mathbf{A}}\hat{\mathbf{s}}_j]_1), \quad \hat{\mathbf{s}}_j \leftarrow \mathbb{Z}_p^k;$$

$$\tilde{g}_j = ([\tilde{\mathbf{A}}\tilde{\mathbf{s}}_j]_1;\ [\mathbf{W}_1 \tilde{\mathbf{A}}\tilde{\mathbf{s}}_j]_1, \ldots, [\mathbf{W}_n \tilde{\mathbf{A}}\tilde{\mathbf{s}}_j]_1), \quad \tilde{\mathbf{s}}_j \leftarrow \mathbb{Z}_p^k;$$

$$h'_j = ([\mathbf{r}'_j]_2;\ [\mathbf{W}_1^\top \mathbf{r}'_j]_2, \ldots, [\mathbf{W}_n^\top \mathbf{r}'_j]_2), \quad \mathbf{r}'_j \leftarrow \mathbb{Z}_p^k;$$

648 J. Gong et al.

and the challenge term $h_j \cdot (1_{H_0}; (\hat{h}^{**}_j)^{\mathbf{e}_{2\eta-1}}) \cdot (1_{H_0}; (\tilde{h}^{**}_j)^{\mathbf{e}_{2\eta}})$ equals

$$([\mathbf{r}_j]_2;\ [\mathbf{W}_1^\top \mathbf{r}_j]_2, \ldots, [\mathbf{W}_{2\eta-1}^\top \mathbf{r}_j + \hat{\mathbf{A}}^* \hat{\mathbf{r}}_j]_2, [\mathbf{W}_{2\eta}^\top \mathbf{r}_j + \tilde{\mathbf{A}}^* \tilde{\mathbf{r}}_j]_2, \ldots, [\mathbf{W}_n^\top \mathbf{r}_j]_2)$$

where $\mathbf{r}_j \leftarrow \mathbb{Z}_p^k$ and, writing $\hat{h}^{**}_j = [\hat{\mathbf{A}}^* \hat{\mathbf{r}}_j]_2$ and $\tilde{h}^{**}_j = [\tilde{\mathbf{A}}^* \tilde{\mathbf{r}}_j]_2$, either $\hat{\mathbf{r}}_j, \tilde{\mathbf{r}}_j \leftarrow \mathbb{Z}_p^k$ or $\hat{\mathbf{r}}_j = \tilde{\mathbf{r}}_j = \mathbf{0}_k$. We prove the lemma below.

Lemma 8. For any p.p.t. adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that

$$\mathrm{Adv}^{\mathrm{NH}(\eta)}(\mathcal{A}, q, q') \le \mathrm{Adv}^{\mathrm{MDDH}}_{\mathcal{U}_{3k,k}, G_2, q'}(\mathcal{B})$$

where $T(\mathcal{B}) \approx T(\mathcal{A}) + k^2 \cdot (q + q') \cdot \mathrm{poly}(\lambda, n)$ and $\mathrm{poly}(\lambda, n)$ is independent of $T(\mathcal{A})$.

Before we prove the lemma, we describe and prove an extension of Lemma 5.

Lemma 9. Given $Q \in \mathbb{N}$, a group $G$ of prime order $p$, $[\mathbf{M}] \in G^{3k \times k}$ and $[\mathbf{T}] = [\mathbf{t}_1 | \cdots | \mathbf{t}_Q] \in G^{3k \times Q}$ where either $\mathbf{t}_i \leftarrow \mathrm{Span}(\mathbf{M})$ or $\mathbf{t}_i \leftarrow \mathbb{Z}_p^{3k}$, one can efficiently compute

$$[\mathbf{Z}],\ [\mathbf{V}_0\mathbf{Z}],\ [\mathbf{V}_1\mathbf{Z}],\ \{[\boldsymbol{\tau}_j], [\boldsymbol{\tau}_{0,j}], [\boldsymbol{\tau}_{1,j}]\}_{j \in [Q]}$$

where $\mathbf{Z} \in \mathbb{Z}_p^{k \times k}$ is full-rank, $\mathbf{V}_0, \mathbf{V}_1 \in \mathbb{Z}_p^{k \times k}$ are secret matrices, $\boldsymbol{\tau}_j \leftarrow \mathbb{Z}_p^k$, and either $\boldsymbol{\tau}_{0,j} = \mathbf{V}_0 \boldsymbol{\tau}_j$, $\boldsymbol{\tau}_{1,j} = \mathbf{V}_1 \boldsymbol{\tau}_j$ (when $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$) or $\boldsymbol{\tau}_{0,j}, \boldsymbol{\tau}_{1,j} \leftarrow \mathbb{Z}_p^k$ (when $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{3k}$).

Proof. Given $Q$, $G$, $[\mathbf{M}]$, $[\mathbf{T}] = [\mathbf{t}_1 | \cdots | \mathbf{t}_Q]$, the algorithm works as follows:

Programming $[\mathbf{Z}]$, $[\mathbf{V}_0\mathbf{Z}]$, $[\mathbf{V}_1\mathbf{Z}]$. Define $\mathbf{Z} = \overline{\mathbf{M}}$, the first $k$ rows of $\mathbf{M}$. Randomly pick $\mathbf{M}_0, \mathbf{M}_1 \leftarrow \mathbb{Z}_p^{k \times 3k}$ and implicitly define $\mathbf{V}_0, \mathbf{V}_1 \in \mathbb{Z}_p^{k \times k}$ such that

$$\mathbf{V}_0 \mathbf{Z} = \mathbf{V}_0 \overline{\mathbf{M}} = \mathbf{M}_0 \mathbf{M} \quad \text{and} \quad \mathbf{V}_1 \mathbf{Z} = \mathbf{V}_1 \overline{\mathbf{M}} = \mathbf{M}_1 \mathbf{M}.$$

One can generate $[\mathbf{Z}]$ along with $[\mathbf{V}_0\mathbf{Z}]$, $[\mathbf{V}_1\mathbf{Z}]$ using $[\mathbf{M}]$ and $\mathbf{M}_0, \mathbf{M}_1$.

Generating $Q$ tuples. For all $j \in [Q]$, we compute

$$[\boldsymbol{\tau}_j] = [\overline{\mathbf{t}}_j], \quad [\boldsymbol{\tau}_{0,j}] = [\mathbf{M}_0 \mathbf{t}_j], \quad [\boldsymbol{\tau}_{1,j}] = [\mathbf{M}_1 \mathbf{t}_j].$$

Here $\overline{\mathbf{t}}_j$ indicates the first $k$ entries of $\mathbf{t}_j$.

Observe that: if $\mathbf{t}_j = \mathbf{M}\mathbf{u}_j$ for some $\mathbf{u}_j \leftarrow \mathbb{Z}_p^k$, we have that $\boldsymbol{\tau}_j = \overline{\mathbf{M}}\mathbf{u}_j$ and

$$\boldsymbol{\tau}_{0,j} = \mathbf{M}_0\mathbf{M}\mathbf{u}_j = \mathbf{V}_0\overline{\mathbf{M}}\mathbf{u}_j = \mathbf{V}_0\boldsymbol{\tau}_j, \qquad \boldsymbol{\tau}_{1,j} = \mathbf{M}_1\mathbf{M}\mathbf{u}_j = \mathbf{V}_1\overline{\mathbf{M}}\mathbf{u}_j = \mathbf{V}_1\boldsymbol{\tau}_j;$$

if $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{3k}$, we can see that

$$\begin{pmatrix} \boldsymbol{\tau}_j \\ \boldsymbol{\tau}_{0,j} \\ \boldsymbol{\tau}_{1,j} \end{pmatrix} = \begin{pmatrix} \mathbf{I}_{k \times 3k} \\ \mathbf{M}_0 \\ \mathbf{M}_1 \end{pmatrix} \mathbf{t}_j$$

is uniformly distributed over $\mathbb{Z}_p^{3k}$, where the left-most $k$ columns of $\mathbf{I}_{k \times 3k}$ form an identity matrix and the remaining columns are zero vectors (the $3k \times 3k$ matrix on the right is invertible with overwhelming probability over the choice of $\mathbf{M}_0, \mathbf{M}_1$). □

We are ready to prove Lemma 8 by extending the strategy used to prove Lemma 6.

Proof. Given $[\mathbf{M}]_2 \in G_2^{3k \times k}$ and $[\mathbf{T}]_2 = [\mathbf{t}_1 | \cdots | \mathbf{t}_{q'}]_2 \in G_2^{3k \times q'}$ where either $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$ or $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{3k}$, $\mathcal{B}$ proceeds as follows:

Generating $q'$ tuples. We invoke the algorithm described in Lemma 9 on input $(q', G_2, [\mathbf{M}]_2, [\mathbf{T}]_2)$ and obtain

$$([\mathbf{Z}]_2, [\mathbf{V}_0\mathbf{Z}]_2, [\mathbf{V}_1\mathbf{Z}]_2, \{[\boldsymbol{\tau}_j]_2, [\boldsymbol{\tau}_{0,j}]_2, [\boldsymbol{\tau}_{1,j}]_2\}_{j \in [q']}).$$

Simulating pp. Sample $\mathbf{A}, \hat{\mathbf{A}}, \tilde{\mathbf{A}} \leftarrow \mathcal{U}_{3k,k}$ and randomly pick $\hat{\mathbf{A}}^*$ and $\tilde{\mathbf{A}}^*$, the respective bases of $\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^\top)$ and $\mathrm{Ker}((\mathbf{A}|\hat{\mathbf{A}})^\top)$. Select $\widetilde{\mathbf{W}}_{2\eta-1}, \widetilde{\mathbf{W}}_{2\eta} \leftarrow \mathbb{Z}_p^{k \times 3k}$ and define

$$\mathbf{W}_{2\eta-1} = \widetilde{\mathbf{W}}_{2\eta-1} + \mathbf{V}_1^\top (\hat{\mathbf{A}}^*)^\top \quad \text{and} \quad \mathbf{W}_{2\eta} = \widetilde{\mathbf{W}}_{2\eta} + \mathbf{V}_0^\top (\tilde{\mathbf{A}}^*)^\top .$$

Then we sample $\mathbf{W}_i \leftarrow \mathbb{Z}_p^{k \times 3k}$ for all $i \in [n] \setminus \{2\eta-1, 2\eta\}$. We can simulate pp using the following observation:

$$\mathbf{W}_{2\eta-1}\mathbf{A} = (\widetilde{\mathbf{W}}_{2\eta-1} + \mathbf{V}_1^\top (\hat{\mathbf{A}}^*)^\top)\mathbf{A} = \widetilde{\mathbf{W}}_{2\eta-1}\mathbf{A}, \qquad \mathbf{W}_{2\eta}\mathbf{A} = (\widetilde{\mathbf{W}}_{2\eta} + \mathbf{V}_0^\top (\tilde{\mathbf{A}}^*)^\top)\mathbf{A} = \widetilde{\mathbf{W}}_{2\eta}\mathbf{A}.$$

Simulating $\hat{h}^*_j$ and $\tilde{h}^*_j$. It is direct to simulate all $\hat{h}^*_j$ and $\tilde{h}^*_j$ using $\hat{\mathbf{A}}^*$ and $\tilde{\mathbf{A}}^*$.

Simulating $(\hat{g}_j)_{-(2\eta-1)}$ and $(\tilde{g}_j)_{-2\eta}$. We can simulate $(\hat{g}_j)_{-(2\eta-1)}$ following the fact that

$$\mathbf{W}_{2\eta}\hat{\mathbf{A}} = (\widetilde{\mathbf{W}}_{2\eta} + \mathbf{V}_0^\top (\tilde{\mathbf{A}}^*)^\top)\hat{\mathbf{A}} = \widetilde{\mathbf{W}}_{2\eta}\hat{\mathbf{A}}.$$

Similarly, we can also simulate $(\tilde{g}_j)_{-2\eta}$ because

$$\mathbf{W}_{2\eta-1}\tilde{\mathbf{A}} = (\widetilde{\mathbf{W}}_{2\eta-1} + \mathbf{V}_1^\top (\hat{\mathbf{A}}^*)^\top)\tilde{\mathbf{A}} = \widetilde{\mathbf{W}}_{2\eta-1}\tilde{\mathbf{A}}.$$

Although $\mathbf{W}_{2\eta-1}\hat{\mathbf{A}}$ and $\mathbf{W}_{2\eta}\tilde{\mathbf{A}}$ contain the secret matrices and are unknown to $\mathcal{B}$ due to Lemma 3, they are not necessary in our simulation.

Simulating $h'_j$. Sample $\bar{\mathbf{r}}_j \leftarrow \mathbb{Z}_p^k$ and implicitly define $\mathbf{r}'_j = \mathbf{Z}\bar{\mathbf{r}}_j$ for all $j \in [q']$. We can simply produce $[\mathbf{r}'_j]_2$ and $[\mathbf{W}_i^\top \mathbf{r}'_j]_2$ for $i \in [n] \setminus \{2\eta-1, 2\eta\}$, while the remaining two entries are simulated following the facts

$$\mathbf{W}_{2\eta-1}^\top \mathbf{r}'_j = (\widetilde{\mathbf{W}}_{2\eta-1} + \mathbf{V}_1^\top (\hat{\mathbf{A}}^*)^\top)^\top \mathbf{Z}\bar{\mathbf{r}}_j = \widetilde{\mathbf{W}}_{2\eta-1}^\top \mathbf{Z}\bar{\mathbf{r}}_j + \hat{\mathbf{A}}^* (\mathbf{V}_1\mathbf{Z}) \bar{\mathbf{r}}_j,$$

$$\mathbf{W}_{2\eta}^\top \mathbf{r}'_j = (\widetilde{\mathbf{W}}_{2\eta} + \mathbf{V}_0^\top (\tilde{\mathbf{A}}^*)^\top)^\top \mathbf{Z}\bar{\mathbf{r}}_j = \widetilde{\mathbf{W}}_{2\eta}^\top \mathbf{Z}\bar{\mathbf{r}}_j + \tilde{\mathbf{A}}^* (\mathbf{V}_0\mathbf{Z}) \bar{\mathbf{r}}_j,$$

because $[\mathbf{Z}]_2$, $[\mathbf{V}_0\mathbf{Z}]_2$ and $[\mathbf{V}_1\mathbf{Z}]_2$ are known to $\mathcal{B}$.

Simulating the challenge. For all $j \in [q']$, we compute the challenge as

$$([\boldsymbol{\tau}_j]_2;\ [\mathbf{W}_1^\top \boldsymbol{\tau}_j]_2, \ldots, [\widetilde{\mathbf{W}}_{2\eta-1}^\top \boldsymbol{\tau}_j + \hat{\mathbf{A}}^* \boldsymbol{\tau}_{1,j}]_2, [\widetilde{\mathbf{W}}_{2\eta}^\top \boldsymbol{\tau}_j + \tilde{\mathbf{A}}^* \boldsymbol{\tau}_{0,j}]_2, \ldots, [\mathbf{W}_n^\top \boldsymbol{\tau}_j]_2).$$

Observe that, when $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$, we have $\boldsymbol{\tau}_{0,j} = \mathbf{V}_0\boldsymbol{\tau}_j$ and $\boldsymbol{\tau}_{1,j} = \mathbf{V}_1\boldsymbol{\tau}_j$, so the challenge is identical to $\{h_j\}$, i.e., $\hat{\mathbf{r}}_j = \tilde{\mathbf{r}}_j = \mathbf{0}_k$; when $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{3k}$, we have $\boldsymbol{\tau}_{0,j}, \boldsymbol{\tau}_{1,j} \leftarrow \mathbb{Z}_p^k$, so the challenge is identical to $\{h_j \cdot (1_{H_0}; (\hat{h}^{**}_j)^{\mathbf{e}_{2\eta-1}}) \cdot (1_{H_0}; (\tilde{h}^{**}_j)^{\mathbf{e}_{2\eta}})\}$ where $\hat{\mathbf{r}}_j = \boldsymbol{\tau}_{1,j} - \mathbf{V}_1\boldsymbol{\tau}_j$ and $\tilde{\mathbf{r}}_j = \boldsymbol{\tau}_{0,j} - \mathbf{V}_0\boldsymbol{\tau}_j$ are uniformly distributed over $\mathbb{Z}_p^k$. This proves the lemma. □
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5.5 G-Uniformity 

We rewrite the advantage function Adv^" um (A ,q,q') using 

pp = ([A],, [WiAJi, . . . , [W n A} 1 ); h* = [A*fj] 2 ; h* = [A*r,-] 2 

where Yj , Yj Z k and hj • (1 h 0 ; h*j, ... , h* n -) equals 

( [ r j ] 2 5 + [wjrj + A*r n> j] 2 ), . . . , t nJ <- Z*; 

and the challenge term g j • g j • (1g 0 5 Wj) ln ) equals 

( [Asj + Asj] x ; [Wi(Asj + As,) + s'] v . . . , [W n (As J - + A%) 

where Sj , Sj <— Z k , either s'- <— Z k or s'- = 0/e. We prove the following lemma 
using essentially the same method as in [3]. 

Lemma 10. For any p.p.t. adversary A , there exists an adversary B such that 
Adv«- uni (A,g,gO<Adv^' fe (A) 

where T (B) ~ T (A) + k 2 • (q + q') • poly(A,n) and poly(A,n) is independent of 

TGA). 

We describe a simple extension of Lemma 5 without proof which is basically 
identical to Generalized Many-Tuple Lemma in [14]. 

Lemma 11. Given Q E N, group G of prime order p, [M] E G 2/cx/c an y _ 
[t 1 1 • • • |t q] E G 2kx ® where either tf Span(M) orti «— K k > one can efficiently 
compute [Z], [VZ] and Q tuples ([Tj], \ T ’j]) ja[Q] w ^ lere Z G Zp Xfe is full-rank, 
v € z* x * zs a secret matrix, Tj <— Z k , either t'j = Wj (when tj <— Span(M ) ) 
or Tj Z^ (when tj <— Z 2/c ,). 
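The tuple-generation step shared by Lemmas 5, 9 and 11 can be checked numerically. The following Python block is an added example, not code from the paper: it runs that step "in the exponent" (plain field arithmetic over a toy prime instead of implicit group representations, which is faithful because the step only applies linear maps that are computable on $[\cdot]$), with `secret_rows` selecting the shape of the hidden quantity: `[1]` for Lemma 5 (a row vector $\mathbf{m}$), `[k]` for Lemma 11 and `[k, k]` for Lemma 9. The prime, the sample instances and all helper names are assumptions of this example. `span_case_holds` recovers the implicitly defined $\mathbf{V}_b$ (which a reduction never sees) and checks $\boldsymbol{\tau}_{b,j} = \mathbf{V}_b \boldsymbol{\tau}_j$; `uniform_case_is_bijection` checks that the square matrix behind the uniform-case argument is invertible.

```python
import random

P = 2**61 - 1  # toy prime modulus; assumption: stands in for the group order p


def rand_vec(n, rng):
    return [rng.randrange(P) for _ in range(n)]


def rand_mat(rows, cols, rng):
    return [rand_vec(cols, rng) for _ in range(rows)]


def mat_vec(M, x):
    return [sum(M[i][j] * x[j] for j in range(len(x))) % P for i in range(len(M))]


def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % P
             for j in range(len(B[0]))] for i in range(len(A))]


def inverse(M):
    """Inverse of a square matrix over Z_P by Gauss-Jordan elimination; None if singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [(x * inv) % P for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def many_tuple(M, T, secret_rows, rng):
    """The algorithm of Lemmas 5, 9 and 11, on exponents.

    M is l x k and T a list of columns t_j in Z_p^l.  For each entry d of secret_rows
    a matrix M_b <- Z_p^{d x l} is drawn (Lemma 5: [1], Lemma 11: [k], Lemma 9: [k, k]).
    Returns Z (top k rows of M), the list of V_b Z := M_b M, the tuples
    (tau_j, [tau_{b,j}]) and, for checking only, the M_b themselves.
    """
    k = len(M[0])
    Z = [row[:] for row in M[:k]]
    Ms = [rand_mat(d, len(M), rng) for d in secret_rows]
    VZs = [mat_mul(Mb, M) for Mb in Ms]
    tuples = [(t[:k], [mat_vec(Mb, t) for Mb in Ms]) for t in T]
    return Z, VZs, tuples, Ms


def instance(l, k, q, in_span, rng):
    """A toy q-fold MDDH instance: M <- Z_p^{l x k}, t_j either M u_j or uniform."""
    M = rand_mat(l, k, rng)
    if in_span:
        T = [mat_vec(M, rand_vec(k, rng)) for _ in range(q)]
    else:
        T = [rand_vec(l, rng) for _ in range(q)]
    return M, T


def span_case_holds(l, k, secret_rows, q=4, seed=1):
    """Span(M) case: every tau_{b,j} must equal V_b tau_j with V_b = (V_b Z) Z^{-1}.
    The reduction never learns V_b; it is recovered here only to check the claim."""
    rng = random.Random(seed)
    M, T = instance(l, k, q, True, rng)
    Z, VZs, tuples, _ = many_tuple(M, T, secret_rows, rng)
    Zinv = inverse(Z)
    if Zinv is None:
        return False
    Vs = [mat_mul(VZ, Zinv) for VZ in VZs]
    return all(mat_vec(Vs[b], tau) == taus[b]
               for tau, taus in tuples for b in range(len(secret_rows)))


def uniform_case_is_bijection(l, k, secret_rows, seed=1):
    """Uniform case: t_j -> (t_bar_j; M_0 t_j; ...) is multiplication by the square
    matrix [[I_k | 0]; M_0; ...], which must be invertible for the output to stay
    uniform over Z_p^l (requires k + sum(secret_rows) == l)."""
    if k + sum(secret_rows) != l:
        raise ValueError("square-matrix argument needs k + sum(secret_rows) == l")
    rng = random.Random(seed)
    M, T = instance(l, k, 1, False, rng)
    _, _, _, Ms = many_tuple(M, T, secret_rows, rng)
    square = [[int(i == j) for j in range(l)] for i in range(k)]
    for Mb in Ms:
        square.extend(Mb)
    return inverse(square) is not None
```

With `secret_rows=[1]` the square matrix is the $(k+1) \times (k+1)$ one from the proof of Lemma 5, invertible exactly when $m_{k+1} \neq 0$; with `[k, k]` it is the $3k \times 3k$ matrix $(\mathbf{I}_{k \times 3k}; \mathbf{M}_0; \mathbf{M}_1)$ from Lemma 9.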

We are ready to prove Lemma 10.

Proof. Given $[\mathbf{M}]_1 \in G_1^{2k \times k}$ and $[\mathbf{T}]_1 = [\mathbf{t}_1 | \cdots | \mathbf{t}_q]_1 \in G_1^{2k \times q}$ where either $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$ or $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{2k}$, $\mathcal{B}$ proceeds as follows:

Generating $q$ tuples. We invoke the algorithm described in Lemma 11 on input $(q, G_1, [\mathbf{M}]_1, [\mathbf{T}]_1)$ and obtain $([\mathbf{Z}]_1, [\mathbf{V}\mathbf{Z}]_1, \{[\boldsymbol{\tau}_j]_1, [\boldsymbol{\tau}'_j]_1\}_{j \in [q]})$.

Simulating pp. Sample $\mathbf{A}, \hat{\mathbf{A}}, \tilde{\mathbf{A}} \leftarrow \mathcal{U}_{3k,k}$ and randomly pick $\hat{\mathbf{A}}^*$ and $\tilde{\mathbf{A}}^*$, the respective bases of $\mathrm{Ker}((\mathbf{A}|\tilde{\mathbf{A}})^\top)$ and $\mathrm{Ker}((\mathbf{A}|\hat{\mathbf{A}})^\top)$. For all $i \in [n]$, pick $\widetilde{\mathbf{W}}_i \leftarrow \mathbb{Z}_p^{k \times 3k}$ and implicitly define

$$\mathbf{W}_i = \widetilde{\mathbf{W}}_i + \overline{\mathbf{V}} \cdot (\hat{\mathbf{A}}^*)^\top$$

where $\overline{\mathbf{V}} = \mathbf{V}((\hat{\mathbf{A}}^*)^\top \hat{\mathbf{A}})^{-1} \in \mathbb{Z}_p^{k \times k}$. We can simulate pp from the observation $\mathbf{W}_i\mathbf{A} = (\widetilde{\mathbf{W}}_i + \overline{\mathbf{V}} (\hat{\mathbf{A}}^*)^\top)\mathbf{A} = \widetilde{\mathbf{W}}_i\mathbf{A}$.

Simulating $\hat{h}^*_j$ and $\tilde{h}^*_j$. It is direct to simulate all $\hat{h}^*_j$ and $\tilde{h}^*_j$ using $\hat{\mathbf{A}}^*$ and $\tilde{\mathbf{A}}^*$.

Simulating $h_j \cdot (1_{H_0}; \hat{h}^*_{1,j}, \ldots, \hat{h}^*_{n,j})$. Observe that

$$\mathbf{W}_i^\top \mathbf{r}_j + \hat{\mathbf{A}}^* \hat{\mathbf{r}}_{i,j} = \widetilde{\mathbf{W}}_i^\top \mathbf{r}_j + \hat{\mathbf{A}}^* (\overline{\mathbf{V}}^\top \mathbf{r}_j + \hat{\mathbf{r}}_{i,j}) \quad \text{for all } i \in [n],\ j \in [q'].$$

Since $\overline{\mathbf{V}}^\top \mathbf{r}_j + \hat{\mathbf{r}}_{i,j}$ is uniform whenever $\hat{\mathbf{r}}_{i,j}$ is, we can alternatively simulate $h_j \cdot (1_{H_0}; \hat{h}^*_{1,j}, \ldots, \hat{h}^*_{n,j})$ as $([\mathbf{r}_j]_2; [\widetilde{\mathbf{W}}_1^\top \mathbf{r}_j + \hat{\mathbf{A}}^* \hat{\mathbf{r}}_{1,j}]_2, \ldots, [\widetilde{\mathbf{W}}_n^\top \mathbf{r}_j + \hat{\mathbf{A}}^* \hat{\mathbf{r}}_{n,j}]_2)$ for all $j \in [q']$ where $\mathbf{r}_j, \hat{\mathbf{r}}_{i,j} \leftarrow \mathbb{Z}_p^k$, without the secret matrix $\overline{\mathbf{V}}$.

Simulating the challenge. Observe that

$$\mathbf{W}_i \hat{\mathbf{A}} = (\widetilde{\mathbf{W}}_i + \overline{\mathbf{V}} (\hat{\mathbf{A}}^*)^\top)\hat{\mathbf{A}} = \widetilde{\mathbf{W}}_i \hat{\mathbf{A}} + \mathbf{V}.$$

We can sample $\mathbf{s}_j \leftarrow \mathbb{Z}_p^k$ and simulate the challenge as

$$([\mathbf{A}\mathbf{s}_j + \hat{\mathbf{A}}\boldsymbol{\tau}_j]_1;\ [\widetilde{\mathbf{W}}_1\mathbf{A}\mathbf{s}_j + \widetilde{\mathbf{W}}_1\hat{\mathbf{A}}\boldsymbol{\tau}_j + \boldsymbol{\tau}'_j]_1, \ldots, [\widetilde{\mathbf{W}}_n\mathbf{A}\mathbf{s}_j + \widetilde{\mathbf{W}}_n\hat{\mathbf{A}}\boldsymbol{\tau}_j + \boldsymbol{\tau}'_j]_1).$$

Observe that, when $\mathbf{t}_j \leftarrow \mathrm{Span}(\mathbf{M})$, we have $\boldsymbol{\tau}'_j = \mathbf{V}\boldsymbol{\tau}_j$ and the challenge is identical to $\{g_j \cdot \hat{g}_j\}$; when $\mathbf{t}_j \leftarrow \mathbb{Z}_p^{2k}$, we have $\boldsymbol{\tau}'_j \leftarrow \mathbb{Z}_p^k$ and the challenge is identical to $\{g_j \cdot \hat{g}_j \cdot (1_{G_0}; (g'_j)^{\mathbf{1}_n})\}$ where $\mathbf{s}'_j = \boldsymbol{\tau}'_j - \mathbf{V}\boldsymbol{\tau}_j$ is uniformly distributed over $\mathbb{Z}_p^k$. This proves the lemma. □


6 Concrete Constructions

We present our main result in Fig. 1, whose adaptive security and anonymity in the MIMC setting is almost-tightly based on the $k$-Lin assumption.

Figure 2 presents a concrete instantiation of our main result based on the SXDH (1-Lin) assumption by setting $k = 1$. Our description below only involves vectors and scalars.

Param($1^\lambda$, $n$):
  $\mathbf{A} \leftarrow \mathcal{U}_{3k,k}$
  for $(i, b) \in [n] \times \{0, 1\}$ do $\mathbf{W}_{i,b} \leftarrow \mathbb{Z}_p^{k \times 3k}$, $\mathbf{Z}_{i,b} = \mathbf{W}_{i,b}\mathbf{A} \in \mathbb{Z}_p^{k \times k}$
  GP = $([\mathbf{A}]_1, \{[\mathbf{Z}_{i,b}]_1, [\mathbf{W}_{i,b}]_2\})$
  return GP

Setup(GP):
  $\boldsymbol{\alpha} \leftarrow \mathbb{Z}_p^{3k}$
  mpk = $([\mathbf{A}]_1, \{[\mathbf{Z}_{i,b}]_1\}, [\mathbf{A}^\top \boldsymbol{\alpha}]_T)$
  msk = $([\boldsymbol{\alpha}]_2, \{[\mathbf{W}_{i,b}]_2\})$
  return mpk, msk

KeyGen(mpk, msk, id):
  $\mathbf{r} \leftarrow \mathbb{Z}_p^k$
  sk = $([\mathbf{r}]_2, [\boldsymbol{\alpha} + \sum_{i=1}^{n} \mathbf{W}_{i,\mathrm{id}[i]}^\top \mathbf{r}]_2) \in G_2^k \times G_2^{3k}$
  return sk

Enc(mpk, id, m):
  $\mathbf{s} \leftarrow \mathbb{Z}_p^k$
  ct' = $([\mathbf{A}\mathbf{s}]_1, [\sum_{i=1}^{n} \mathbf{Z}_{i,\mathrm{id}[i]} \mathbf{s}]_1) \in G_1^{3k} \times G_1^k$
  key = $[\mathbf{s}^\top \mathbf{A}^\top \boldsymbol{\alpha}]_T \in G_T$
  return ct = (ct', key $\cdot$ m)

Dec(mpk, sk = $(k_0, k_1)$, ct = $(c_0, c_1, c_2)$):
  return m = $c_2 \cdot e(c_1, k_0) / e(c_0, k_1)$

Fig. 1. Main result: a concrete IBE scheme based on the $k$-Lin assumption.

Param($1^\lambda$, $n$):
  $\mathbf{a} \leftarrow \mathbb{Z}_p^3$
  for $(i, b) \in [n] \times \{0, 1\}$ do $\mathbf{w}_{i,b} \leftarrow \mathbb{Z}_p^3$, $z_{i,b} = \langle \mathbf{w}_{i,b}, \mathbf{a} \rangle \in \mathbb{Z}_p$
  GP = $([\mathbf{a}]_1, \{[z_{i,b}]_1, [\mathbf{w}_{i,b}]_2\})$
  return GP

Setup(GP):
  $\boldsymbol{\alpha} \leftarrow \mathbb{Z}_p^3$
  mpk = $([\mathbf{a}]_1, \{[z_{i,b}]_1\}, [\langle \mathbf{a}, \boldsymbol{\alpha} \rangle]_T)$
  msk = $([\boldsymbol{\alpha}]_2, \{[\mathbf{w}_{i,b}]_2\})$
  return mpk, msk

KeyGen(mpk, msk, id):
  $r \leftarrow \mathbb{Z}_p$
  sk = $([r]_2, [\boldsymbol{\alpha} + r \cdot \sum_{i=1}^{n} \mathbf{w}_{i,\mathrm{id}[i]}]_2) \in G_2 \times G_2^3$
  return sk

Enc(mpk, id, m):
  $s \leftarrow \mathbb{Z}_p$
  ct' = $([s \cdot \mathbf{a}]_1, [s \cdot \sum_{i=1}^{n} z_{i,\mathrm{id}[i]}]_1) \in G_1^3 \times G_1$
  key = $[s \cdot \langle \mathbf{a}, \boldsymbol{\alpha} \rangle]_T$
  return ct = (ct', key $\cdot$ m)

Dec(mpk, sk = $(k_0, k_1)$, ct = $(c_0, c_1, c_2)$):
  return m = $c_2 \cdot e(c_1, k_0) / e(c_0, k_1)$
Fig. 2. A concrete IBE scheme based on SXDH ($k = 1$). Here we let $\langle \mathbf{x}, \mathbf{y} \rangle$ be the inner product of $\mathbf{x}$ and $\mathbf{y}$ of the same length and $e([\mathbf{x}]_1, [\mathbf{y}]_2) = [\langle \mathbf{x}, \mathbf{y} \rangle]_T$ in this case.
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Abstract. In this paper, we demonstrate that various cryptographic 
constructions — including ones for broadcast, attribute-based, and hierar- 
chical identity-based encryption — can rely for security on only the static 
subgroup hiding assumption when instantiated in composite-order bilin- 
ear groups, as opposed to the dynamic g-type assumptions on which their 
security previously was based. This specific goal is accomplished by more 
generally extending the recent Deja Q framework (Chase and Meiklejohn, 
Eurocrypt 2014) in two main directions. First, by teasing out common 
properties of existing reductions, we expand the g-type assumptions that 
can be covered by the framework; i.e., we demonstrate broader classes of 
assumptions that can be reduced to subgroup hiding. Second, while the 
original framework applied only to asymmetric composite-order bilinear 
groups, we provide a reduction to subgroup hiding that works in sym- 
metric (as well as asymmetric) composite-order groups. As a bonus, our 
new reduction achieves a tightness of log (q) rather than q. 


1 Introduction 

In cryptography, the provable security paradigm crucially relies on the existence 
of hard mathematical problems. To prove the security of a candidate crypto- 
graphic construction, one must demonstrate that any adversary that can break 
its security can be used to construct another adversary that can break the under- 
lying mathematical problem; if the problem is assumed to be hard, then it logi- 
cally follows that the construction is secure. 

To be confident in the security of a construction, we must therefore also 
be confident in the underlying assumption; i.e., the assumption that the given 
mathematical problem is hard. Cryptographic assumptions come in many forms, 
and confidence in them can be gained through various means: one can perform 
cryptanalysis on the problem and attempt to break it, prove its security in the 
generic group model [40], or generalize multiple assumptions using a construct 
like the uber-assumption [11,15] to provide general lower bounds on security.

As a field, cryptography has in the past decade become increasingly tolerant 
of assumptions that are new, not particularly well understood, and in some cases 
even “hard to untangle from the constructions which utilize them” [26]. While 
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there are of course good reasons for doing so (e.g., driving the state of the art 
forward), and it is demonstrably impossible to reduce every construction to a 
simple assumption like DDH, the growth in the volume and complexity of new 
assumptions nevertheless provides an opportunity to revisit this landscape of 
assumptions and attempt to simplify and systematize it where possible. 

Our specific focus in this paper is the class of q-type assumptions, in which the assumption is not static, but rather can grow dynamically; e.g., the decisional q-wBDHI (weak Bilinear Diffie-Hellman Inversion) assumption [11] says that given $(g, g^c, g^b, g^{b^2}, \ldots, g^{b^q})$, it should be hard to distinguish $e(g, g)^{b^{q+1} c}$ from random. These assumptions are closely tied to the schemes that rely on them for security, as the value $q$ is often equal to the number of oracle calls that can be made in a reduction; e.g., in identity-based encryption (IBE), a distinct value from the assumption is used within the reduction to respond to each of $q$ key extraction queries. Moreover, q-type assumptions become stronger as $q$ grows, and the time to recover the discrete logarithm scales inversely with $q$ [22].

In a recent paper [18], Chase and Meiklejohn demonstrated the potential to move away from q-type assumptions by demonstrating that certain types of q-type assumptions (under the umbrella of the uber-assumption) were implied by the static subgroup hiding assumption [13] in asymmetric composite-order groups. Specifically, they demonstrated a reduction — with looseness $q$ — to the subgroup hiding assumption from all q-type assumptions that either (1) gave out functions on only one side of the pairing and asked the adversary to distinguish elements in the source group or (2) gave out functions on both sides of the pairing and asked the adversary to compute an element in the source group. Following Wee [44], we dub their set of techniques and results the "Déjà Q framework."


1.1 Our Contributions 

In this paper, we seek to expand the applicability of the Deja Q framework to 
encompass wider classes of assumptions and to apply to settings that are used 
more commonly in cryptographic constructions. In particular, we provide the 
following three main contributions: 

Broader classes of assumptions. In terms of specific schemes and assumptions, the original Déjà Q framework implied that the Dodis-Yampolskiy PRF [23] and the q-SDH assumption [10] could be reduced to subgroup hiding. To broaden not only the class of assumptions but also the concrete applicability of the framework, we capture computational and decisional uber-assumptions in the target group, including commonly used q-type assumptions such as q-BDHE [11] and q-wBDHI. We also demonstrate techniques for translating concrete schemes — in particular, the BGW broadcast encryption scheme [12], the BBG hierarchical identity-based encryption scheme [11], the Waters attribute-based encryption scheme [41], and the ACF identity-based key encapsulation mechanism [1] — that rely on the symmetric versions of these assumptions for security into asymmetric composite-order bilinear groups, where they can then be reduced to subgroup hiding.
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Tighter reductions. We provide a new reduction from both computational and 
decisional uber-assumptions in the target group to subgroup hiding. Our new 
reduction requires adding at least one additional prime to the factorization of 
TV, but it achieves logarithmic — rather than linear — tightness. These results 
can then be applied to any scheme based on these assumptions, including 
the ones mentioned above, which directly gives a tightly (or almost tightly, 
depending on ones preferred terminology) secure instantiation, albeit in a 
somewhat inefficient setting. 

Symmetric and asymmetric groups. The original Deja Q framework could 
operate only in asymmetric composite-order bilinear groups (or composite- 
order groups where no pairing existed), of which only one construction is 
known [14,37]. Our new proof works in both symmetric and asymmetric 
settings, thus allowing us to consider the more “usual” instantiations of 
composite-order bilinear groups. 


1.2 Our Techniques 

In terms of the techniques we use, our proof in Sect. 3 that computational and 
decisional uber-assumptions in the target group can be reduced to subgroup 
hiding is closely based on the proof in the original Deja Q framework for com- 
putational uber-assumptions in the source group. To achieve this, we observe 
that reductions frequently treat group generators in separate ways; i.e., separate
sets of generators are used to answer separate types of queries, and the reduction 
crucially relies on this separation to ensure that the adversary can’t test the rela- 
tionships between different objects as they (separately) incorporate additional 
randomness or otherwise shift in value. By explicitly acknowledging this usage 
in our statement of the uber-assumption, we can treat the separate generators 
in different ways in our reductions and thus extend the results to the target 
group. To further demonstrate how to securely move symmetric constructions 
into the asymmetric setting, where they can then be covered by these results, 
we rely on a recent set of techniques due to Abe et al. [3] for doing automated symmetric-to-asymmetric translations.

Next, in Sect. 4, we consider a modified version of this proof strategy, where in each game hop we double the amount of randomness included in the assumption. To do this, we require three subgroups instead of two, meaning we can write $G = G_1 \times G_2 \times G_3$. As in the original Déjà Q framework, we start by shifting the variables used in the q-type assumption from $G_1$ into $G_2$ and $G_3$, which following the usual dual-system technique we can argue goes unnoticed by subgroup hiding [13]. We then change the variables in $G_2$ and $G_3$ to take on entirely new values, which again following the dual-system technique we can argue goes unnoticed by parameter hiding [29]. Now, however, instead of continuing to shift the same variables from $G_1$ into $G_2$ and change them one by one, we shift the new variables from $G_3$ into $G_2$, so that $G_2$ has effectively doubled the number of new variables it contains. By repeating this process of shifting all the variables from $G_2$ into $G_3$, changing them, and shifting them back, we achieve the same outcome as the original framework of having $t$ sets of variables in $G_2$, but using $\log_2(t)$ game transitions instead of $t$.

While one additional subgroup suffices to achieve this tighter reduction in 
asymmetric bilinear groups, our reduction relies on the use of subgroup gen- 
erators that would break subgroup hiding in symmetric groups. To address 
this, our new reduction brings in certain aspects of the more traditional appli- 
cation of the dual-system technique to constructions (rather than assump- 
tions) [9,20,29,31,32], and in particular a recent result due to Wee [44] that 
used an adaption of the Deja Q framework to reduce both an IBE scheme and 
a broadcast encryption scheme to subgroup hiding. We thus demonstrate that 
by folding in random values from a fourth subgroup, we can sufficiently “mask” 
the subgroups to push through the same reduction in symmetric groups. Thus, 
while our results in Sect. 3 apply to versions of concrete constructions translated 
into the asymmetric setting (but otherwise unmodified), our results in Sect. 4 
provide tighter reductions for the (original) symmetric versions in which addi- 
tional randomness is incorporated when instantiated in groups with two addi- 
tional subgroups, or for asymmetric versions with an additional subgroup (but 
no additional randomness). 

1.3 Related Work 

Our work closely builds on the Deja Q framework due to Chase and Meikle- 
john [18]. In order to go beyond the original set of contributions, we draw on 
certain aspects of the dual-system technique [31,32,42], the notion of parameter 
hiding [29,30], and the general notion of subgroup hiding [8]. For our results 
in the symmetric setting, we draw on ideas in a recent work by Wee [44], who 
extended the original Deja Q framework but focused specifically on constructions 
for broadcast encryption and IBE. 

The search for tight reductions goes back to the paper of Bellare and Rog- 
away [7], and the results are extensive. To compare with the results most similar 
to ours, we focus on results for pairing-based primitives, where much related 
work has provided (almost) tight reductions for various primitives, including 
identity-based encryption [1,9,21,28,35], inner product encryption [38], authen- 
ticated key exchange [6], and quasi- adaptive non-interactive zero-knowledge 
proofs [24,36]. Each of these results focuses on a specific construction, and 
employs a specific set of techniques to achieve tight security. (One exception 
is a paper by Attrapadung, Hanaoka, and Yamada [5] that gives an abstrac- 
tion from which several different IBE variants can be constructed. This work, 
however, is still focused on IBE and on a particular construction approach.) By 
presenting our results at the level of assumptions, we can instead prove tight 
security for an entire class of constructions; i.e., constructions that are instan- 
tiated in appropriate groups and have been previously proved secure under an 
appropriate class of q-type assumptions. To the best of our knowledge, we are 
thus the first to use the dual-system technique to provide a tightly secure reduc- 
tion in a more general setting. Finally, we note that while much of the previous 
work has focused on reductions whose running time is linear in the security para- 
meter, our reduction is linear in log(q), which in practice may be a much smaller 
number. 

2 Definitions and Notation 

2.1 Preliminaries 

If x is a binary string then |x| denotes its bit length. If S is a finite set then |S| 
denotes its size and x ←$ S denotes sampling a member uniformly from S and 
assigning it to x. λ ∈ ℕ denotes the security parameter and 1^λ denotes its unary 
representation. [n] denotes the set {1, ..., n}. 

Algorithms are randomized unless explicitly noted otherwise. “PT” stands 
for “polynomial-time.” By y ← A(x_1, ..., x_n; R) we denote running algorithm 
A on inputs x_1, ..., x_n and random coins R and assigning its output to y. By 
y ←$ A(x_1, ..., x_n) we denote y ← A(x_1, ..., x_n; R) for coins R sampled uni- 
formly at random. By [A(x_1, ..., x_n)] we denote the set of values that have 
positive probability of being output by A on inputs x_1, ..., x_n. Adversaries are 
algorithms. 

We use games in definitions of security and in proofs. A game G has a main 
procedure whose output is the output of the game. Pr[G] denotes the probability 
that this output is true. 


2.2 Basic Bilinear Groups 

A bilinear group is a tuple 𝔾 = (N, G, H, G_T, e), where N is either prime or 
composite, |G| = |H| = kN and |G_T| = ℓN for k, ℓ ∈ ℕ, all elements of G, H, 
and G_T are of order at most N, and e : G × H → G_T is a bilinear map: it is 
efficiently computable, satisfies e(A^x, B^y) = e(A, B)^{xy} for all A ∈ G, B ∈ H, 
and x, y ∈ ℤ/Nℤ (bilinearity), and if e(A, B) = 1 for all B ∈ H then A = 1 and 
vice versa if this holds for all A ∈ G (non-degeneracy). We use BilinearGen to 
denote the algorithm by which bilinear groups are generated. 

When G and H are cyclic, the description of the group may include their 
respective generators g and h. If the groups can be decomposed as G = G_1 × 
G_2 and H = H_1 × H_2, the description of the group may include information 
about these subgroups and their generators; additionally, the number of cyclic 
subgroups may be provided as an argument n to BilinearGen. 


2.3 Subgroup Hiding and Parameter Hiding 

We highlight two structural properties of bilinear groups — subgroup hiding and 
parameter hiding — that are essential to the Deja Q framework, using adapted 
versions of the definitions given by Chase and Meiklejohn [18]. 
Assumption 2.1 (Subgroup hiding). For n ∈ ℕ and a bilinear group gener- 
ation algorithm BilinearGen(·, ·), define Adv^{sgh}_A(λ) = 2Pr[SGH^A(λ)] − 1, where 
SGH^A(λ) is defined as follows: 

    main SGH^A(λ) 
      b ←$ {0, 1}; (N, G, H, G_T, e, μ) ←$ BilinearGen(1^λ, n) 
      if (b = 0) then w ←$ G 
      if (b = 1) then w ←$ G_1 
      b' ←$ A(N, G, H, G_T, e, μ, w) 
      return (b' = b) 

Then subgroup hiding holds in G_1 with auxiliary information μ if for all PT 
adversaries A there exists a negligible function ν(·) such that Adv^{sgh}_A(λ) < ν(λ). 

Subgroup hiding is defined analogously for G_2, G_{1,T}, and G_{2,T} (where G_{1,T} 
and G_{2,T} are cyclic subgroups of G_T), and the auxiliary information μ is designed 
to capture additional subgroup generators that may also be given out (with 
the observation that revealing certain subgroup generators might allow one to 
trivially distinguish subgroups when using a canceling pairing, so one must be 
careful with what μ contains). If we switch between different subgroups rather 
than one subgroup and the full group — e.g., between G_2 and G_{23}, as we do in 
Sect. 4 — then we say subgroup hiding holds between the subgroups. 

To elaborate on the point about μ, subgroup hiding can be trivially broken if 
the adversary has knowledge of certain generators; e.g., if an adversary is given a 
value w and asked to determine if it is in G or G_1, knowledge of the generator h_2 
allows it to check if e(w, h_2) = 1 and trivially break subgroup hiding. To avoid 
this, the many variants of subgroup hiding used in the literature often specify 
which subgroup elements the adversary can see [16,25,27,33,34,39], and the 
rules about which generators can be given out have been codified in the general 
subgroup decision assumption due to Bellare, Waters, and Yilek [8]. The variants 
of subgroup hiding that we use in Sects. 3 and 4 are specific instantiations of this 
general assumption. 


Definition 2.1 (Extended parameter hiding). For m, n ∈ ℕ and a bilinear 
group (N, G, H, G_T, e, μ) ∈ [BilinearGen(1^λ, n)], we say extended parameter hid- 
ing holds with respect to a family of functions F, auxiliary information aux, and 
a pair of subgroups (G_{i_1}, G_{i_2}) if for all g_{i_1} ∈ G_{i_1} and g_{i_2} ∈ G_{i_2}, the distribution 

    {g_{i_1}^{f(x)} g_{i_2}^{f(x)}, a(x)}_{f ∈ F, a ∈ aux}   is identical to   {g_{i_1}^{f(x)} g_{i_2}^{f(x')}, a(x)}_{f ∈ F, a ∈ aux} 

for x, x' ←$ (ℤ/Nℤ)^m. 


Chase and Meiklejohn proved [18, Lemma 5.2] that their original definition of 
extended parameter hiding (which used n = 2) holds in composite-order bilinear 
groups with respect to all polynomial functions and the version of aux that we 
require in Sect. 3. In Sect. 4, however, we consider a group with n > 2 subgroups 
and we want parameter hiding to hold across subgroups beyond G_1 and G_2. We 
thus prove that parameter hiding still holds in this setting as long as the orders 
of G_{i_1} and G_{i_2} have no primes in common and the auxiliary information is not 
in G_{i_2}. 

Lemma 2.1. For all m, n ∈ ℕ, and for all bilinear groups (N, G, H, G_T, e) ∈ 
[BilinearGen(1^λ, n)] where N = p_1 · ... · p_n, (i_1, i_2) such that 1 ≤ i_1, i_2 ≤ n, 
and for the class F of all polynomials f(·) over ℤ/Nℤ, if gcd(p_{i_1}, p_{i_2}) = 1 and 
if for all a ∈ aux, a(·) ∈ A such that gcd(|A|, p_{i_2}) = 1, the distribution 
over {g_{i_1}^{f(x)} g_{i_2}^{f(x)}, a(x)}_{f ∈ F, a ∈ aux} is identical to the distribution over 
{g_{i_1}^{f(x)} g_{i_2}^{f(x')}, a(x)}_{f ∈ F, a ∈ aux} for x, x' ←$ (ℤ/Nℤ)^m. 

Proof. For any polynomial f(·), one can compute g_{i_1}^{f(x)} knowing just the value 
of x_j mod p_{i_1} for all j, 1 ≤ j ≤ m, and can similarly compute g_{i_2}^{f(x)} knowing 
just the value of x_j mod p_{i_2} for all j, 1 ≤ j ≤ m. If gcd(p_{i_1}, p_{i_2}) = 1 and the 
functions in aux reveal no information about x_j mod p_{i_2}, then by the Chinese 
Remainder theorem the values of x_j mod p_{i_2} are independent of all the other 
values, so this is identical to using an independent x'_j for the g_{i_2} values. □ 

3 Uber-Assumptions in the Target Group 

In this section, we consider how to capture new classes of assumptions within 
the Deja Q framework [18]. In particular, we first prove in Sect. 3.1 that deci- 
sional and computational uber-assumptions in the target group are implied — 
through the repeated application of subgroup hiding and parameter hiding — by 
assumptions with significant amounts of randomness folded into particular sub- 
groups. (The framework previously covered only computational assumptions in 
the source group, which are implied by computational assumptions in the target 
group, or “one-sided” decisional assumptions in the source group; i.e., assump- 
tions where meaningful functions could be given out on only one side of the 
pairing.) 

Next, in Sect. 3.2, we show that the computational variant of the transitioned 
uber-assumption is so weak that it holds by a statistical argument; thus, the 
computational uber-assumption can be implied solely by subgroup hiding. By 
relying on an additional mild subgroup hiding assumption in the target, we can 
show the same results for decisional variants as well; i.e., we can show that the 
decisional uber-assumption is implied by three variants of subgroup hiding. 

Finally, in Sect. 3.3, we observe that many examples of uber-assumptions 
(including widely used q-type assumptions) have been used only in symmet- 
ric bilinear groups to date, making it difficult to cover them directly with our 
analysis. (In Sect. 4, we do provide ways to cover the symmetric setting, but this 
requires an extra prime in the order of the group.) We thus demonstrate how 
to convert popular symmetric assumptions into asymmetric variants using tech- 
niques due to Abe et al. [3]. All of our converted symmetric schemes — e.g., the 
BGW broadcast encryption scheme [12] and the Waters attribute-based encryp- 
tion scheme [41] — rely for security on q-type decisional uber-assumptions of the 
appropriate form, so our results demonstrate the security of these schemes when 
instantiated in groups where subgroup hiding holds. 
3.1 Reducing Asymmetric Assumptions to Weaker Variants 

In the uber-assumption [18, Assumption 4.1], the adversary is given three sets 
of values with respect to a set of c variables x: a generator g ∈ G raised to 
a set of functions R(x), a generator h ∈ H raised to a set of functions S(x), 
and the value e(g, h) raised to a set of functions T(x) (where g^{R(x)} is used as 
shorthand for {g^{ρ_i(x)}}_{i=1}^r for R = (ρ_1(x), ..., ρ_r(x)), and similarly for S and T). 
The adversary is then asked to either compute e(g, h)^{f(x)} (in the computational 
assumption in the target group) or distinguish it from random. 

This definition captures a broad range of q-type assumptions, but in some 
cases it may be instructive to explicitly identify the qualities of the assump- 
tion that are used in the reduction. In particular, constructions that use the 
dual-system technique must add noise into group elements in such a way that 
valuable information is hidden but one can nevertheless continue to correctly 
perform operations (e.g., decryption) without noticing the added noise. This is 
often accomplished by using two separate generators that are primarily used for 
separate operations — e.g., in the case of identity-based encryption, one generator 
is used to create the parameters and the other to form the challenge ciphertext — 
and this separation is acknowledged in the assumption. For example, the (sym- 
metric) q-BDHE assumption [11] says that given (g, g^s, {g^{a^i}}_{i ∈ [2q], i ≠ q+1}), it 
should be hard to distinguish e(g, g)^{a^{q+1} s} from random. 

We thus modify slightly the original definition of the uber-assumption to (1) 
make explicit the role of two generators h and ĥ, the former of which we move 
into a subgroup to provide the necessary correctness and the latter of which 
we keep in the full group to provide the necessary hiding guarantee, and (2) 
combine computational and decisional assumptions into the same definition so 
we can cover them both in our main theorem. 

Assumption 3.1 (Uber-assumption). Define the advantage of an adversary 
A by Adv^{comp-uber}_A(λ) = Pr[comp-UBER^A_{c,R,S,T,f}(λ)] in the computational case 
and Adv^{dec-uber}_A(λ) = 2Pr[dec-UBER^A_{c,R,S,T,f}(λ)] − 1 in the decisional case, where 
type-UBER^A_{c,R,S,T,f}(λ) is defined as follows for type ∈ {comp, dec}: 

    MAIN type-UBER^A_{c,R,S,T,f}(λ) 
      (N, G, H, G_T, e) ←$ BilinearGen(1^λ, 2); g ←$ G; h, ĥ ←$ H 
      x_1, ..., x_c ←$ ℤ/Nℤ 
      inputs ← (N, G, H, G_T, e, g, ĥ, g^{R(x)}, h^{S(x)}, e(g, h)^{T(x)}) 
      chal ← e(g, ĥ)^{f(x)} 
      return type-PLAY(A, inputs, chal) 

    comp-PLAY(A, inputs, chal) 
      y ←$ A(1^λ, inputs) 
      return (y = chal) 

    dec-PLAY(A, inputs, chal) 
      b ←$ {0, 1} 
      if (b = 0) then y ←$ G_T 
      if (b = 1) then y ← chal 
      b' ←$ A(1^λ, inputs, y) 
      return (b' = b) 

Then the uber-assumption in the target group holds if for all PT algorithms A 
there exists a negligible function ν(·) such that Adv^{uber}_A(λ) < ν(λ). 

We now proceed to prove a theorem analogous to the one in the original Deja 
Q framework [19, Theorem 4.8], but which treats these different bases in H in 
different ways. For ease of exposition, we make explicit the original assumption 
used in this proof, which (with our additional generator ĥ added) is as follows: 

Assumption 3.2. For a bilinear group 𝔾 = (N, G, H, G_T, e) ∈ [BilinearGen 
(1^λ, 2)], ℓ ∈ ℕ, and classes of functions R, S, T, and f (as defined in the uber- 
assumption in Assumption 3.1), given 

    inputs = (g_1 g_2^{Σ_{i=1}^ℓ r_i}, ĥ, {g_1^{ρ_k(x)} g_2^{Σ_{i=1}^ℓ r_i ρ_k(x_i)}}_{k=1}^r, h_1^{S(x)}, e(g_1, h_1)^{T(x)}) 

for g_1 ←$ G_1, g_2 ←$ G_2 \ {1}, ĥ ←$ H, h_1 ←$ H_1, and r_1, ..., r_ℓ ←$ ℤ/Nℤ, 
x, x_1, ..., x_ℓ ←$ (ℤ/Nℤ)^c, no PT adversary has more than negligible advantage 
when playing type-PLAY(A, inputs, e(g_1, ĥ)^{f(x)} e(g_2, ĥ)^{Σ_{i=1}^ℓ r_i f(x_i)}). 


Theorem 3.3. For a bilinear group 𝔾 = (N, G, H, G_T, e) ∈ [BilinearGen(1^λ, 2)], 
consider the uber-assumption in the target group parameterized by (c, R, S, T, f). 
Then this is implied by Assumption 3.2 if 

1. subgroup hiding holds in G_1 with μ = {g_2, h_1}; 

2. subgroup hiding holds in H_1 with μ = {g_1}; and 

3. extended parameter hiding holds with respect to F = R ∪ {f} and aux = 
{h_1^{a(x)}}_{a ∈ S ∪ T} for all h_1 ∈ H_1. 

In particular, for ℓ ∈ ℕ we have that 

    Adv^{uber}_A(λ) ≤ Adv^{sgh}_{G_1}(λ) + Adv^{sgh}_{H_1}(λ) + ℓ · Adv^{sgh}_{G_1}(λ) + Adv^{3.2}_A(λ). 

A proof of this theorem can be found in the full version of the paper [17]. 
Intuitively, the outline is similar to that of the original proof: to start, all elements 
in G are first shifted into G_1, and elements using h as the base are shifted into 
H_1. Elements using ĥ remain in the full group H (this is our main point of 
divergence from the original Deja Q proof). We argue that both of these changes 
go unnoticed by subgroup hiding. Then, the elements in G_1 are added into G_2, 
which we again argue goes unnoticed by subgroup hiding. The elements in G_2 
are then switched to use a new set of variables x_1, which we argue is identical by 
parameter hiding. Now, we repeat this process of adding the original elements 
from G_1 into G_2 and switching them to a new set of variables, until — after ℓ 
transitions — we end up with ℓ sets of variables in G_2. 
3.2 Reducing Asymmetric Assumptions to Subgroup Hiding 

We now deal separately with the case of computational and decisional assump- 
tions, as decisional assumptions require an extra assumption on the indistin- 
guishability of random elements in G_{2,T} and random elements in G_T (we use 
G_{i,T} to denote the i-th subgroup of G_T). For both, however, we first recall two 
relevant components from the Deja Q framework: the matrix V defined as 

    V = \begin{bmatrix}
          1 & ρ_1(x_1) & ρ_2(x_1) & \cdots & ρ_q(x_1) & f(x_1) \\
          1 & ρ_1(x_2) & ρ_2(x_2) & \cdots & ρ_q(x_2) & f(x_2) \\
          \vdots & \vdots & \vdots & & \vdots & \vdots \\
          1 & ρ_1(x_ℓ) & ρ_2(x_ℓ) & \cdots & ρ_q(x_ℓ) & f(x_ℓ)
        \end{bmatrix}                                                    (1) 

and a lemma that relates the linear independence of the polynomials with the 
invertibility of V as follows: 

Lemma 3.1. [18] For all λ ∈ ℕ, if the functions in R ∪ {f} are linearly inde- 
pendent and of maximum degree poly(λ), ℓ = q + 2 for q = poly(λ), and 
N = p_1 · ... · p_n for n = poly(λ) distinct primes p_1, ..., p_n ∈ Ω(2^{poly(λ)}), then 
with all but negligible probability the matrix V is invertible. 


We also make explicit the argument used in the Deja Q framework concerning 
the multiplication of this matrix with a random vector. 


Lemma 3.2. If V is invertible, then the distribution over r · V for r_1, ..., r_{q+2} ←$ 
ℤ/Nℤ is uniformly random. 

Proof. Define y ← r · V, and consider the set of all vectors of length q + 2 over 
ℤ/Nℤ. Since r and y are both members of this set, multiplication by V maps 
the set to itself; as V is furthermore invertible, it is a permutation over this set. 
Thus, sampling r uniformly at random and multiplying by V yields a vector y 
that is also distributed uniformly at random. □ 


Computational Assumptions. For computational assumptions, we can now 
argue directly that, by transitioning to Assumption 3.2, we reach an assumption 
so weak that it holds by a statistical argument. Thus, the computational uber- 
assumption reduces directly to subgroup hiding. 

Proposition 3.1. For a bilinear group 𝔾 of order N, the computational uber- 
assumption parameterized by (c, R, S, T, f) holds in the target group if 

1. subgroup hiding holds in G_1 with μ = {g_2, h_1}; 

2. subgroup hiding holds in H_1 with μ = {g_1}; 

3. extended parameter hiding holds with respect to F = R ∪ {f} and aux = 
{h_1^{a(x)}}_{∀a ∈ S ∪ T} for all h_1 ∈ H_1; 

4. N = p_1 · ... · p_n for distinct primes p_1, ..., p_n ∈ Ω(2^{poly(λ)}); and 

5. the polynomials in R ∪ {f} are linearly independent and have maximum degree 
poly(λ). 

Proof. By requirements (1)-(3), Theorem 3.3 tells us that the original assump- 
tion is implied by the computational variant of Assumption 3.2. We make the 
problem strictly easier if we assume that g_1 and x are public, in which case 
h_1^{S(x)} and e(g_1, h_1)^{T(x)} provide no additional information, and A can compute 
the G_{1,T} component of chal directly. 

We thus consider a problem where A is given ĥ and {g_2^{Σ_{i=1}^ℓ r_i ρ_k(x_i)}}_{k=0}^q 
and we must argue that it is hard for it to compute e(g_2, ĥ)^{Σ_{i=1}^ℓ r_i f(x_i)}. If we let 
ℓ = q + 2, requirements (4)-(5) and Lemma 3.1 imply that V is invertible with 
all but negligible probability, and Lemma 3.2 then tells us that the distribution 
over y ← r · V is uniformly random. As A is given values in G_2 raised to the 
first q + 1 entries of y and is asked to compute e(g_2, ĥ) raised to the last, it is 
thus given uniformly random values and asked to compute something uniformly 
random, which it has at most negligible probability in doing. □ 
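As an added example (not code from the paper), the following Python script instantiates the matrix V of Eq. (1) for the q-BDHE-style family R = {x, ..., x^q}, f = x^{q+1} over a constructed toy modulus N = 5 · 7, checks invertibility modulo each prime as in Lemma 3.1, and enumerates every r to confirm the claim of Lemma 3.2 used in the last step of this proof: when V is invertible, r · V is a permutation of (ℤ/Nℤ)^ℓ, so the last entry Σ_i r_i f(x_i) is uniform even given the first q + 1 entries. The value of q, the primes and the sample x_i are constructed for the demonstration.

```python
from collections import Counter
from itertools import product

# Constructed toy parameters: N = 5 * 7 gives no security at all, but it is
# small enough to enumerate every r in (Z/NZ)^ell and every choice of x exactly.
PRIMES = (5, 7)
N = PRIMES[0] * PRIMES[1]
Q = 1            # |R| = q
ELL = Q + 2      # Lemma 3.1 takes ell = q + 2 rows

def rho(k, x):
    """rho_0 = 1, rho_k = x^k for k in [q], and f = x^(q+1): the q-BDHE-style family."""
    return pow(x, k, N)

def build_V(xs):
    """Row i of V is (1, rho_1(x_i), ..., rho_q(x_i), f(x_i)), as in Eq. (1)."""
    return [[rho(k, x) for k in range(Q + 2)] for x in xs]

def rank_mod_p(M, p):
    """Rank of a matrix over GF(p) by Gauss-Jordan elimination."""
    A = [[v % p for v in row] for row in M]
    rows, cols, rank = len(A), len(A[0]), 0
    for col in range(cols):
        pivot = next((r for r in range(rank, rows) if A[r][col]), None)
        if pivot is None:
            continue
        A[rank], A[pivot] = A[pivot], A[rank]
        inv = pow(A[rank][col], -1, p)
        A[rank] = [(v * inv) % p for v in A[rank]]
        for r in range(rows):
            if r != rank and A[r][col]:
                factor = A[r][col]
                A[r] = [(a - factor * b) % p for a, b in zip(A[r], A[rank])]
        rank += 1
    return rank

def invertible_mod_N(M):
    """A square matrix over Z/NZ is invertible iff it is invertible modulo every p | N."""
    return all(rank_mod_p(M, p) == len(M) for p in PRIMES)

def count_invertible():
    """Number of x in (Z/NZ)^ell for which V is invertible (the probability of Lemma 3.1).

    For this Vandermonde-shaped V, invertibility means the x_i are pairwise distinct
    modulo every prime, so the count is prod_p p(p-1)(p-2) = 60 * 210 here.  With
    primes this small the failure probability is large; Lemma 3.1 needs p_i huge.
    """
    return sum(invertible_mod_N(build_V(xs)) for xs in product(range(N), repeat=ELL))

def vec_times_matrix(r, V):
    """y = r * V over Z/NZ."""
    return tuple(sum(ri * V[i][j] for i, ri in enumerate(r)) % N
                 for j in range(len(V[0])))

def image_of_all_r(xs):
    """All y = r * V as r ranges over (Z/NZ)^ell: the whole space iff V is invertible (Lemma 3.2)."""
    V = build_V(xs)
    return {vec_times_matrix(r, V) for r in product(range(N), repeat=ELL)}

def last_entry_distribution(xs):
    """Distribution of the last entry of y, i.e. sum_i r_i f(x_i), the exponent that the
    adversary in Proposition 3.1 must produce on e(g_2, h-hat)."""
    V = build_V(xs)
    return Counter(vec_times_matrix(r, V)[-1] for r in product(range(N), repeat=ELL))

if __name__ == "__main__":
    good, bad = (1, 2, 3), (1, 6, 3)          # 1 == 6 (mod 5) makes the second V singular
    print("V(1,2,3) invertible:", invertible_mod_N(build_V(good)))     # True
    print("V(1,6,3) invertible:", invertible_mod_N(build_V(bad)))      # False
    print("invertible x triples:", count_invertible(), "of", N ** ELL) # 12600 of 42875
    print("image size, good:", len(image_of_all_r(good)))              # 42875
    print("image size, bad: ", len(image_of_all_r(bad)))               # smaller
    print("last entry counts:", sorted(set(last_entry_distribution(good).values())))  # [1225]
```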


Decisional Assumptions. Finally, to enable an argument about the decisional 
assumption in the target, we introduce the following assumption: 

Assumption 3.4. For ℓ ∈ ℕ and a bilinear group 𝔾 = (N, G, H, G_T, e) ∈ 
[BilinearGen(1^λ, 2)], consider the inputs given to A in Assumption 3.2. Given 
the same set of inputs, it is difficult to distinguish e(g_1, ĥ)^{f(x)} e(g_2, ĥ)^{Σ_{i=1}^ℓ r_i f(x_i)} 
from e(g_1, ĥ)^{f(x)} · R for R ←$ G_{2,T}. 

We now prove the following lemma: 

Lemma 3.3. If subgroup hiding holds in G_{2,T} with μ = {g_1, g_2, h_1}, then 
Assumption 3.2 is implied by Assumption 3.4. 


    MAIN G^A_{3.2}(λ) / G^A_0(λ) / G^A_1(λ) 
      ... 
      if (b = 0) then chal ←$ G_T                                      // G_{3.2}(λ) 
      if (b = 0) then R ←$ G_T; chal ← e(g_1, ĥ)^{f(x)} · R             // G_0(λ) 
      if (b = 0) then R ←$ G_{2,T}; chal ← e(g_1, ĥ)^{f(x)} · R         // G_1(λ) 
      ... 

Fig. 1. Games for the proof of Lemma 3.3. Each game introduces the boxed code on 
its corresponding line. 
Proof. Let A be a PT adversary playing game G^A_{3.2}(λ), and let Adv^{3.4}_A(λ) denote 
its advantage in the game specified in Assumption 3.4. We build a PT adversary 
B such that 

    Adv^{3.2}_A(λ) ≤ Adv^{sgh}_B(λ) + Adv^{3.4}_A(λ) 

for all λ ∈ ℕ, from which the theorem follows. To do this, we build B such that 

    Pr[G^A_{3.2}(λ)] − Pr[G^A_0(λ)] = 0                 (2) 
    Pr[G^A_0(λ)] − Pr[G^A_1(λ)] ≤ Adv^{sgh}_B(λ)       (3) 
    Pr[G^A_1(λ)] = Adv^{3.4}_A(λ).                     (4) 

We then have that 

    Adv^{3.2}_A(λ) = Pr[G^A_{3.2}(λ)] 
                   = (Pr[G^A_{3.2}(λ)] − Pr[G^A_0(λ)]) + (Pr[G^A_0(λ)] − Pr[G^A_1(λ)]) + Pr[G^A_1(λ)] 
                   ≤ Adv^{sgh}_B(λ) + Adv^{3.4}_A(λ). 

We follow the game hops presented in Figure 1. 

Equation 2: G^A_{3.2}(λ) to G^A_0(λ) 

This follows trivially, as the values chal · A and chal are identically distributed 
for chal ←$ G_T and A ∈ G_{1,T}. 

Equation 3: G^A_0(λ) to G^A_1(λ) 

B behaves as follows: 

    B(1^λ, N, G, H, G_T, e, g_1, g_2, h_1, w) 
      b ←$ {0, 1} 
      x, x_1, ..., x_ℓ ←$ (ℤ/Nℤ)^c, r_1, ..., r_ℓ ←$ ℤ/Nℤ 
      v_k ← g_1^{ρ_k(x)} g_2^{Σ_{i=1}^ℓ r_i ρ_k(x_i)} ∀k ∈ {0} ∪ [r]   (Here we define ρ_0 = 1.) 
      y_k ← h_1^{σ_k(x)} ∀k ∈ [s] 
      z_k ← e(g_1, h_1)^{τ_k(x)} ∀k ∈ [t] 
      inputs ← (N, G, H, G_T, e, ĥ, v_0, ..., v_r, y_1, ..., y_s, z_1, ..., z_t) 
      if (b = 0) then chal ← e(g_1, ĥ)^{f(x)} · w 
      if (b = 1) then chal ← e(g_1, ĥ)^{f(x)} e(g_2, ĥ)^{Σ_{i=1}^ℓ r_i f(x_i)} 
      b' ←$ A(1^λ, inputs, chal) 
      return (b' = b) 

If w ←$ G_T, then this is identical to G^A_0(λ). If w ←$ G_{2,T}, then this is identical 
to G^A_1(λ). □ 

Proposition 3.2. For a bilinear group 𝔾 of order N, the decisional uber- 
assumption parameterized by (c, R, S, T, f) holds in the target group if 

1. subgroup hiding holds in G_1 with μ = {g_2, h_1}; 

2. subgroup hiding holds in H_1 with μ = {g_1}; 

3. subgroup hiding holds in G_{2,T} with μ = {g_1, g_2, h_1}; 

4. extended parameter hiding holds with respect to F = R ∪ {f} and aux = 
{h_1^{a(x)}}_{∀a ∈ S ∪ T} for all h_1 ∈ H_1; 

5. N = p_1 · ... · p_n for distinct primes p_1, ..., p_n ∈ Ω(2^{poly(λ)}); and 

6. the polynomials in R ∪ {f} are linearly independent and have maximum degree 
poly(λ). 

Proof. By requirements (1)-(4), Theorem 3.3 and Lemma 3.3 tell us that the 
original assumption is implied by Assumption 3.4. We make the problem strictly 
easier if we assume that g_1 and x are public, in which case h_1^{S(x)} and 
e(g_1, h_1)^{T(x)} provide no additional information, and A can compute the G_{1,T} 
component of chal directly (which is the same in either case). 

We thus consider a problem where A is given ĥ and {g_2^{Σ_{i=1}^ℓ r_i ρ_k(x_i)}}_{k=0}^q 
and we must argue that it is hard for it to distinguish e(g_2, ĥ)^{Σ_{i=1}^ℓ r_i f(x_i)} from 
random. If we let ℓ = q + 2, requirements (5)-(6) and Lemmas 3.1 and 3.2 imply 
that the distribution over y ← r · V is uniformly random with all but negligible 
probability. As A is given values in G_2 raised to the first q + 1 entries of y and 
is asked to distinguish e(g_2, ĥ) raised to the last from random, it is thus given 
uniformly random values and asked to distinguish two uniformly random things, 
which it has at most negligible advantage in doing. □ 


3.3 Converting Symmetric Uber-Assumptions 

As mentioned earlier, most schemes that rely on q-type assumptions do so in 
the symmetric setting, whereas our analysis above works only in the asymmetric 
setting. To nevertheless capture these useful examples of g-type assumptions, we 
use the technique of Abe et al. [3] to convert the assumptions from the symmetric 
to the asymmetric setting so that they can be covered by our analysis. 

To perform this conversion, we must of course do so in a way that respects 
the underlying reduction; i.e., we must ensure that the asymmetric variant of the 
scheme can still be proved secure under the asymmetric variant of the assump- 
tion. The main technique for doing this revolves around the idea of dependency 
graphs that reflect the usage of all values in the source groups and how they 
interact with each other and with the pairing. Thus, all of the dependencies in 
both the scheme and its security reduction are represented in a directed graph 
Γ, with pairings represented by two nodes (one for each side of the pairing). To 
find an asymmetric variant that respects these dependencies, one must search 
for a valid split of Γ into Γ_0 and Γ_1; this is defined as a split in which 

- No nodes or edges are lost; i.e., merging Γ_0 and Γ_1 recovers Γ, 

- For every pair of pairing nodes, if one node is in Γ_0, the other node is exclu- 
sively in Γ_1, and 

- For every node X in each split graph, the ancestor subgraph of X in Γ is 
included in the same graph. 

For more details on this technique and the process of automating it, we refer 
to the original paper of Abe et al. or to a paper by Akinyele et al. [4] that 
proposes a tool, AutoGroup+, that improves on the tool developed by Abe et al. 
and applies the technique to additional schemes. 
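As an added example, not taken from Abe et al. or from the tooling the paper cites, the following Python code checks the three conditions above for a proposed split of a dependency graph Γ into Γ_0 and Γ_1. The small graph, its node names and its single pairing are constructed for the demonstration and only loosely echo the kind of structure shown in Fig. 2; they are not the graph of any scheme in the paper.

```python
# Constructed dependency graph: an edge (u, v) means v is derived from u, and
# each use p_n of the pairing contributes two nodes p_n[0] and p_n[1], one per
# side.  The names only loosely echo Fig. 2; this is not the paper's graph.
EDGES = {
    ("g", "a"), ("g", "gc"), ("a", "yi"), ("g", "yi"),   # assumption inputs
    ("g", "B"), ("gc", "B"),                              # a ciphertext element
    ("a", "a0"), ("yi", "a0"),                            # a key element
    ("B", "p0[0]"), ("a0", "p0[1]"),                      # one pairing, two sides
}
PAIRINGS = [("p0[0]", "p0[1]")]

def nodes_of(edges):
    return {n for e in edges for n in e}

def ancestors(node, edges):
    """All nodes from which `node` is reachable: the ancestor subgraph of X in Gamma."""
    seen, stack = set(), [node]
    while stack:
        cur = stack.pop()
        for u, v in edges:
            if v == cur and u not in seen:
                seen.add(u)
                stack.append(u)
    return seen

def check_split(edges, pairings, side0, side1):
    """Return the list of violated conditions (empty iff the split is valid).

    side0 and side1 are the node sets of Gamma_0 and Gamma_1; a node present in
    both is a 'diamond' node replicated across G and H.  Each side inherits the
    edges of Gamma whose two endpoints both lie in it.
    """
    problems = []
    all_nodes = nodes_of(edges)
    # 1. Nothing lost: merging the two sides recovers every node and every edge.
    if side0 | side1 != all_nodes:
        problems.append("nodes lost: %s" % sorted(all_nodes - (side0 | side1)))
    lost_edges = [e for e in edges
                  if not (e[0] in side0 and e[1] in side0)
                  and not (e[0] in side1 and e[1] in side1)]
    if lost_edges:
        problems.append("edges lost: %s" % sorted(lost_edges))
    # 2. The two nodes of a pairing sit on opposite sides, each exclusively.
    for a, b in pairings:
        for x, y in ((a, b), (b, a)):
            if x in side0 and not (y in side1 and y not in side0):
                problems.append("pairing %s/%s not split across sides" % (x, y))
            if x in side1 and not (y in side0 and y not in side1):
                problems.append("pairing %s/%s not split across sides" % (x, y))
    # 3. Ancestor closure: each side contains the ancestors of everything in it.
    for name, side in (("Gamma_0", side0), ("Gamma_1", side1)):
        for node in sorted(side):
            missing = ancestors(node, edges) - side
            if missing:
                problems.append("%s lacks ancestors %s of %s"
                                % (name, sorted(missing), node))
    return problems

def is_valid_split(edges, pairings, side0, side1):
    return not check_split(edges, pairings, side0, side1)

# A valid split: the ciphertext side of the pairing goes to G, the key side to
# H, and g, a, yi are replicated (diamond nodes) because both sides need them.
VALID_SIDE0 = {"g", "a", "gc", "yi", "B", "p0[0]"}
VALID_SIDE1 = {"g", "a", "yi", "a0", "p0[1]"}
# An invalid split: gc is dropped from Gamma_0 and both pairing nodes share a side.
BAD_SIDE0 = {"g", "a", "yi", "B", "p0[0]", "a0", "p0[1]"}
BAD_SIDE1 = {"g", "a", "yi", "a0"}

if __name__ == "__main__":
    print("valid split:", is_valid_split(EDGES, PAIRINGS, VALID_SIDE0, VALID_SIDE1))  # True
    for problem in check_split(EDGES, PAIRINGS, BAD_SIDE0, BAD_SIDE1):
        print("bad split:", problem)
```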

To demonstrate the coverage of our analysis, we have identified four influen- 
tial schemes that rely on symmetric uber-assumptions and demonstrated their 
conversion to asymmetric variants that fit into the class of uber-assumptions our 
analysis can cover. These are: 

- The general construction of the Boneh-Gentry-Waters broadcast encryption 
scheme [12], based on the q-BDHE assumption; 

- the Boneh-Boyen-Goh hierarchical identity-based encryption scheme with 
constant-sized ciphertexts [11], based on the q-wBDHI assumption; 

- the version of Waters’ attribute-based encryption scheme [41] that uses the 
q-BDHE assumption (as opposed to the more efficient construction that uses 
the q-parallel BDHE assumption [43], which we cannot cover); and 

- the Abdalla-Catalano-Fiore identity-based key encapsulation mechanism [1], 
based on the q-wBDHI assumption. 

These schemes are given in Table 1, along with the assumptions they rely 
on for security, and the number of elements in both the symmetric and the 
asymmetric variants of the public key. As an example of our analysis, we include 
in Fig. 2 the dependency graph for the Boneh-Boyen-Goh HIBE. In the graph, 
the shape of the node indicates which side of the split each element goes on: 
triangle nodes are in G, inverted triangle nodes are in H, and diamond nodes 
are replicated across G and H. Pairing equations are denoted by pn[i], where 
n ∈ ℕ indicates a particular usage of the pairing and i ∈ {0, 1} indicates the 
side of the pairing in which the element is used. The nodes with an i included 
represent multiple (related) values; e.g., the node yi represents {g^{a^i}}_i. 

The original q-wBDHI assumption states that given (g, g^c, g^a, g^{a^2}, ..., g^{a^q}), 
it should be hard to distinguish e(g, g)^{a^{q+1} c} from random. Looking at the graph 


Table 1. Examples of schemes whose reductions are compatible with the desired con- 
version from symmetric to asymmetric assumptions, along with the assumptions they 
rely on and the numbers of group elements in both the symmetric and asymmetric 
variants of the public key. The value A refers to the number of parallel instances of the 
system being run in the BGW scheme, and the value U refers to the maximum number 
of system attributes in Waters’ scheme. 

    Scheme        Assumption    Elements in public key 
                                symmetric      asymmetric 
    BGW [12]      q-BDHE        2q + A         4q + A 
    BBG [11]      q-wBDHI       q + 4          2q + 7 
    Waters [41]   q-BDHE        3 + U          5 + 2U 
    ACF [1]       q-wBDHI       2 + 2q         3 + 2q 
Fig. 2. Dependency graph for the BBG HIBE scheme [11]. The public key consists of g, 
g1, g2, g3, and hi, the master secret key is denoted msk, and the secret keys consist of 
a0, a1, and bi. Encryption uses the pairing p0 and produces B and C, and decryption 
uses the pairings p1 and p2. In the reduction, yi and gc are derived from the q-wBDHI 
assumption. 


in Fig. 2, in which these quantities are represented by yi and gc, we see that the 
yi nodes must be replicated across G and H but gc can remain in only one source 
group. Writing h^c as ĥ, the asymmetric q-wBDHI assumption thus states that 
given (g, h, ĥ, g^a, h^a, ..., g^{a^q}, h^{a^q}), it should be hard to distinguish e(g, ĥ)^{a^{q+1}} 
from random. This same converted version of the assumption also works for 
the Abdalla-Catalano-Fiore IB-KEM (whose dependency graph is included in 
Appendix A). 

A similar analysis works for the schemes that rely on the q-BDHE assumption 
(whose dependency graphs are also included in Appendix A), which states that 
given (g, g^c, {g^{a^i}}_{i ∈ [2q], i ≠ q+1}), it should be hard to distinguish e(g, g)^{a^{q+1} c} from 
random. Here we find that the asymmetric variant states that — again, rewriting 
h^c as ĥ — given (g, h, ĥ, {g^{a^i}, h^{a^i}}_{i ∈ [2q], i ≠ q+1}), it should be hard to distinguish 
e(g, ĥ)^{a^{q+1}} from random. 

As each of the converted assumptions fits the set of requirements for the 
uber-assumption needed for Proposition 3.2, we thus obtain as a corollary that, 
when instantiated in asymmetric composite-order bilinear groups, the security of 
each of these schemes can rely solely on (three variants of) the subgroup hiding 
assumption. 

4 Tighter Reductions in (A)symmetric Groups 

The results in the previous section already demonstrate a broader application of 
the Deja Q framework, but two fundamental restrictions remain: it can be applied 
directly to assumptions only in asymmetric composite-order bilinear groups, and 
it introduces a looseness of q into the reduction. In this section, we address both 
of these restrictions. In particular, we show that by adding more primes into the 
factorization of N, we can achieve a tighter reduction — one with log(q) looseness 
instead of q — in symmetric composite-order bilinear groups. 

Our inspiration for the conversion to symmetric groups comes from Wee [44], 
who applied the Deja Q framework at the level of constructions rather than 
assumptions, and thus was able to make use of two key features of traditional 
dual-system reductions: fresh randomness across queries and a third subgroup 
used to hide additional information. To maintain the most generality, we con- 
tinue in Sect. 4.1 to work at the level of assumptions, but we nevertheless attempt 
to capture these additional features by using a variant of the uber-assumption 
in which extra randomness is added into components in G. We then define an 
assumption with significant randomness added into various subgroups in G (anal- 
ogous to Assumption 3.2). Finally, we diverge completely from [44] and prove 
that — in only a logarithmic number of game hops — this assumption implies these 
additionally randomized computational and decisional uber-assumptions in the 
target group. 

Next, in Sect. 4.2, we show — in a manner almost completely analogous to that 
in Sect. 3.2 — that the computational variant of the transitioned uber-assumption 
is so weak that it holds by a statistical argument; thus the computational ran- 
domized uber-assumption is implied by two variants of subgroup hiding. In the 
case of the decisional uber-assumption, we transition to an assumption analo- 
gous to Assumption 3.4 and show that it is implied by three variants of subgroup 
hiding. 

Finally, in Sect. 4.3, we briefly discuss the implications of our results for 
the concrete schemes presented in Sect. 3.3. Although our discussion here is not 
as formal as our symmetric-to-asymmetric conversions, we nevertheless suggest 
ways to transform existing schemes to provide them with tight reductions to 
subgroup hiding. 


4.1 Reducing Randomized Assumptions to Weaker Variants 

We begin by formalizing the randomized uber-assumption as follows: 

Assumption 4.1 (Randomized uber-assumption). Define the advantage of 
an adversary A by Adv^ mp_r_w6er (A) = Pr[comp-RandUBER^ R ST j( A)] in the 
computational case and AdvJ c " r_w6er (A) = 2Pr[dec-RandUBER^ RST j(X)] — l in 
the decisional case , where for type E {comp, dec}, type- RandUBER^ RST j(X) is 
defined as follows (with the omitted end games comp-PLXY and dec- play the same 
as in Assumption 3.1 ): 
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MAIN type-RandUBER^ R S T j(X) 

(N, G, H, G t , e) A BilinearGen(l A , 4 ); g A G, g 4 A G 4 , h H 123 

X U ...,X c ,Xl ^/AZ 

inputs <- (AT, G, H, G T , e, g, # 4 , h, g R ^g\, , e(#, ^m) 7 ^) 

chal <— e(g, h)^ x ^ 

return type-PLAY(A, inputs, chal) 

T/m randomized uber- as sumption in the target group holds if for PT algorithms 
A there exists a negligible function i/(-) that Adv^ n6er (A) < z/(A). 

The main difference from the regular uber-assumption is the additional randomness in $G_4$ (hence the name), and the fact that $h$ is now sampled from the subgroup $H_{123}$ rather than the full group $H$. As discussed further in Sect. 4.3, this latter change is needed to balance out the former, as the canceling property of the pairing means that we can still obtain meaningful values in $G_T$ (i.e., values without added randomness) by pairing an element with a random $G_4$ component with an element in $H_{123}$. To maintain full generality, we also continue to write $G$ and $H$ separately, but in a symmetric pairing they would be the same group.

Assumption 4.2. For $\mathbb{G} = (N, G, H, G_T, e) \in [\mathrm{BilinearGen}(1^\lambda, 4)]$ a bilinear group, $\ell \in \mathbb{N}$, and classes of functions $R$, $S$, $T$, and $f$ (as defined in the uber-assumption in Assumption 4.1), given

inputs $= \big(\mathbb{G},\ g_1\, g_2^{\sum_{i=1}^{\ell} r_i}\, g_4^{\chi_0},\ g_4,\ h,\ \{g_1^{\rho_k(\vec{x})}\, g_2^{\sum_{i=1}^{\ell} r_i \rho_k(\vec{x}_i)}\, g_4^{\chi_k}\}_{k=1}^{r},\ \{h_1^{\sigma(\vec{x})}\}_{\sigma \in S},\ \{e(g_1, h_1)^{\tau(\vec{x})}\}_{\tau \in T}\big)$,

for $g_1 \leftarrow G_1$, $g_2 \leftarrow G_2 \setminus \{1\}$, $g_4 \leftarrow G_4$, $h_1 \leftarrow H_1 \setminus \{1\}$, $h \leftarrow H_{123}$; $\vec{x}, \vec{x}_1, \dots, \vec{x}_\ell \leftarrow (\mathbb{Z}/N\mathbb{Z})^c$; $r_1, \dots, r_\ell, \chi_0, \chi_1, \dots, \chi_r \leftarrow \mathbb{Z}/N\mathbb{Z}$ (with $r = |R|$ and $\rho_1, \dots, \rho_r$ enumerating $R$), there does not exist a PT adversary with better than negligible advantage when playing the game type-PLAY($\mathcal{A}$, inputs, $e(g_1, h_1)^{f(\vec{x})}\, e(g_2, h)^{\sum_{i=1}^{\ell} r_i f(\vec{x}_i)}$).


In addition to the extra subgroups, our new reduction also makes use of a different class of functions for extended parameter hiding. In particular, our old proof added variables into $G_2$ one at a time, which allowed us to fold in a freshly random coefficient $r_j$ in this step. As we now add many variables at a time, however, the extra randomness added by the subgroup hiding transition is not sufficient, so we instead use parameter hiding to argue that the randomness can be "freshened up" in the new subgroup instead. In the main parameter hiding step, we thus want to transition the quantity $\sum_{j} r_j \rho_k(\vec{x}_j)$ to $\sum_{j} r'_j \rho_k(\vec{x}'_j)$, which we accomplish using the set of functions defined as

$\mathcal{T} = \Big\{ (y_1, \dots, y_m, \vec{v}_1, \dots, \vec{v}_m) \mapsto \sum_{i=1}^{m} y_i\, \rho(\vec{v}_i) \Big\}_{\rho \in R \cup \{f\}}$   (5)


Theorem 4.3. For a bilinear group $(N, G, H, G_T, e) \in [\mathrm{BilinearGen}(1^\lambda, 4)]$, consider the randomized uber-assumption parameterized by $(c, R, S, T, f)$. Then this is implied by Assumption 4.2 if

1. subgroup hiding holds between $H_1$ and $H_{123}$ with $\mu = \{g_4, h_{123}\}$;

2. subgroup hiding holds between $G_{24}$ and $G_{34}$ with $\mu = \{g_1, g_{24}, g_4, h_1, h_{123}\}$;

3. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{g_3^{\rho(\cdot)}, h_1^{\sigma(\cdot)}\}_{\rho \in R \cup \{f\},\, \sigma \in S \cup T}$ for all $g_3 \in G_3$ and $h_1 \in H_1$, and subgroups $(G_1, G_2)$;

4. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{h_1^{\sigma(\cdot)}\}_{\sigma \in S \cup T}$ for all $h_1 \in H_1$, and subgroups $(G_1, G_3)$; and

5. extended parameter hiding holds with respect to the $\mathcal{T}$ defined in Eq. 5, aux $= \emptyset$, and subgroups $(G_2, G_3)$.

In particular, we have that

$\mathrm{Adv}^{\text{r-uber}}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\text{sh}}_{1}(\lambda) + \mathrm{Adv}^{\text{sh}}_{2}(\lambda) + \log_2(\ell)\big(\mathrm{Adv}^{\text{sh}}_{3}(\lambda) + \mathrm{Adv}^{\text{sh}}_{4}(\lambda)\big) + \mathrm{Adv}^{4.2}_{\mathcal{A}}(\lambda)$.

Our two subgroup hiding variants are valid instantiations of the general 
subgroup decision assumption [8] discussed in Sect. 2. Similarly, we proved in 
Lemma 2.1 that in composite-order groups extended parameter hiding holds for 
all polynomials and the aux and subgroups that we use here, so the three variants 
all hold and are listed separately solely for insight into the reduction. 

A proof of this theorem can be found in the full version of the paper [17]. To start, all elements using $h$ as the base are shifted into the $H_1$ subgroup, but $h$ itself and the elements in $G$ remain unchanged. Using the first two variants of parameter hiding, we now switch the variables in $G_2$ to $\vec{x}'$ and in $G_3$ to $\vec{x}''$, and, using subgroup hiding, fold the $\vec{x}''$ elements into $G_2$. At this point we have the original variables $\vec{x}$ in $G_1$, two new sets of variables in $G_2$, nothing in $G_3$, and random values in $G_4$.

Our reduction now proceeds by exploiting this "semi-functional" subgroup $G_3$ and the masking effect provided by the randomness in $G_4$. First, a shadow copy of all of the variables in $G_2$ is added to $G_3$, which we argue goes unnoticed by subgroup hiding. Second, the variables in $G_3$ are changed to a new set of variables, which is identical by the third variant of parameter hiding. Finally, we fold all of the new variables back into $G_2$, which we again argue goes unnoticed by subgroup hiding. By working with all of the variables at once, as opposed to the one-at-a-time approach of the original Deja Q framework, we double the number of new variables in the $G_2$ subgroup after each iteration, so after only $\log_2(\ell)$ transitions we end up with $\ell$ sets of variables in the $G_2$ subgroup.

As described, we move new variables from $G_3$ to $G_2$ while using the generator $g_2$ to compute the existing variables in the $G_2$ subgroup. In symmetric groups with a canceling pairing, however, one could use knowledge of this generator to violate subgroup hiding by checking if $e(g_2, w) = 1$. The $G_4$ subgroup is thus needed to mask this transition, so in symmetric groups we transition from $G_{34}$ to $G_{24}$ instead, and argue that the randomness in $G_4$ "absorbs" the variables that are added there. In an asymmetric setting, however, knowledge of $g_2$ does not provide the ability to distinguish $G_2$ and $G_3$, so the masking effect of $G_4$ is unnecessary and the same reduction goes through without it. We thus state the simplified version of Theorem 4.3 for asymmetric groups as the following corollary:

Corollary 4.1. For $(N, G, H, G_T, e) \in [\mathrm{BilinearGen}(1^\lambda, 3)]$ an asymmetric bilinear group, consider the uber-assumption parameterized by $(c, R, S, T, f)$. Then this is implied by a version of Assumption 3.2 (using $\mathrm{BilinearGen}(1^\lambda, 3)$) if

1. subgroup hiding holds between $H$ and $H_1$ with $\mu = \{\}$;

2. subgroup hiding holds between $G_2$ and $G_3$ with $\mu = \{g_1, g_2, h_1\}$;

3. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{g_3^{\rho(\cdot)}, h_1^{\sigma(\cdot)}\}_{\rho \in R \cup \{f\},\, \sigma \in S \cup T}$ for all $g_3 \in G_3$ and $h_1 \in H_1$, and subgroups $(G_1, G_2)$;

4. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{h_1^{\sigma(\cdot)}\}_{\sigma \in S \cup T}$ for all $h_1 \in H_1$, and subgroups $(G_1, G_3)$; and

5. extended parameter hiding holds with respect to the $\mathcal{T}$ defined in Eq. 5, aux $= \emptyset$, and subgroups $(G_2, G_3)$.

In particular, we have that

$\mathrm{Adv}^{\text{uber}}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\text{sh}}_{1}(\lambda) + \mathrm{Adv}^{\text{sh}}_{2}(\lambda) + \log_2(\ell)\big(\mathrm{Adv}^{\text{sh}}_{3}(\lambda) + \mathrm{Adv}^{\text{sh}}_{4}(\lambda)\big) + \mathrm{Adv}^{3.2}_{\mathcal{A}}(\lambda)$.

Thus, under the conditions in Propositions 3.1 and 3.2, we get tight reductions in the asymmetric setting with $N = p_1 p_2 p_3$.

For the rest of this section we will focus on the symmetric setting. 


4.2 Reducing Randomized Assumptions to Subgroup Hiding 

As in Sect. 3, we now treat computational and decisional assumptions separately. 


Computational Assumptions. Our argument that the computational randomized uber-assumption holds is nearly identical to our previous argument that the (regular) computational uber-assumption holds.

Proposition 4.1. For a bilinear group $\mathbb{G}$ of order $N$, the computational uber-assumption parameterized by $(c, R, S, T, f)$ holds in the target group if

1. subgroup hiding holds between $H_1$ and $H_{123}$ with $\mu = \{g_4, h_{123}\}$;

2. subgroup hiding holds between $G_{34}$ and $G_{24}$ with $\mu = \{g_1, g_{24}, g_4, h_1, h_{123}\}$;

3. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{g_3^{\rho(\cdot)}, h_1^{\sigma(\cdot)}\}_{\rho \in R \cup \{f\},\, \sigma \in S \cup T}$ for all $g_3 \in G_3$ and $h_1 \in H_1$, and subgroups $(G_1, G_2)$;

4. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{h_1^{\sigma(\cdot)}\}_{\sigma \in S \cup T}$ for all $h_1 \in H_1$, and subgroups $(G_1, G_3)$;

5. extended parameter hiding holds with respect to the $\mathcal{T}$ defined in Eq. 5, aux $= \emptyset$, and subgroups $(G_2, G_3)$;

6. $N = p_1 \cdots p_n$ for distinct primes $p_1, \dots, p_n \in \Omega(2^{\mathrm{poly}(\lambda)})$; and

7. the polynomials in $R \cup \{f\}$ are linearly independent and have maximum degree $\mathrm{poly}(\lambda)$.

Proof. By requirements (1)-(5), Theorem 4.3 tells us that the computational uber-assumption is implied by the computational variant of Assumption 4.2. We make the problem strictly easier if we assume that $g_1$, $g_4$, $\vec{x}$, and the $\chi_k$ are public, in which case $g_1^{\rho(\vec{x})}$, $g_4^{\chi_k}$, $h_1^{\sigma(\vec{x})}$ and $e(g_1, h_1)^{\tau(\vec{x})}$ provide no additional information.

In this case $\mathcal{A}$ can also compute the $G_{1,T}$ component of chal directly, so we need only to argue that it is hard for it to compute $e(g_2, h)^{\sum_{i=1}^{\ell} r_i f(\vec{x}_i)}$. The rest of the argument can thus proceed as in the proof of Proposition 3.1. □


Decisional Assumptions. To enable an argument about the decisional assumption in the target group, we introduce an assumption analogous to Assumption 3.4.

Assumption 4.4. For a bilinear group $(N, G, H, G_T, e) \in [\mathrm{BilinearGen}(1^\lambda, 4)]$, $\ell \in \mathbb{N}$, consider the values given to $\mathcal{A}$ in Assumption 4.2. Given the same set of values, it is difficult to distinguish $e(g_1, h_1)^{f(\vec{x})}\, e(g_2, h)^{\sum_{i=1}^{\ell} r_i f(\vec{x}_i)}$ from

$e(g_1, h_1)^{f(\vec{x})} \cdot R$ for $R \leftarrow G_{2,T}$.

We now prove the following lemma: 

Lemma 4.1. If subgroup hiding holds in $G_{2,T}$ with $\mu = \{g_1, g_2, g_4, h_1, h_{123}\}$, then Assumption 4.2 is implied by Assumption 4.4.

Proof. Let $\mathcal{A}$ be a PT adversary playing game $G^{4.2}_{\mathcal{A}}(\lambda)$ and let $\mathrm{Adv}^{4.2}_{\mathcal{A}}(\lambda)$ denote its advantage in the game specified in Assumption 4.2. We build a PT adversary $\mathcal{B}$ such that

$\mathrm{Adv}^{4.2}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\text{sh}}_{\mathcal{B}}(\lambda) + \mathrm{Adv}^{4.4}_{\mathcal{A}}(\lambda)$

for all $\lambda \in \mathbb{N}$, from which the lemma follows. To do this, we build $\mathcal{B}$ such that

$\Pr[G^{4.2}_{\mathcal{A}}(\lambda)] - \Pr[G^{4.4}_{\mathcal{A}}(\lambda)] \le \mathrm{Adv}^{\text{sh}}_{\mathcal{B}}(\lambda)$   (6)

We then have that

$\mathrm{Adv}^{4.2}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\text{sh}}_{\mathcal{B}}(\lambda) + \mathrm{Adv}^{4.4}_{\mathcal{A}}(\lambda)$.

Equation 6: $G^{4.2}_{\mathcal{A}}(\lambda)$ to $G^{4.4}_{\mathcal{A}}(\lambda)$

$\mathcal{B}$ behaves as follows (again assuming $\rho_0 = 1$):

$\mathcal{B}(1^\lambda, N, G, H, G_T, e, g_1, g_2, g_4, h_1, h, w)$

  $b \leftarrow \{0, 1\}$

  $\vec{x}, \vec{x}_1, \dots, \vec{x}_\ell \leftarrow (\mathbb{Z}/N\mathbb{Z})^c$; $r_1, \dots, r_\ell, \chi_0, \chi_1, \dots, \chi_r \leftarrow \mathbb{Z}/N\mathbb{Z}$

  $v_k \leftarrow g_1^{\rho_k(\vec{x})}\, g_2^{\sum_{j=1}^{\ell} r_j \rho_k(\vec{x}_j)}\, g_4^{\chi_k}$ for all $k \in \{0, \dots, r\}$

  $y_k \leftarrow h_1^{\sigma_k(\vec{x})}$ for all $k \in [s]$

  $z_k \leftarrow e(g_1, h_1)^{\tau_k(\vec{x})}$ for all $k \in [t]$

  inputs $\leftarrow (N, G, H, G_T, e, g_4, h, v_0, \dots, v_r, y_1, \dots, y_s, z_1, \dots, z_t)$

  if $(b = 0)$ then chal $\leftarrow e(g_1, h_1)^{f(\vec{x})} \cdot w$

  if $(b = 1)$ then chal $\leftarrow e(g_1, h_1)^{f(\vec{x})}\, e(g_2, h)^{\sum_{j=1}^{\ell} r_j f(\vec{x}_j)}$

  $b' \leftarrow \mathcal{A}(1^\lambda, \text{inputs}, \text{chal})$
  return $(b' = b)$

If $w \leftarrow G_T$, then this is identical to $G^{4.2}_{\mathcal{A}}(\lambda)$. If $w \leftarrow G_{2,T}$, then this is identical to $G^{4.4}_{\mathcal{A}}(\lambda)$. □

Proposition 4.2. For a bilinear group $\mathbb{G}$ of order $N$, the decisional uber-assumption parameterized by $(c, R, S, T, f)$ holds in the target group if

1. subgroup hiding holds between $H_{123}$ and $H_1$ with $\mu = \{g_4, h_{123}\}$;

2. subgroup hiding holds between $G_{24}$ and $G_{34}$ with $\mu = \{g_1, g_{24}, g_4, h_1, h_{123}\}$;

3. subgroup hiding holds in $G_{2,T}$ with $\mu = \{g_1, g_2, g_4, h_1, h_{123}\}$;

4. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{g_3^{\rho(\cdot)}, h_1^{\sigma(\cdot)}\}_{\rho \in R \cup \{f\},\, \sigma \in S \cup T}$ for all $g_3 \in G_3$ and $h_1 \in H_1$, and subgroups $(G_1, G_2)$;

5. extended parameter hiding holds with respect to $R \cup \{f\}$, with respect to aux $= \{h_1^{\sigma(\cdot)}\}_{\sigma \in S \cup T}$ for all $h_1 \in H_1$, and subgroups $(G_1, G_3)$;

6. extended parameter hiding holds with respect to the $\mathcal{T}$ defined in Eq. 5, aux $= \emptyset$, and subgroups $(G_2, G_3)$;

7. $N = p_1 \cdots p_n$ for distinct primes $p_1, \dots, p_n \in \Omega(2^{\mathrm{poly}(\lambda)})$; and

8. the polynomials in $R \cup \{f\}$ are linearly independent and have maximum degree $\mathrm{poly}(\lambda)$.

Proof. By requirements (1)-(6), Theorem 4.3 and Lemma 4.1 tell us that the original assumption is implied by Assumption 4.2. We make the problem strictly easier if we assume that $g_1$, $g_4$, $\vec{x}$, and the $\chi_k$ are public, in which case $g_1^{\rho(\vec{x})}$, $g_4^{\chi_k}$, $h_1^{\sigma(\vec{x})}$ and $e(g_1, h_1)^{\tau(\vec{x})}$ provide no additional information. In this case $\mathcal{A}$ can also compute the $G_{1,T}$ component of chal directly (which is the same in either case), so we need only to argue that it is hard for it to distinguish $e(g_2, h)^{\sum_{i=1}^{\ell} r_i f(\vec{x}_i)}$ from random. The rest of the argument can thus proceed as in the proof of Proposition 3.2. □
4.3 Application to Existing Schemes

In Sect. 3.3, we demonstrated how to convert schemes that rely on a symmetric version of the uber-assumption to work in asymmetric groups and thus be covered by our overall results in Sect. 3. Here, we briefly demonstrate how to convert schemes to be covered by our results in this section as well.

Suppose we have a scheme and corresponding reduction that work in asymmetric groups and perform only group operations, pairings, and equality tests between group elements. We can then modify both the scheme and reduction as follows: instead of sampling elements from $H$ we sample them from $H_{123}$; when we multiply any elements in $G$ we also include a freshly random element in $G_4$; and when we compare two elements $g$ and $g'$ in $G$ for equality, rather than return $(g = g')$ we return $(e(g, h_{123}) = e(g', h_{123}))$. In particular, this last alteration, combined with the fact that $e(g_4, h_{123}) = 1$ and that an asymmetric scheme only ever pairs elements of $G$ with elements of $H$, allows us to preserve the functionality of the original scheme despite the fact that additional randomness is added into the $G_4$ subgroup.

If the original assumption relied on for security is a case of the uber-assumption (Assumption 3.1), then the resulting assumption is a case of the randomized uber-assumption (Assumption 4.1). Thus, the concrete schemes presented in Sect. 3.3 can be instantiated either in asymmetric groups of order $N = p_1 p_2 p_3$ under the asymmetric variants of their original (symmetric) assumptions, or in symmetric groups of order $N = p_1 p_2 p_3 p_4$ under the randomized variants. In either case, the results of Theorem 4.3 and Corollary 4.1 imply a tight reduction to the appropriate variants of the subgroup hiding assumption.
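An added derivation, not part of the paper, of the cancellation that the modified equality test relies on: for any $g \in G$, $r_4 \in G_4$ and $h_{123} \in H_{123}$, the orders $|G_4| = p_4$ and $|H_{123}| = p_1 p_2 p_3$ are coprime, so bilinearity gives

$$e(r_4, h_{123})^{p_4} = e(r_4^{p_4}, h_{123}) = e(1, h_{123}) = 1, \qquad e(r_4, h_{123})^{p_1 p_2 p_3} = e(r_4, h_{123}^{p_1 p_2 p_3}) = e(r_4, 1) = 1,$$

and since $\gcd(p_4, p_1 p_2 p_3) = 1$ there are integers $a, b$ with $a p_4 + b\, p_1 p_2 p_3 = 1$, whence $e(r_4, h_{123}) = e(r_4, h_{123})^{a p_4 + b\, p_1 p_2 p_3} = 1$. Therefore

$$e(g \cdot r_4, h_{123}) = e(g, h_{123})\, e(r_4, h_{123}) = e(g, h_{123}),$$

so an element randomized by a $G_4$ component passes the pairing-based equality test exactly when the unrandomized element does.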

Acknowledgments. Mary Maller is supported by a scholarship from Microsoft Research and Sarah Meiklejohn is supported in part by EPSRC Grant EP/M029026/1.


A Dependency Graphs from Sect. 3.3

In this section, we include the rest of the dependency graphs (Figs. 3, 4 and 5) for the converted schemes in Table 1. As a reminder from Sect. 3.3 (in which we included the graph for the Boneh-Boyen-Goh HIBE), the shape of the node indicates which side of the split each element goes on: triangle nodes are in $G$, inverted triangle nodes are in $H$, and diamond nodes are replicated across $G$ and $H$. Pairing equations are denoted by $p_n[i]$, where $n \in \mathbb{N}$ indicates a particular usage of the pairing and $i \in \{0, 1\}$ indicates the side of the pairing in which the element is used. The nodes with an $i$ included represent multiple (related) values; e.g., the node $g_i$ represents $\{g_i\}_i$.

Fig. 3. Dependency graph for the BGW broadcast encryption scheme [12]. The public key consists of $g$, $g_i$ and $v_i$, and the secret key of $d_i$. Encryption uses the pairing $p_0$ and produces $C_0$ and $C_i$, and decryption uses the pairings $p_1$ and $p_2$. In the reduction, $g_i$ are derived from the $q$-BDHE assumption.

Fig. 4. Dependency graph for the ACF IB-KEM [2]. The master public key consists of $g$, $g_{i,j}$, and $g_1$. Secret key derivation uses $h_i$ as the auxiliary information and $\mathsf{sk}_{\mathsf{ID}}$ as the secret key for identity $\mathsf{ID}$. The pairing $p_0$ and the ciphertext $C$ are used in the encapsulation process, decapsulation uses the pairings $p_1$, $p_2$, and $p_3$, and the key is calculated from the encapsulation using $p_4$. In the reduction, $B_i$ and $g_c$ are derived from the $q$-wBDHI assumption.

Fig. 5. Dependency graph for the Waters ABE scheme [41]. The public key consists of $g$, $g^a$, and $h_i$, and is computed using the pairing $p_0$. $\mathsf{msk}$ denotes the master secret key and the secret key consists of $K$, $K_x$, and $L$. Encryption uses the pairing $p_1$ and produces $C'$ and $CT$, and decryption uses the pairings $p_2$, $p_3$, and $p_4$. In the reduction, $g_i$ and $g_c$ are derived from the $q$-BDHE assumption, and the pairing $p_5$ is used to simulate the pairing $p_0$.
Abstract. In this paper, we present new adaptively secure identity-based encryption (IBE) schemes. One of the distinguishing properties of the schemes is that they achieve shorter public parameters than previous schemes. Both of our schemes follow the general framework presented in the recent IBE scheme of Yamada (Eurocrypt 2016), employed with novel techniques tailored to meet the underlying algebraic structure to overcome the difficulties arising in our specific setting. Specifically, we obtain the following:

- Our first scheme is proven secure under the ring learning with errors (RLWE) assumption and achieves the best asymptotic space efficiency among existing schemes from the same assumption. The main technical contribution is in our new security proof that exploits the ring structure in a crucial way. Our technique allows us to greatly weaken the underlying hardness assumption (e.g., we assume the hardness of RLWE with a fixed polynomial approximation factor whereas Yamada's scheme requires a super-polynomial approximation factor) while improving the overall efficiency.

- Our second IBE scheme is constructed on bilinear maps and is secure under the 3-computational bilinear Diffie-Hellman exponent assumption. This is the first IBE scheme based on the hardness of a computational/search problem, rather than a decisional problem such as DDH and DLIN on bilinear maps, with sub-linear public parameter size.


1 Introduction 

Background. Identity-based encryption (IBE) is a generalization of public key encryption (PKE) where the public key of a user can be any arbitrary string such as an e-mail address. The concept of IBE was first proposed by Shamir [Sha85] in 1984, but it took nearly two decades for the first realizations of IBE [SOK00, BF01, Coc01] to appear. Since then, the construction of IBE has been one of the central topics in cryptography. Nowadays, we have constructions of IBEs from assumptions on bilinear maps [BF01, BB04a, BB04b, Wat05, Gen06, Wat09], the quadratic residue assumption [Coc01, BGH07], and from the learning with errors (LWE) assumption [GPV08, CHKP10, ABB10], whose hardness is implied by the worst case reductions to certain lattice problems [Reg05].

One of the most standard security definitions for IBE is adaptive security, often called full security. While it is not quite hard to obtain adaptive security for an IBE in the random oracle model [BF01, Coc01, GPV08], the realization in the standard model is much harder. Roughly speaking, currently there are two general techniques for achieving adaptive security in the standard model: the partitioning technique [BB04b, Wat05] and the dual system encryption methodology [Wat09, LW10]. The latter is very attractive, because it allows us to construct very efficient IBE schemes [CW13, JR13] and even more advanced cryptosystems such as attribute-based encryption [LOS+10] with adaptive security. However, it inherently relies on decisional assumptions on bilinear maps (e.g., SXDH and DLIN) and cannot be extended to proofs based on computational assumptions on bilinear maps (e.g., the computational bilinear Diffie-Hellman (CBDH) assumption) or assumptions on lattices. On the other hand, the application of the former technique is wider. We can construct adaptively secure IBE from the CBDH assumption (by the straightforward combination of the Goldreich-Levin bit [GL89] and Waters IBE [Wat05]) and from the LWE assumption [CHKP10, ABB10, Boy10]. However, IBE schemes constructed from the former approach typically require larger parameters due to the use of Waters' hash [Wat05] or the admissible hash [BB04b, CHKP10]. Very recently, Yamada [Yam16] constructed IBE schemes from lattices based on the partitioning technique with novel ideas that are different from Waters' hash or the admissible hash. His schemes achieve asymptotically shorter public parameters than previous works. One of the drawbacks of the schemes is that they require a super-polynomial size modulus for LWE. As a result, their ciphertexts are longer than those of previous works by a rather large super-constant factor. In addition, they have to assume the hardness of the LWE problem for all polynomial (i.e., $O(n^c)$ for all $c \in \mathbb{N}$) or the more aggressive super-polynomial approximation factor. Though their assumption is plausible, it is much stronger than those used in the previous works, where the hardness of the LWE problem for some fixed polynomial approximation factor (i.e., $O(n^c)$ for some $c \in \mathbb{N}$) is assumed. Furthermore, since he used fully homomorphic computations of trapdoors [BGG+14], a technique unique to the lattice setting, it is a highly non-trivial task to construct analogous schemes in other settings such as bilinear maps.

Our Contribution. In this paper, we focus on the construction of adaptively secure IBE in these settings where the dual system encryption methodology is unavailable. In particular, we propose IBE schemes with shorter public parameters from ring/ideal lattices and from a certain computational assumption (rather than a decisional assumption) on bilinear groups, by extending and adding twists to the techniques of [Yam16]. Specifically, we obtain the following results. See Tables 1 and 2 for the overview.

- We propose an anonymous and adaptively secure IBE scheme from the ring LWE (RLWE) assumption with fixed polynomial approximation factors, which is further reduced to certain worst case problems on ideal lattices. Note that simply instantiating Yamada's scheme using ideal lattices^1 will still require the RLWE assumption for all polynomial approximation factors, which is a much stronger assumption than what we use. As for the efficiency, the sizes of the public parameters, private keys, and ciphertexts in our scheme are $O(n \kappa^{1/d} \log n)$, $O(n \log n)$, and $O(n \log n)$, respectively. Here, $n$ is the dimension of the ring elements, $\kappa$ is the length of the identities, and $d$ is a flexible constant that can be set arbitrarily, but will affect the reduction cost exponentially. We note that all of them achieve the best efficiency among the other adaptively secure IBE from the RLWE assumption in an asymptotic sense. Compared to the ring version of Yamada's scheme, we managed to reduce the poly-logarithmic factors contained in the public parameters, private keys, and ciphertexts.

- We propose a (non-anonymous and) adaptively secure IBE scheme from the 3-computational bilinear Diffie-Hellman exponent (3-CBDHE) assumption. The 3-CBDHE assumption is a weaker variant of the $n$-decisional bilinear Diffie-Hellman exponent ($n$-DBDHE) assumption [BBG05, BGW05, BH08]. The former seems to be a much weaker assumption than the latter in two aspects. First, the former is a computational assumption whereas the latter is a decisional assumption. Second, the former is not a parameterized assumption, in the sense that the size of the problem instance only depends on the security parameter. As for the efficiency, the public parameters, private keys, and ciphertexts in our scheme require group elements. Here, $\kappa$ is the length of the identities. This is the first adaptively secure IBE scheme from a computational assumption on bilinear groups with public parameters consisting of a sub-linear number of group elements in the length of the identities. However, we note that the sizes of the ciphertexts and private keys of our scheme are larger than those of the previous schemes.

We emphasize that our result for the lattice-based construction cannot be obtained through the simple switch to the ring setting in Yamada's scheme. Their proof will still require a super-polynomial-size modulus to work, whereas our new technique allows for a polynomial-size modulus. In addition, the security proof of our scheme requires new ideas that did not appear in [Yam16]. It exploits the commutative properties of the underlying ring elements in an essential way, and involves a more generalized partitioning argument and a careful analysis of the Gaussian error. Refer to Sect. 2 for the technical overview. We note that the public parameters of our second scheme could be further reduced to $O(\kappa^{1/d})$ assuming the $(d+1)$-CBDHE assumption. However, it would come at the cost of even longer ciphertexts and a complicated description of the scheme. This is beyond the scope of our work. We finally remark that the reduction costs for both of our schemes are inadmissible, as was the case in [Yam16]. In fact, the reduction loss for the first scheme is worse than [Yam16]. Improving them is left as an open problem.

Related Works. One way to reduce the size of the public parameters in Waters' hash and its analogue is to use Naccache's approach [Nac07, SRB12]. However,

1 Note that he does not describe nor mention the ring variant of the scheme. However, we can convert his scheme into a ring variant in a straightforward manner as is the case in most previous works [CHKP10, ABB10, Boy10].
with this approach, we are only allowed to reduce the size of public parameters up to a logarithmic factor. Ducas et al. [DLP14] constructed efficient IBE over NTRU lattices in the random oracle model. Gentry [Gen06] proposed adaptively secure IBE with compact parameters from a parameterized (or $q$-type) assumption on bilinear maps. Galindo [Gal10] and Chen et al. [CCZ11] proposed selectively secure CCA-secure IBE schemes from the CBDH assumption.

Note on Recent Works. Here, we mention two important recent related works.

Apon et al. [AFL16] proposed an adaptively secure IBE scheme from lattices whose parameters are very compact, using a collision resistant hash function with output length $\kappa = \omega(\log \lambda)$. Here, $\lambda$ is the security parameter. While their scheme is more efficient than our scheme, we clarify that they implicitly assume exponential security of the collision resistant hash function, which is a stronger assumption than what we use. To demonstrate this, let us set $\kappa = \log^2 \lambda$. If there is no better attack than the birthday attack against the hash function, no PPT adversary can find a collision with more than negligible probability. On the other hand, the existence of even a sub-exponential time attack would compromise the security of the IBE. For example, assume that there exists an attack that finds a collision in time $2^{\sqrt{\kappa}}$. Then, the collision for the hash can be found in linear time in $\lambda$, since $2^{\sqrt{\kappa}} = 2^{\log \lambda} = \lambda$.

In their very recent work, Zhang et al. [ZCZ16] constructed an IBE scheme with poly-logarithmic public parameters. While their scheme achieves better asymptotic space efficiency than our scheme, their scheme is $Q$-bounded, in the sense that the security of the scheme is no longer guaranteed if the adversary obtains more than $Q$ private keys. This restriction cannot be removed by just making $Q$ super-polynomial, because the running time of the encryption algorithm in their scheme is at least linear in $Q$. We note that our scheme is secure against unbounded collusion.

2 Overview of Our Techniques 

2.1 Construction from Ring and Ideal Lattices 

The Yamada IBE. We briefly review the Yamada IBE [Yam16], for our proposed IBE scheme follows their framework and overcomes some of the major problems posed by their construction. Their construction follows the general framework of constructing lattice-based IBE schemes that associates to each identity $\mathsf{ID}$ the matrix $[\mathbf{A} \mid \mathbf{H}(\mathsf{ID})] \in \mathbb{Z}_q^{n \times 2m}$. In previous IBE constructions [ABB10, CHKP10], the function $\mathbf{H}(\mathsf{ID})$ was computed by using the rather long $\kappa$ public matrices $\{\mathbf{B}_i\}_{i \in [\kappa]}$, where $\kappa = O(n)$ is the length of the identities. The main technical contribution of the Yamada IBE was in reducing the number of public matrices to $O(\kappa^{1/d})$ for any constant $d$, and hence reducing the size of the public parameters, by incorporating a primitive called fully homomorphic trapdoor functions. Hereafter, we consider the case $d = 2$ for simplicity. In detail, they used an injective map $S : \{0,1\}^\kappa \to 2^{[\ell] \times [\ell]}$ that maps an identity to a subset of the set $[\ell] \times [\ell]$ where $\ell = \lceil \kappa^{1/2} \rceil$, and computed the function $\mathbf{H}(\mathsf{ID})$ as

$\mathbf{H}(\mathsf{ID}) = \mathbf{B}_0 + \sum_{(i,j) \in S(\mathsf{ID})} \mathbf{B}_{1,i} \cdot \mathbf{G}^{-1}(\mathbf{B}_{2,j})$   (1)

where the number of public matrices $\mathbf{B}_0, \{\mathbf{B}_{i,j}\}_{(i,j) \in [2] \times [\ell]}$ is now reduced to $O(\kappa^{1/2})$. Here, $\mathbf{G}$ is a special gadget matrix whose trapdoor is publicly known [MP12] and $\mathbf{G}^{-1}$ is viewed as a deterministic function rather than a matrix, that maps a matrix $\mathbf{V} \in \mathbb{Z}_q^{n \times m}$ to a matrix $\mathbf{U} \in \{0,1\}^{m \times m}$ such that $\mathbf{G}\mathbf{U} = \mathbf{V} \bmod q$.

During the security proof, the reduction algorithm first prepares random integers $y_0, \{y_{i,j}\}_{(i,j) \in [2] \times [\ell]} \in \mathbb{Z}_q$ from certain domains whose size grows linearly in the number of key extraction queries $Q$ of the adversary. Then, after sampling $\mathbf{R}_0, \{\mathbf{R}_{i,j}\}_{i \in [2], j \in [\ell]} \leftarrow \mathbb{Z}^{m \times m}$ with small spectral norm, the reduction algorithm prepares the public parameters as

$\mathbf{B}_0 = \mathbf{A}\mathbf{R}_0 + y_0 \mathbf{G}, \qquad \mathbf{B}_{i,j} = \mathbf{A}\mathbf{R}_{i,j} + y_{i,j} \mathbf{G}$

for $(i,j) \in [2] \times [\ell]$. Then during the security reduction the hash value for identity $\mathsf{ID}$ in Eq. (1) is computed as

$\mathbf{H}(\mathsf{ID}) = (\mathbf{A}\mathbf{R}_0 + y_0 \mathbf{G}) + \sum_{(i,j) \in S(\mathsf{ID})} (\mathbf{A}\mathbf{R}_{1,i} + y_{1,i}\mathbf{G}) \cdot \mathbf{G}^{-1}(\mathbf{B}_{2,j})$

$= (\mathbf{A}\mathbf{R}_0 + y_0 \mathbf{G}) + \sum_{(i,j) \in S(\mathsf{ID})} (\mathbf{A}\mathbf{R}_{1,i}\mathbf{G}^{-1}(\mathbf{B}_{2,j}) + y_{1,i}\mathbf{B}_{2,j})$

$= (\mathbf{A}\mathbf{R}_0 + y_0 \mathbf{G}) + \sum_{(i,j) \in S(\mathsf{ID})} (\mathbf{A}\mathbf{R}_{1,i}\mathbf{G}^{-1}(\mathbf{B}_{2,j}) + y_{1,i}(\mathbf{A}\mathbf{R}_{2,j} + y_{2,j}\mathbf{G}))$

$= (\mathbf{A}\mathbf{R}_0 + y_0 \mathbf{G}) + \sum_{(i,j) \in S(\mathsf{ID})} (\mathbf{A}\mathbf{R}_{1,i}\mathbf{G}^{-1}(\mathbf{B}_{2,j}) + \mathbf{A}(y_{1,i}\mathbf{R}_{2,j}) + y_{1,i}y_{2,j}\mathbf{G})$

$= \mathbf{A}\mathbf{R}_{\mathsf{ID}} + F_{\mathbf{y}}(\mathsf{ID})\mathbf{G},$   (2)

where $\mathbf{R}_{\mathsf{ID}} := \mathbf{R}_0 + \sum_{(i,j) \in S(\mathsf{ID})} (\mathbf{R}_{1,i}\mathbf{G}^{-1}(\mathbf{B}_{2,j}) + y_{1,i}\mathbf{R}_{2,j})$, which is "small", and $F_{\mathbf{y}}(\mathsf{ID}) := y_0 + \sum_{(i,j) \in S(\mathsf{ID})} y_{1,i}y_{2,j}$.

Observe that we implicitly relied on the fact that $\mathbf{A}$ and $y_{1,i}$ commute. Therefore, the reduction algorithm is able to sample a secret key for $\mathsf{ID}$ using the trapdoor of $\mathbf{G}$ if and only if $F_{\mathbf{y}}(\mathsf{ID}) \neq 0 \bmod q$. Hence, the simulation succeeds when the adversary queries secret keys for $\mathsf{ID}$ satisfying $F_{\mathbf{y}}(\mathsf{ID}) \neq 0 \bmod q$, and queries a challenge ciphertext for $\mathsf{ID}^*$ satisfying $F_{\mathbf{y}}(\mathsf{ID}^*) = 0 \bmod q$, in which case the reduction algorithm can embed its LWE challenge.
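The following is an added example, not code from the paper, that checks the Eq. (2) identity $\mathbf{H}(\mathsf{ID}) = \mathbf{A}\mathbf{R}_{\mathsf{ID}} + F_{\mathbf{y}}(\mathsf{ID})\mathbf{G}$ numerically for the $d = 2$ case: it builds the reduction's public parameters exactly as above, evaluates Eq. (1) honestly, and compares it against the reduction's view. The toy modulus and dimension, the ternary $\mathbf{R}$ matrices, and the concrete injective map $S$ are assumptions made here for readability.

```python
"""Check H(ID) = A R_ID + F_y(ID) G (Eq. 2) for Yamada-style public parameters.

Added example, not the paper's code. Toy parameters (constructed): q = 16, n = 2,
4-bit identities, ternary R matrices, and a simple injective map S.
"""
import random

Q = 16                    # toy modulus q; a power of two makes G^{-1} a plain bit-decomposition
K = Q.bit_length() - 1    # bits per Z_q entry (4)
N = 2                     # toy lattice dimension n
M = N * K                 # m = n * log2(q): G is n x m and G^{-1}(.) returns m x m
ELL = 2                   # ell = ceil(kappa^{1/2}) for kappa = 4-bit identities (d = 2 as in the text)


def zeros(rows, cols):
    return [[0] * cols for _ in range(rows)]


def matmul(a, b):
    """(a * b) mod q for row-major integer matrices."""
    out = zeros(len(a), len(b[0]))
    for i, row in enumerate(a):
        for k, aik in enumerate(row):
            if aik:
                for j, bkj in enumerate(b[k]):
                    out[i][j] = (out[i][j] + aik * bkj) % Q
    return out


def matadd(a, b):
    return [[(x + y) % Q for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def scal(s, a):
    return [[(s * x) % Q for x in row] for row in a]


def gadget():
    """G = I_n (x) (1, 2, 4, ..., 2^{k-1}), an n x m matrix."""
    g = zeros(N, M)
    for i in range(N):
        for b in range(K):
            g[i][i * K + b] = 1 << b
    return g


def g_inv(v):
    """G^{-1}(V): bit-decompose each column of V (n x m) into U in {0,1}^{m x m} with G U = V mod q."""
    u = zeros(M, M)
    for col in range(M):
        for i in range(N):
            val = v[i][col] % Q
            for b in range(K):
                u[i * K + b][col] = (val >> b) & 1
    return u


def rand_matrix(rows, cols, lo, hi):
    return [[random.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]


def subset_of(id_bits):
    """Constructed injective S: {0,1}^kappa -> 2^([ell] x [ell]); bit i*ell+j selects the pair (i, j)."""
    return [(i, j) for i in range(ELL) for j in range(ELL) if id_bits[i * ELL + j]]


def simulate(id_bits, seed=0):
    """Run the reduction's setup; return (H(ID) via Eq. (1), A R_ID + F_y(ID) G, F_y(ID))."""
    random.seed(seed)
    G = gadget()
    A = rand_matrix(N, M, 0, Q - 1)                 # stands in for the LWE matrix A
    R0 = rand_matrix(M, M, -1, 1)                   # small (ternary) trapdoor pieces
    R = {(i, j): rand_matrix(M, M, -1, 1) for i in (1, 2) for j in range(ELL)}
    y0 = random.randint(0, Q - 1)
    y = {(i, j): random.randint(0, Q - 1) for i in (1, 2) for j in range(ELL)}
    B0 = matadd(matmul(A, R0), scal(y0, G))         # B_0 = A R_0 + y_0 G
    B = {key: matadd(matmul(A, R[key]), scal(y[key], G)) for key in R}  # B_{i,j} = A R_{i,j} + y_{i,j} G
    pairs = subset_of(id_bits)
    # Honest evaluation of Eq. (1): H(ID) = B_0 + sum B_{1,i} G^{-1}(B_{2,j})
    H = B0
    for i, j in pairs:
        H = matadd(H, matmul(B[(1, i)], g_inv(B[(2, j)])))
    # Reduction's view, Eq. (2): R_ID = R_0 + sum (R_{1,i} G^{-1}(B_{2,j}) + y_{1,i} R_{2,j}) and
    # F_y(ID) = y_0 + sum y_{1,i} y_{2,j}, computed without any trapdoor for A
    R_id, F = R0, y0
    for i, j in pairs:
        R_id = matadd(R_id, matadd(matmul(R[(1, i)], g_inv(B[(2, j)])), scal(y[(1, i)], R[(2, j)])))
        F = (F + y[(1, i)] * y[(2, j)]) % Q
    return H, matadd(matmul(A, R_id), scal(F, G)), F
```

The two returned matrices agree for every identity and seed; the third value is the $F_{\mathbf{y}}(\mathsf{ID})$ the reduction tests against $0 \bmod q$ before answering a key query.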

Overview of the Construction and Security Proof. The major drawback of the Yamada IBE is that they require the modulus size $q$ to be super-polynomial. This stems from the fact that the size of $y_0, y_{i,j} \in \mathbb{Z}_q$ must grow linearly in the number of adversarial key extraction queries $Q$ for the security proof to be meaningful, i.e., for $\Pr_{\mathbf{y}}[F_{\mathbf{y}}(\mathsf{ID}^*) = 0 \wedge F_{\mathbf{y}}(\mathsf{ID}_1) \neq 0 \wedge \cdots \wedge F_{\mathbf{y}}(\mathsf{ID}_Q) \neq 0]$ to be noticeable in $n$. However, since the size of the $\mathbf{G}$-trapdoor $\mathbf{R}_{\mathsf{ID}}$ used during simulation grows proportionally to the size of $y_{1,i}$ (check above Eq. (2) to see how $\mathbf{R}_{\mathsf{ID}}$ was created), thereby growing proportionally to $Q = \mathrm{poly}(n)$, we need to set the modulus size $q$ to be at least super-polynomial in $n$ for the trapdoor to operate properly. Therefore, if we try to restrict ourselves to a polynomial sized modulus $q$, it seems the best we can achieve is a scheme where we have to set a bound on the number of adversarial key extraction queries before instantiation, i.e., a $Q$-bounded scheme.

In our work, we combine several ideas in a novel way to circumvent the above seemingly inevitable problem. The first idea is to extend the elements $y_0, y_{i,j} \in \mathbb{Z}_q$ to matrices $\mathbf{Y}_0, \mathbf{Y}_{i,j} \in \mathbb{Z}_q^{n \times n}$ so that instead of increasing the size of the element $y \in \mathbb{Z}_q$, we can "pack" small elements in the entries of the matrix $\mathbf{Y} \in \mathbb{Z}_q^{n \times n}$. Namely, since the matrix has $n^2$ entries, if the number of key extraction queries is $Q = n^c$ for some constant $c$, we can always set up the matrix so that $c$ of the entries are packed with elements of size $O(n)$. Since there are $n^2$ entries in total, this allows us to pack the matrix with small entries (e.g., $O(n)$) for arbitrary $Q = \mathrm{poly}(n)$ without the need to increase the modulus size $q$. However, this simple idea alone does not work, since during the security proof to obtain Eq. (2) we crucially relied on the fact that $\mathbf{A}$ and $y_{1,i}$ commute. For our idea to work we need the two matrices $\mathbf{A}$ and $\mathbf{Y}_{1,i}$ to commute; however, in general this does not hold.

To overcome this problem, we introduce our second idea of using the ring structure of ideal lattices. Concretely, we use the special polynomial ring $R = \mathbb{Z}[X]/(X^n + 1)$ to construct our scheme for $n$ a power of 2. The construction itself is exactly the same as the ring analogue of the Yamada IBE; however, our new security proof relies crucially on the underlying ring structure. In detail, the reduction algorithm prepares the public parameters as

$\mathbf{b}_0 = \mathbf{a}\mathbf{R}_0 + y_0 \mathbf{g}, \qquad \mathbf{b}_{i,j} = \mathbf{a}\mathbf{R}_{i,j} + y_{i,j} \mathbf{g}$

for $(i,j) \in [2] \times [\ell]$, where $\mathbf{a}, \mathbf{b}_0, \mathbf{b}_{i,j} \in R_q^k$, $\mathbf{R} \in R^{k \times k}$, $y_0, y_{i,j} \in R_q$ and $\mathbf{g} \in R_q^k$ is the ring analogue of the $\mathbf{G}$-trapdoor. Observe that $y_0, y_{i,j}$ are now elements in $R_q$ instead of $\mathbb{Z}_q$. Although this $y$ is not quite a matrix, this is actually more than enough for us to use the packing technique described above. This can be seen by first noticing the natural isomorphism $R_q \cong \mathbb{Z}_q^n$ induced by the coefficient embedding and viewing $y \in R_q$ as a vector in $\mathbb{Z}_q^n$. Since $y$ has $n$ entries when viewed as a vector, it can support up to $n^n$ queries by packing each entry with small elements of size $O(n)$. Furthermore, the second part of the problem addressed above is naturally resolved, since now that we are working in a ring we get the commutativity of $\mathbf{a}$ and $y_{i,j}$ for free. This key role of commutativity in rings is somewhat reminiscent of the signature scheme of [DM14]. We note that the technique used by [Alp15] (which has also been used in [Xag13]) to extend the results of [DM14] to matrices seems to be inapplicable in our setting. This is because in our setting we need to commute the LWE challenge matrix $\mathbf{A}$ instead of the gadget matrix $\mathbf{G}$, whose associated trapdoor is known. To summarize, by incorporating our second idea, we obtain the ring variant of Eq. (2) and the trapdoor operates as specified. We note that one might be tempted to pack the entries of $y$ with constant size elements, since $2^n$ is still exponential in $n$ and hence $Q(n) < 2^n$. However, the security proof relies heavily on the fact that the density (i.e., the number of entries that are packed) of $y$ is bounded by some constant. Therefore, we must choose the size of the packed elements with care to make the overall scheme secure.

The final idea is carefully crafting a properly distributed challenge ciphertext. To be precise, the main issue is the difficulty of creating a ciphertext whose errors are properly distributed. This problem of generating a properly distributed challenge ciphertext was addressed in [Yam16] as well; however, they used the standard technique called the "smudging" or "noise flooding" technique, which came at the cost of making the modulus size $q$ super-polynomial in $n$. This was not a problem for them, since, as we pointed out earlier, their scheme inherently needed a super-polynomial sized modulus to work. However, this tactic is inapplicable to our setting since we want to restrict ourselves to a polynomial-sized modulus. To overcome this we devise a way to carefully craft the error term, a technique reminiscent of [GPV08, ACPS09]. First, assume we have $F(\mathsf{ID}^*) = 0$ for the challenge identity $\mathsf{ID}^*$ and thus $H(\mathsf{ID}^*) = \mathbf{A}\mathbf{R}_{\mathsf{ID}^*}$. Note that for ease of understanding we explain the technique in the matrix form instead of the ring form. To prove security, we have to embed the LWE challenge $\mathbf{A}$ and $\mathbf{v}$ into the challenge ciphertext, where $\mathbf{v} = \mathbf{s}\mathbf{A} + \mathbf{x}$ or $\mathbf{v}$ is a random vector. One natural way is to set

$$\mathbf{x}_1 = \mathbf{x}, \qquad \mathbf{x}_2 = \mathbf{x}\mathbf{R}_{\mathsf{ID}^*} \tag{3}$$

and compute the challenge ciphertext as

$$\mathbf{s}[\mathbf{A} \mid H(\mathsf{ID}^*)] + [\mathbf{x}_1 \mid \mathbf{x}_2] = [\mathbf{v} \mid \mathbf{v}\mathbf{R}_{\mathsf{ID}^*}].$$

However, one cannot simply use the standard generalized leftover hash lemma for lattices presented in [ABB10], a technique often used in proving such forms. This is because $\mathbf{R}_{\mathsf{ID}^*}$ is not uniformly sampled as in the case of [ABB10], but is instead highly correlated to the values $y_0, \{y_{i,j}\}$ used during the simulation. Alternatively, we present a noise rerandomization technique: we add a small extra noise to Eq. (3) and statistically hide $\mathbf{R}_{\mathsf{ID}^*}$. Namely, we sample noises $\mathbf{e}_1$ and $\mathbf{e}_2$ from a particular Gaussian distribution with variance computed from $\mathbf{R}_{\mathsf{ID}^*}$ and set

$$\mathbf{x}_1 = \mathbf{x} + \mathbf{e}_1, \qquad \mathbf{x}_2 = \mathbf{x}\mathbf{R}_{\mathsf{ID}^*} + \mathbf{e}_2.$$

Thus the challenge ciphertext is created as above by further adding the new noise terms. Although the general idea of this technique has been around since [Reg05, GPV08] and has been used in other contexts, as far as we know this is a nice application of rerandomizing the noise without the need of adding a huge (super-polynomial sized) noise.

An Additional Idea. Working in the ring setting introduces some subtle yet crucial obstacles which we did not have to address before. Namely, for $q$ a prime and $n$ a power of 2, the domain $R_q = \mathbb{Z}[X]/(q, X^n + 1)$ we work in is no longer a field, as it was in the case of $\mathbb{Z}_q$. Additionally, if we use a modulus $q$ such that $q \equiv 1 \bmod 2n$ as in [LPR10, LPR13], the ring $R_q$ completely splits into $n$ fields. In such a ring, each field only contains $q = \mathrm{poly}(n)$ elements, so the Schwartz-Zippel lemma used during our security proof cannot be applied. We get around this by using a modulus $q$ such that $q \equiv 3 \bmod 8$, where it is known that $R_q$ splits into only two fields. Then, since each field now contains $q^{n/2}$ elements and $R_q$ acts roughly as a field, we are able to apply our proof techniques. For the purpose of completeness, we prove the hardness of LWE over such rings by a straightforward combination of previous results. We finally note that we also obtain a nice regularity lemma over such rings, which helps us attain better parameters for the scheme.

We also employ some ideas to further optimize the sizes of the public parameters, secret keys and ciphertexts. Namely, we use the (ring version of the) G-trapdoor where the base is set as $n^{\eta}$ for some positive constant $\eta$. We use $\eta = 1/2$ for our concrete parameter selection. By incorporating this idea, we can further reduce the size of the parameters by a factor of $\log n$. However, this comes at the cost of making the scheme less efficient, since the function $\mathbf{G}^{-1}(\cdot)$ has a slower running time for a larger base.


2.2 Construction from Bilinear Maps

Here, we explain our IBE scheme from bilinear maps. We start with a slightly modified version of the Waters IBE [Wat05] and gradually modify it to obtain our scheme. Let us consider a group $\mathbb{G}$ with prime order $p$ whose generator is $g$. The group is equipped with an efficiently computable bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. The public parameters of the scheme contain the rather long list of $\kappa + 3$ group elements $\{g^{w_i}\}_{i \in [0,\kappa]}$, $g^{\alpha}$, $g^{\beta}$, and a randomness $\mathsf{rand}$ (a bit string) that is used to derive the Goldreich-Levin hardcore bit function $\mathsf{GL}$, which maps a group element (encoded as a bit string) together with $\mathsf{rand}$ to $\{0,1\}$.

The form of the ciphertexts and private keys in the scheme are as follows:

$$C = \bigl(g^{s},\ g^{sH(\mathsf{ID})},\ \mathsf{GL}(e(g^{\alpha}, g^{\beta})^{s}, \mathsf{rand}) \oplus \mathsf{M}\bigr), \qquad \mathsf{sk}_{\mathsf{ID}} = \bigl(g^{\alpha\beta} \cdot g^{rH(\mathsf{ID})},\ g^{-r}\bigr)$$

where $\mathsf{M} \in \{0,1\}$ is the message to be encrypted, and $s$ and $r$ are random elements in $\mathbb{Z}_p$ that are picked during the encryption and key generation algorithms, respectively.

Here, $H : \{0,1\}^{\kappa} \to \mathbb{Z}_p$ is defined as $H(\mathsf{ID}) = w_0 + \sum_{i \in [\kappa]} \mathsf{ID}_i w_i$, where $\mathsf{ID}_i$ is the $i$-th bit of $\mathsf{ID}$. The reason why we use the hardcore bit function is to base the security of the scheme on the computational bilinear Diffie-Hellman (CBDH) assumption, rather than the stronger decisional bilinear Diffie-Hellman (DBDH) assumption which was used to prove the security of the original Waters IBE.

Next, we try to reduce the size of the public parameters using the idea of the Yamada IBE. A natural way to do this would be to introduce the injective map $S : \{0,1\}^{\kappa} \to 2^{[\ell] \times [\ell]}$ with $\ell = \lceil \kappa^{1/2} \rceil$, change the public parameters to be $g^{w_0}, \{g^{w_{i,j}}\}_{(i,j) \in [2] \times [\ell]}$, and modify the function $H$ as

$$H(\mathsf{ID}) = w_0 + \sum_{(i,j) \in S(\mathsf{ID})} w_{1,i}\, w_{2,j}.$$

Through this change, we can reduce the size of the public parameters from $O(\kappa)$ group elements to $O(\sqrt{\kappa})$, just as in [Yam16]. However, we come across an immediate problem: we cannot efficiently compute $g^{sH(\mathsf{ID})}$ from the public parameters! A straightforward solution to this problem is to put "helper" terms $\{g^{w_{1,i} w_{2,j}}\}_{(i,j)}$ into the public parameters. However, this makes the size of the public parameters large again.

Our solution to this problem is to rely on the Boneh-Boyen technique [BB04a] to compute something similar to the problematic term. Namely, we compute

$$g^{\,sH(\mathsf{ID}) + \sum_{j \in [\ell]} t_j w_{2,j}} \tag{4}$$

instead of computing only $g^{sH(\mathsf{ID})}$. Here, $\{t_j\}$ are additional randomness introduced by the encryption algorithm. Accordingly, we change the form of the ciphertexts and private keys of our scheme as follows:

$$C = \Bigl(g^{s},\ g^{\,sH(\mathsf{ID}) + \sum_{j \in [\ell]} t_j w_{2,j}},\ \{g^{t_j}\}_{j \in [\ell]},\ \mathsf{GL}(e(g^{\alpha}, g^{\beta})^{s}, \mathsf{rand}) \oplus \mathsf{M}\Bigr),$$
$$\mathsf{sk}_{\mathsf{ID}} = \Bigl(g^{\alpha\beta} \cdot g^{rH(\mathsf{ID})},\ g^{-r},\ \{g^{r w_{2,j}}\}_{j \in [\ell]}\Bigr). \tag{5}$$

Note that although the size of the public parameters is smaller than in the original scheme, the sizes of the ciphertexts and private keys are larger due to the additional terms. We now show that one can efficiently compute the ciphertext. In particular, we show that it is possible to generate the term in Eq. (4). To see this, let us introduce the variables $\{\tilde{t}_j\}$ such that

$$t_j := \tilde{t}_j - s \sum_{i \in \{i \in [1,\ell] \mid (i,j) \in S(\mathsf{ID})\}} w_{1,i}. \tag{6}$$

Then, we have

$$\begin{aligned}
sH(\mathsf{ID}) + \sum_{j \in [\ell]} t_j w_{2,j}
&= sH(\mathsf{ID}) + \sum_{j \in [\ell]} w_{2,j} \Bigl( \tilde{t}_j - s \sum_{i \in \{i \in [1,\ell] \mid (i,j) \in S(\mathsf{ID})\}} w_{1,i} \Bigr) \\
&= sH(\mathsf{ID}) + \sum_{j \in [\ell]} w_{2,j}\,\tilde{t}_j - s \sum_{j \in [\ell]} \ \sum_{i \in \{i \in [1,\ell] \mid (i,j) \in S(\mathsf{ID})\}} w_{1,i}\, w_{2,j} \\
&= s w_0 + s \sum_{(i,j) \in S(\mathsf{ID})} w_{1,i}\, w_{2,j} + \sum_{j \in [\ell]} w_{2,j}\,\tilde{t}_j - s \sum_{(i,j) \in S(\mathsf{ID})} w_{1,i}\, w_{2,j} \\
&= s w_0 + \sum_{j \in [\ell]} w_{2,j}\,\tilde{t}_j.
\end{aligned} \tag{7}$$

Since Eqs. (6) and (7) are linear in $w_0, w_{i,j}$, it can be seen that the term in Eq. (4) can be computed efficiently, as desired.


Partitioning via Non-linear Polynomial Functions 691 


By substituting $t_j$ in Eq. (5) with the right-hand side of Eq. (4), we obtain our final scheme. As for the security, we can prove the adaptive security of the scheme from the 3-computational bilinear Diffie-Hellman exponent (3-CBDHE) assumption. We need to rely on this assumption, which is stronger than the standard CBDH assumption, because of the different algebraic structure introduced by the modified Waters IBE.

3 Preliminaries 

Due to the space limitation, most of the proofs for the lemmas presented in this paper are omitted. For the full proofs, refer to our full version.

Notations. We use non-italic bold lowercase letters (e.g., $\mathbf{v}$) for vectors with entries in $\mathbb{R}$ and italic bold lowercase letters (e.g., $\boldsymbol{v}$) for vectors with entries in rings or number fields. We view vectors in row form unless stated otherwise. Matrices are denoted by uppercase bold letters analogously. For a vector $\mathbf{v} \in \mathbb{R}^n$, denote $\|\mathbf{v}\|_p$ as the $L_p$-norm, where $p = 2$ is the standard Euclidean norm. For a matrix $\mathbf{R} \in \mathbb{R}^{n \times n}$, denote $\|\mathbf{R}\|_{\mathrm{GS}}$ as the longest column of the Gram-Schmidt orthogonalization of $\mathbf{R}$ and denote $s_1(\mathbf{R})$ as the largest singular value (spectral norm). We denote $[\cdot \mid \cdot]$ (resp. $[\cdot ; \cdot]$) as the horizontal (resp. vertical) concatenation of vectors and matrices. We denote $[a, b]$ as the set $\{a, a+1, \ldots, b-1, b\}$ for any integers $a, b \in \mathbb{N}$ satisfying $a \le b$, and for simplicity write $[b]$ for the special case $a = 1$. For a (quotient) polynomial ring $R$ over $\mathbb{Z}$, we denote $[-b, b]_R \subset R$ as the set of elements in $R$ with all coefficients in the interval $[-b, b]$. The statistical distance between two random variables $X$ and $Y$ with support $\Omega$ is defined as $\Delta(X; Y) = \frac{1}{2} \sum_{\omega \in \Omega} \bigl|\Pr[X = \omega] - \Pr[Y = \omega]\bigr|$. A function $f : \mathbb{N} \to \mathbb{R}_{\ge 0}$ is said to be negligible if for all $c$ there exists $\lambda_0$ such that $f(\lambda) < 1/\lambda^c$ for all $\lambda > \lambda_0$. We denote by $\mathrm{negl}(\lambda)$ a negligible function in $\lambda$.


3.1 Identity-Based Encryption 

We use the standard syntax of IBE [BF01]. We briefly recall the security notions of IBEs and refer to the full version for the exact definitions. In our paper, we define two security notions: adaptive security and adaptively-anonymous security. The former, adaptive security, is the standard notion for IBEs as in [Wat05]. The latter, adaptively-anonymous security, is a notion that additionally requires the ciphertext to be indistinguishable from random. The term anonymous captures the fact that the ciphertext does not reveal the identity to which it was sent. Furthermore, we use two random variables $\mathsf{coin}$ and $\widehat{\mathsf{coin}}$ in $\{0,1\}$ for defining the security of IBEs: $\mathsf{coin}$ refers to the random value chosen by the challenger at the beginning of the security game and $\widehat{\mathsf{coin}}$ refers to the random value output by the adversary at the end of the game. We provide a general statement concerning $\mathsf{coin}$ and $\widehat{\mathsf{coin}}$ in Sect. 3.4.
3.2 Lattices and Gaussian Distributions

An $n$-dimensional (full rank) lattice $\Lambda \subset \mathbb{R}^n$ is the set of all integer linear combinations of some set of $n$ linearly independent basis vectors $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\} \subset \mathbb{R}^n$, $\Lambda = \{\sum_{i \in [n]} z_i \mathbf{b}_i \mid z_i \in \mathbb{Z}\}$. For positive integers $q, n, m$, a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a vector $\mathbf{u} \in \mathbb{Z}_q^n$, the $m$-dimensional "shifted" integer lattice is defined as $\Lambda_{\mathbf{u}}^{\perp}(\mathbf{A}) = \{\mathbf{z} \in \mathbb{Z}^m \mid \mathbf{A}\mathbf{z}^T = \mathbf{u}^T \bmod q\}$. We simply write $\Lambda^{\perp}(\mathbf{A})$ in case $\mathbf{u} = \mathbf{0}$.

For $s > 0$, the $n$-dimensional Gaussian function $\rho_s : \mathbb{R}^n \to (0, 1]$ is defined as $\rho_s(\mathbf{x}) = \exp(-\pi \|\mathbf{x}\|_2^2 / s^2)$. The (spherical) continuous Gaussian distribution $D_s$ over $\mathbb{R}^n$ is the distribution with density function proportional to $\rho_s$. When the dimension $n$ is not clear from context, we explicitly write it as $D_s^n$. More generally, for any matrix $\mathbf{B} \in \mathbb{R}^{n \times m}$, denote $D_{\mathbf{B}}$ as the distribution of $\mathbf{x}\mathbf{B}^T$ where $\mathbf{x}$ is distributed as $D_1^m$. A well known fact is that for any two matrices $\mathbf{B}_1, \mathbf{B}_2$, the sum of independent samples from $D_{\mathbf{B}_1}$ and $D_{\mathbf{B}_2}$ is distributed as $D_{\mathbf{C}}$ where $\mathbf{C} = (\mathbf{B}_1 \mathbf{B}_1^T + \mathbf{B}_2 \mathbf{B}_2^T)^{1/2}$.

For an $n$-dimensional lattice $\Lambda$ and a vector $\mathbf{u} \in \mathbb{R}^n$, the discrete Gaussian distribution $D_{\Lambda + \mathbf{u}, s}$ over the coset $\Lambda + \mathbf{u}$ is defined as $D_{\Lambda + \mathbf{u}, s}(\mathbf{x}) = \rho_s(\mathbf{x}) / \rho_s(\Lambda + \mathbf{u})$ for all $\mathbf{x} \in \Lambda + \mathbf{u}$. We also define the discrete Gaussian distribution over a (quotient) polynomial ring $R$ in $X$ over $\mathbb{R}$. The discrete Gaussian distribution $D_{\Lambda + \mathbf{u}, s}$ over $R$ is the distribution of $a = \sum_{i=0}^{n-1} a_i X^i \in R$ where the coefficient vector $[a_0, \ldots, a_{n-1}] \in \mathbb{R}^n$ is sampled from the discrete Gaussian distribution $D_{\Lambda + \mathbf{u}, s}$. This definition naturally extends to vectors $\boldsymbol{a} \in R^k$ in case of $nk$-dimensional lattices.

The following lemma on noise rerandomization plays an important role in the security proof of our scheme when creating a properly distributed challenge ciphertext. It allows us to simulate the challenge ciphertext without resorting to the noise flooding technique as in [Yam16]. Namely, during simulation we set $\ell = 2m$, $\mathbf{V} = [\mathbf{I}_m \mid \mathbf{R}_{\mathsf{ID}}]$ and $\mathbf{b} + \mathbf{x}$ as the LWE challenge (note that we view the LWE challenge in a slightly different way than usual).

Lemma 1 (Noise Rerandomization). Let $q, \ell, m, n$ be positive integers and $r$ a positive real satisfying $r > \max\{\omega(\sqrt{\log m}), \omega(\sqrt{\log \ell})\}$. Let $\mathbf{b} \in \mathbb{Z}_q^m$ be arbitrary and $\mathbf{x}$ chosen from $D_{\mathbb{Z}^m, r}$. Then for any $\mathbf{V} \in \mathbb{Z}^{m \times \ell}$ and positive real $\sigma > s_1(\mathbf{V})$, there exists a PPT algorithm $\mathsf{ReRand}(\mathbf{V}, \mathbf{b} + \mathbf{x}, r, \sigma)$ that outputs $\mathbf{b}' = \mathbf{b}\mathbf{V} + \mathbf{x}' \in \mathbb{Z}_q^{\ell}$ where $\mathbf{x}'$ is distributed statistically close to


3.3 Rings and Ideal Lattices 

We try to provide a minimal exposition of rings and ideal lattices to keep the paper self-contained. For further details see the full version or refer to other works [LPR10, LPR13].

Preparation. Let $n$ be a power of 2 and set $m = 2n$. Define the ring $R = \mathbb{Z}[X]/(\Phi_m(X))$, where $\Phi_m(X) = X^n + 1$ is the $m$-th cyclotomic polynomial. For an integer $q$, denote $R_q$ as $R/qR = \mathbb{Z}[X]/(q, \Phi_m(X))$. By viewing the elements in $R$ as degree $n-1$ polynomials in $\mathbb{Z}[X]$, we can consider a natural coefficient embedding of $R$ onto the integer lattice $\mathbb{Z}^n$. Namely, we define the coefficient embedding $\phi : R \to \mathbb{Z}^n$ that maps $a = \sum_{i=0}^{n-1} a_i X^i \in R$ to $[a_0, a_1, \ldots, a_{n-1}] \in \mathbb{Z}^n$. We extend the coefficient embedding naturally to vectors and matrices. On the other hand, we can also identify $R$ as the subring of anti-circulant matrices in $\mathbb{Z}^{n \times n}$ by viewing each ring element $a \in R$ as a linear transformation $r \mapsto a \cdot r$ of $R$. Concretely, we define the ring homomorphism $\mathrm{rot} : R \to \mathbb{Z}^{n \times n}$ that sends $a \in R$ to the matrix in $\mathbb{Z}^{n \times n}$ whose $i$-th row is $\phi(a \cdot X^{i-1} \bmod \Phi_m(X)) \in \mathbb{Z}^n$. Note that the first row of $\mathrm{rot}(a)$ is $\phi(a)$. Similarly to above, the definition of the map $\mathrm{rot}$ naturally extends to vectors and matrices.

Norms in $R$. We define the Euclidean length for an element $a \in R$ and a vector $\boldsymbol{v} \in R^k$ by identifying $R$ with $\mathbb{Z}^n$ through the coefficient embedding.^2 Therefore, when we say a vector $\boldsymbol{v}$ in $R^k$ is "short", we mean that $\|\phi(\boldsymbol{v})\|_2$ is small. We also define the largest singular value of a matrix $\mathbf{R} \in R^{s \times t}$ by identifying the ring $R$ with $\mathbb{Z}^{n \times n}$ through the map $\mathrm{rot}$.^3 Namely, $s_1(\mathbf{R}) := \max_{\|\mathbf{z}\|_2 = 1} \|\mathbf{z} \cdot \mathrm{rot}(\mathbf{R})\|_2$. Note that this definition allows us to consider singular values of an element in $R$ as well.

Properties for Elements in $R$. As with matrices with entries in $\mathbb{R}$, we have similar singular value bounds for matrices with elements in $R$. Namely, we can bound the singular value of a random matrix chosen from $[-b, b]_R^{s \times t}$. Recall that an element of $[-b, b]_R$ is an element in $R$ with all of its coefficients in the interval $[-b, b]$.

Lemma 2 ([DM15], Special case of Fact 1). Let $b$ be a positive integer and $\mathbf{R}$ be an $s \times t$ matrix chosen uniformly at random from $[-b, b]_R^{s \times t}$. Then, there exists a universal constant $C\,(\approx 1/\sqrt{2\pi})$ such that

$$\Pr\bigl[s_1(\mathbf{R}) > C \cdot b\sqrt{n} \cdot (\sqrt{s} + \sqrt{t} + \omega(\sqrt{\log n}))\bigr] = \mathrm{negl}(n).$$

We note that similarly to matrices with entries in $\mathbb{R}$, we have $s_1(\mathbf{R}_1 \mathbf{R}_2) \le s_1(\mathbf{R}_1)\, s_1(\mathbf{R}_2)$ for all $\mathbf{R}_1, \mathbf{R}_2 \in R^{k \times k}$, which follows from the fact that $\mathrm{rot}$ is a ring homomorphism. Furthermore, it also holds when $\mathbf{R}_1$ is replaced by an element $a$ in $R$.

Regularity Lemma. The first of the two lemmas below shows that there exists a quotient ring $R_q = R/(q, \Phi_m(X))$ that acts roughly as a field, or in other words, $R_q$ has exponentially many invertible elements. The second is a ring analogue of the standard lattice regularity lemma.

Lemma 3. Let $q$ be a prime such that $q \equiv 3 \bmod 8$ and $n$ be a power of 2. Then, $\Phi_{2n}(X) = X^n + 1$ splits as $X^n + 1 = t_1 t_2 \bmod q$ for two irreducible polynomials $t_1 = X^{n/2} + uX^{n/4} - 1$ and $t_2 = X^{n/2} - uX^{n/4} - 1$ in $\mathbb{Z}_q[X]$, where $u^2 = -2 \bmod q$. Furthermore, all $x \in R_q$ satisfying $\|\phi(x)\|_2 < \sqrt{q}$ are invertible, i.e., $x \in R_q^*$.

^2 We could have identified the Euclidean length by the canonical embedding as done in other works. However, for our special case where $n$ is a power of 2, the lengths are equivalent up to a factor of $\sqrt{n}$.

^3 For the special case where $n$ is a power of 2, $s_1(\mathbf{R})$ defined by the coefficient and canonical embeddings are both equivalent to the one defined by the map $\mathrm{rot}$.
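As an added example (not the paper's code), the following Python script carries out Lemma 3 in small constructed parameters: it builds $t_1, t_2$ from $u^2 = -2 \bmod q$, checks $t_1 t_2 = X^n + 1$ over $\mathbb{Z}_q$, contrasts the number of roots of $X^n + 1$ for $q \equiv 1 \bmod 2n$ and $q \equiv 3 \bmod 8$ (the two regimes discussed in Sect. 2.1), and tests invertibility of a short element via its residues modulo $t_1$ and $t_2$. All polynomial arithmetic is written out, so it runs with the standard library only.

```python
# Added example, not from the paper: arithmetic in R_q = Z_q[X]/(X^n + 1) illustrating
# Lemma 3. Constructed parameters: n = 8 (or 16) with q = 11 and q = 19 (both 3 mod 8)
# versus q = 17 (1 mod 2n). Polynomials are lists of coefficients in Z_q, lowest degree first.

def poly_trim(a):
    """Drop leading zero coefficients (keep at least one entry)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, q):
    """Product over Z_q (no reduction modulo X^n + 1)."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return poly_trim(res)

def poly_rem(a, m, q):
    """Remainder of a modulo a monic polynomial m over Z_q."""
    a = [c % q for c in a]
    dm = len(m) - 1
    for i in range(len(a) - 1, dm - 1, -1):
        coef = a[i]
        if coef:
            for j in range(dm + 1):
                a[i - dm + j] = (a[i - dm + j] - coef * m[j]) % q
    return poly_trim(a[:dm]) if len(a) > dm else poly_trim(a)

def sqrt_of_minus_two(q):
    """Smallest u with u^2 = -2 mod q; it exists exactly when q = 1 or 3 mod 8."""
    for u in range(1, q):
        if (u * u) % q == (q - 2) % q:
            return u
    return None

def split_factors(n, q):
    """Lemma 3: t1 = X^{n/2} + u X^{n/4} - 1 and t2 = X^{n/2} - u X^{n/4} - 1 (n >= 4)."""
    u = sqrt_of_minus_two(q)
    t1, t2 = [0] * (n // 2 + 1), [0] * (n // 2 + 1)
    t1[0] = t2[0] = (-1) % q
    t1[n // 4], t2[n // 4] = u, (-u) % q
    t1[n // 2] = t2[n // 2] = 1
    return t1, t2

def check_lemma3_split(n, q):
    """Is t1 * t2 equal to X^n + 1 over Z_q?"""
    t1, t2 = split_factors(n, q)
    return poly_mul(t1, t2, q) == [1] + [0] * (n - 1) + [1]

def count_roots(n, q):
    """Roots of X^n + 1 in Z_q: n of them when q = 1 mod 2n (full splitting into n fields
    of size q), none when q = 3 mod 8 and n >= 4 (only the two factors of Lemma 3)."""
    return sum(1 for x in range(q) if (pow(x, n, q) + 1) % q == 0)

def is_invertible(x, n, q):
    """x in R_q is a unit iff it is non-zero modulo both irreducible factors, since by the
    CRT R_q = Z_q[X]/(t1) x Z_q[X]/(t2) is a product of two fields of size q^{n/2}."""
    t1, t2 = split_factors(n, q)
    return poly_rem(x, t1, q) != [0] and poly_rem(x, t2, q) != [0]

def l2_norm_sq(x, q):
    """||phi(x)||_2^2 with coefficients taken as centred representatives in (-q/2, q/2]."""
    return sum((c - q if c > q // 2 else c) ** 2 for c in x)

if __name__ == "__main__":
    print("t1*t2 == X^8+1 mod 11:", check_lemma3_split(8, 11))
    print("roots of X^8+1 mod 11 / mod 17:", count_roots(8, 11), count_roots(8, 17))
    t1, _ = split_factors(8, 11)
    print("1+X+X^3 invertible:", is_invertible([1, 1, 0, 1], 8, 11),
          " t1 invertible:", is_invertible(t1, 8, 11))
```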
Lemma 4 (Regularity Lemma). Let $n$ be a power of 2, $q$ be a prime larger than $4n$ such that $q \equiv 3 \bmod 8$, and $\ell, k', k, p$ be positive integers satisfying $\ell, k' \ge 1$, $k \ge 2$, $p < \frac{1}{2}\sqrt{q/n}$. Define the family of hash functions $\mathcal{H} = \{H_{\mathbf{A}}(\mathbf{X}) : [-p, p]_R^{k \times \ell} \to R_q^{k' \times \ell}\}$, where $H_{\mathbf{A}}(\mathbf{X}) = \mathbf{A}\mathbf{X}$ for $\mathbf{A} \in R_q^{k' \times k}$, $\mathbf{X} \in R^{k \times \ell}$. Then, $\mathcal{H}$ is a universal hash family. Furthermore, for $\mathbf{A} \leftarrow R_q^{k' \times k}$ and $\mathbf{X} \leftarrow [-p, p]_R^{k \times \ell}$, we have

mA.AX) ; (A, [/«>■'))) < I- sj JF tTJ' 

Ring Learning with Errors. The ring LWE problem was introduced by Lyubashevsky et al. [LPR10]. They showed that solving it on average is as hard as (quantumly) solving several standard problems on ideal lattices in the worst case.

Definition 1 (RLWE). For positive integers $n = n(\lambda)$, $k = k(n)$, a prime integer $q = q(n) > 2$, an error distribution $\chi = \chi(n)$ over $R_q$, and a PPT algorithm $\mathcal{A}$, the advantage for the RLWE problem $\mathsf{RLWE}_{n,k,q,\chi}$ of $\mathcal{A}$ is defined as follows:

$$\mathsf{Adv}_{\mathcal{A}}^{\mathsf{RLWE}_{n,k,q,\chi}} = \Bigl|\Pr\bigl[\mathcal{A}(\{(a_i, v_i)\}_{i=1}^{k}) \to 1\bigr] - \Pr\bigl[\mathcal{A}(\{(a_i, a_i s + e_i)\}_{i=1}^{k}) \to 1\bigr]\Bigr|$$

where $a_1, \ldots, a_k, v_1, \ldots, v_k, s \leftarrow R_q$ and $e_1, \ldots, e_k \leftarrow \chi$. We say that the $\mathsf{RLWE}_{n,k,q,\chi}$ assumption holds if $\mathsf{Adv}_{\mathcal{A}}^{\mathsf{RLWE}_{n,k,q,\chi}}$ is negligible for all PPT $\mathcal{A}$.

Theorem 1. Let $\alpha$ be a positive real, $m$ be a power of 2, $k$ be an integer, $\Phi_m(X) = X^n + 1$ be the $m$-th cyclotomic polynomial where $m = 2n$, and $R = \mathbb{Z}[X]/(\Phi_m(X))$. Let $q \equiv 3 \bmod 8$ be a (polynomial size) prime such that there is another prime $p \equiv 1 \bmod m$ satisfying $p < q < 2p$ and $\alpha q > n^{3/2} k^{1/4}\, \omega(\log^{9/4} n)$. Then, there is a probabilistic polynomial-time quantum reduction from $O(\sqrt{n}/\alpha)$-approximate SIVP (or SVP) to $\mathsf{RLWE}_{n,k,q,\chi}$ with $\chi =$

The proof is obtained by a straightforward combination of previous results [LPR10, LS15]. Due to Linnik's theorem and Dirichlet's theorem on arithmetic progressions, there are sufficiently many primes $p$ and $q$ satisfying the assumption of the theorem.

Trapdoors for Rings. Define the gadget matrix $\boldsymbol{g}_b = [1 \mid b \mid \cdots \mid b^{k'-1} \mid 0 \mid \cdots \mid 0] \in R_q^k$, where $b$ is a positive integer and $k \ge k' = \lceil \log_b q \rceil$. When $k = k'$ and $b = 2$, this corresponds to the matrix representation of the gadget matrix $\mathbf{G} \in \mathbb{Z}_q^{n \times nk}$ often used in the literature, by properly rearranging the rows and columns of $\mathrm{rot}(\boldsymbol{g}_2)$. The following algorithms are simple modifications of traditional lattice-based algorithms.

Lemma 5. Let $n$ be a power of 2, $q$ be a prime larger than $4n$ such that $q \equiv 3 \bmod 8$, and $b, p$ be positive integers satisfying $p < \frac{1}{2}\sqrt{q/n}$. Furthermore, define $\log_1(\cdot) := \log_2(\cdot)$. Then, there exist polynomial time algorithms with the properties below:

- $\mathsf{TrapGen}(1^n, 1^k, q, p) \to (\boldsymbol{a}, \mathbf{T}_{\boldsymbol{a}})$ ([MP12], Lemma 5.3): a randomized algorithm that, when $k \ge 2 \log_p q$, outputs a vector $\boldsymbol{a} \in R_q^k$ and a matrix $\mathbf{T}_{\boldsymbol{a}} \in R^{k \times k}$, where $\mathrm{rot}(\boldsymbol{a}^T)^T \in \mathbb{Z}_q^{n \times nk}$ is a full-rank matrix and $\mathrm{rot}(\mathbf{T}_{\boldsymbol{a}}) \in \mathbb{Z}^{nk \times nk}$ is a basis for $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{a}^T)^T)$, such that $\boldsymbol{a}$ is $\mathrm{negl}(n)$-close to uniform and $\|\mathrm{rot}(\mathbf{T}_{\boldsymbol{a}})\|_{\mathrm{GS}} = O(bp \cdot \sqrt{n \log_p q})$.^4

- $\mathsf{SampleLeft}(\boldsymbol{a}, \boldsymbol{b}, u, \mathbf{T}_{\boldsymbol{a}}, \sigma) \to \boldsymbol{e}$ ([CHKP10]): a randomized algorithm that, given vectors $\boldsymbol{a}, \boldsymbol{b} \in R_q^k$ where $\mathrm{rot}(\boldsymbol{a}^T)^T, \mathrm{rot}(\boldsymbol{b}^T)^T \in \mathbb{Z}_q^{n \times nk}$ are full-rank, an element $u \in R_q$, a matrix $\mathbf{T}_{\boldsymbol{a}} \in R^{k \times k}$ such that $\mathrm{rot}(\mathbf{T}_{\boldsymbol{a}}) \in \mathbb{Z}^{nk \times nk}$ is a basis for $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{a}^T)^T)$, and a Gaussian parameter $\sigma > \|\mathrm{rot}(\mathbf{T}_{\boldsymbol{a}})\|_{\mathrm{GS}} \cdot \omega(\sqrt{\log nk})$, outputs a vector $\boldsymbol{e} \in R^{2k}$ sampled from a distribution which is $\mathrm{negl}(n)$-close to $D_{\Lambda^{\perp}_{\phi(u)}([\mathrm{rot}(\boldsymbol{a}^T)^T \mid \mathrm{rot}(\boldsymbol{b}^T)^T]),\, \sigma}$; i.e., $[\boldsymbol{a} \mid \boldsymbol{b}]\boldsymbol{e}^T = u$ and $\phi(\boldsymbol{e}) \in \mathbb{Z}^{2nk}$ is distributed according to $D_{\Lambda^{\perp}_{\phi(u)}([\mathrm{rot}(\boldsymbol{a}^T)^T \mid \mathrm{rot}(\boldsymbol{b}^T)^T]),\, \sigma}$.

- $\mathsf{SampleRight}(\boldsymbol{a}, \boldsymbol{g}_b, \mathbf{R}, y, u, \mathbf{T}_{\boldsymbol{g}_b}, \sigma) \to \boldsymbol{e}$ where $\boldsymbol{b} = \boldsymbol{a}\mathbf{R} + y\boldsymbol{g}_b$ ([ABB10]): a randomized algorithm that, given vectors $\boldsymbol{a}, \boldsymbol{g}_b \in R_q^k$ such that $\mathrm{rot}(\boldsymbol{a}^T)^T, \mathrm{rot}(\boldsymbol{g}_b)$^5 $\in \mathbb{Z}_q^{n \times nk}$ are full-rank matrices, elements $y \in R_q^*$, $u \in R_q$, a matrix $\mathbf{R} \in R^{k \times k}$, a matrix $\mathbf{T}_{\boldsymbol{g}_b} \in R^{k \times k}$ such that $\mathrm{rot}(\mathbf{T}_{\boldsymbol{g}_b}) \in \mathbb{Z}^{nk \times nk}$ is a basis for $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{g}_b))$, and a Gaussian parameter $\sigma > s_1(\mathbf{R}) \cdot \|\mathrm{rot}(\mathbf{T}_{\boldsymbol{g}_b})\|_{\mathrm{GS}} \cdot \omega(\sqrt{\log nk})$, outputs a vector $\boldsymbol{e} \in R^{2k}$ sampled from a distribution which is $\mathrm{negl}(n)$-close to $D_{\Lambda^{\perp}_{\phi(u)}([\mathrm{rot}(\boldsymbol{a}^T)^T \mid \mathrm{rot}(\boldsymbol{b}^T)^T]),\, \sigma}$; i.e., $[\boldsymbol{a} \mid \boldsymbol{b}]\boldsymbol{e}^T = u$ and $\phi(\boldsymbol{e}) \in \mathbb{Z}^{2nk}$ is distributed according to $D_{\Lambda^{\perp}_{\phi(u)}([\mathrm{rot}(\boldsymbol{a}^T)^T \mid \mathrm{rot}(\boldsymbol{b}^T)^T]),\, \sigma}$.

- ([MP12]) Let $k \ge \lceil \log_b q \rceil$. There exists a publicly known matrix $\mathbf{T}_{\boldsymbol{g}_b}$ such that $\mathrm{rot}(\mathbf{T}_{\boldsymbol{g}_b}) \in \mathbb{Z}^{nk \times nk}$ is a basis for the lattice $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{g}_b))$ and $\|\mathrm{rot}(\mathbf{T}_{\boldsymbol{g}_b})\|_{\mathrm{GS}} \le \sqrt{b^2 + 1}$. Furthermore, there exists a deterministic polynomial time algorithm $\boldsymbol{g}_b^{-1}$ which takes as input $\boldsymbol{u} \in R_q^k$ and outputs $\mathbf{R} = \boldsymbol{g}_b^{-1}(\boldsymbol{u})$ such that $\mathbf{R} \in [-b, b]_R^{k \times k}$ and $\boldsymbol{g}_b\mathbf{R} = \boldsymbol{u}$.

Note that we abuse the notation $\boldsymbol{g}_b^{-1}$ by viewing it as a function rather than a vector. Namely, for any $\boldsymbol{u} \in R_q^k$ there are many choices for $\mathbf{R} \in R^{k \times k}$ such that $\boldsymbol{g}_b\mathbf{R} = \boldsymbol{u}$, and $\boldsymbol{g}_b^{-1}(\boldsymbol{u})$ is a function that deterministically outputs a particular short matrix from the possible candidates. Since we have $s_1(\mathbf{R}) \le b \cdot nk$ for any $\mathbf{R} \in [-b, b]_R^{k \times k}$, $s_1(\boldsymbol{g}_b^{-1}(\boldsymbol{u})) \le bnk$ holds for arbitrary $\boldsymbol{u} \in R_q^k$.

Homomorphic Computation. Let $d$ be a natural number. We introduce the function $\mathsf{PubEval}_d : (R_q^k)^d \to R_q^k$ as in [Yam16], which takes a set of vectors $\boldsymbol{b}_1, \boldsymbol{b}_2, \ldots, \boldsymbol{b}_d \in R_q^k$ as inputs and outputs a vector in $R_q^k$. This function will be used to hash identities to $R_q^k$ in our lattice-based IBE construction. The function is defined recursively as follows:

$$\mathsf{PubEval}_d(\boldsymbol{b}_1, \ldots, \boldsymbol{b}_d) = \begin{cases} \boldsymbol{b}_1 & \text{if } d = 1, \\[2pt] \boldsymbol{b}_1 \cdot \boldsymbol{g}_b^{-1}\bigl(\mathsf{PubEval}_{d-1}(\boldsymbol{b}_2, \ldots, \boldsymbol{b}_d)\bigr) & \text{if } d \ge 2. \end{cases}$$

^4 We combine several lemmas from [MP12] and the regularity lemma (Lemma 4) to show correctness of $\mathsf{TrapGen}$. See the full version for further detail. Further, the unusual lattice $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{a}^T)^T)$ is used only to be consistent with the other algorithms. Namely, we could have instead defined the trapdoor for the lattice $\Lambda^{\perp}(\mathrm{rot}(\boldsymbol{a}))$.

^5 We have $\mathrm{rot}(\boldsymbol{g}_b^T)^T = \mathrm{rot}(\boldsymbol{g}_b)$ since all the entries of $\boldsymbol{g}_b$ are integers.
Lemma 6. Let $y_1, \ldots, y_d$ be elements in $R$, $\boldsymbol{a}, \boldsymbol{b}_1, \ldots, \boldsymbol{b}_d$ be vectors in $R_q^k$ and $\mathbf{R}_1, \ldots, \mathbf{R}_d$ be matrices in $R^{k \times k}$ such that $\boldsymbol{b}_i = \boldsymbol{a}\mathbf{R}_i + y_i\boldsymbol{g}_b$ for $i \in [d]$. Furthermore, we assume that $s_1(\mathbf{R}_i) \le B$ and $\|\phi(y_i)\|_1 \le \delta$ for $i \in [d]$. Then there exists an efficient algorithm $\mathsf{TrapEval}_d$ that takes $\mathbf{R}_1, \ldots, \mathbf{R}_d, y_1, \ldots, y_d$ as inputs and outputs $\mathbf{R}' \in R^{k \times k}$ such that

$$\mathsf{PubEval}_d(\boldsymbol{b}_1, \ldots, \boldsymbol{b}_d) = \boldsymbol{a}\mathbf{R}' + y_1 \cdots y_d\, \boldsymbol{g}_b \in R_q^k$$

and $s_1(\mathbf{R}') \le B\delta^{d-1} + Bbnk \cdot \dfrac{\delta^{d-1} - 1}{\delta - 1}$.

3.4 Other Facts 

Lemma 7 (Expansion of Coefficients). Let $c_1, c_2, B_1, B_2 \in \mathbb{N}$. Let also $u = u_0 + u_1 X + \cdots + u_{c_1 - 1} X^{c_1 - 1} \in R$ and $v = v_0 + v_1 X + \cdots + v_{c_2 - 1} X^{c_2 - 1} \in R$ be ring elements. We further assume that $c_1 + c_2 < n$, $\|\phi(u)\|_\infty \le B_1$ and $\|\phi(v)\|_\infty \le B_2$. Then we have $\|\phi(uv)\|_\infty \le \min\{c_1, c_2\} \cdot B_1 B_2$.

The following lemma provides a general statement for bounding the success probability of an adversary engaging in the security game of IBE. In more detail, when the partitioning technique is used to prove security, the guess returned by the adversary is correlated with the key extraction queries it has made. Therefore, we need to argue with care to obtain a meaningful bound on the success probability that holds for arbitrary key extraction queries.

Lemma 8 (Implicit in [BR09, Yam16]). Let us consider an IBE scheme and an adversary $\mathcal{A}$ that breaks adaptive security (adaptively-anonymous security) with advantage $\epsilon$. Let us also consider a map $\gamma$ that maps a sequence of identities to a value in $[0, 1]$. We consider the following experiment. We first execute the security game for $\mathcal{A}$. Let $\mathsf{ID}^*$ be the challenge identity and $\mathsf{ID}_1, \ldots, \mathsf{ID}_Q$ be the identities for which key extraction queries were made. We denote $\mathbb{ID} = (\mathsf{ID}^*, \mathsf{ID}_1, \ldots, \mathsf{ID}_Q)$. At the end of the game, we set $\mathsf{coin}' \in \{0, 1\}$ as $\mathsf{coin}' = \widehat{\mathsf{coin}}$ with probability $\gamma(\mathbb{ID})$ and $\mathsf{coin}' \leftarrow \{0, 1\}$ with probability $1 - \gamma(\mathbb{ID})$. Then, the following holds.

$$\Bigl|\Pr[\mathsf{coin}' = \mathsf{coin}] - \frac{1}{2}\Bigr| \ \ge\ \gamma_{\min}\, \epsilon - \frac{\gamma_{\max} - \gamma_{\min}}{2}$$

where $\gamma_{\min}$ (resp. $\gamma_{\max}$) is the minimum (resp. maximum) of $\gamma(\mathbb{ID})$ taken over all possible $\mathbb{ID}$.

Injective map. Let $d$ and $\kappa$ be some integers. Furthermore, let $\ell = \lceil \kappa^{1/d} \rceil$. Then, an element of $[1, \kappa]$ can be written as an element of $[1, \ell]^d$ using some canonical map. Furthermore, it is also possible to write a subset of $[1, \kappa]$ as a subset of $[1, \ell]^d$ by naturally extending the canonical map. By identifying a bit string in $\{0, 1\}^\kappa$ with a subset of $[1, \kappa]$ (for example, by regarding the former as the indicator vector of a subset of $[1, \kappa]$), we can define an efficiently computable injective map $S$ that maps a bit string $\mathsf{ID} \in \{0, 1\}^\kappa$ to a subset $S(\mathsf{ID})$ of $[1, \ell]^d$.
3.5 Core Lemma for Our Partitioning

We make a general statement concerning the partitioning technique for IBEs, which we use during the security analysis for both our lattice and bilinear map based constructions. Namely, we use the following lemma in order to argue that the probability that the hash values of the identities corresponding to the key extraction queries are invertible and the hash value of the challenge identity is zero is non-negligible.


Lemma 9. Let $\nu, \mu, d, Q \ge 1$ be any integers. Let $\Phi$ be a ring and $\Omega_1, \ldots, \Omega_\nu$ be a set of fields equipped with homomorphisms $\pi_j : \Phi \to \Omega_j$ for $j \in [\nu]$. Assume that the map $\Pi$ defined as $\Pi : \Phi \ni y \mapsto (\pi_1(y), \ldots, \pi_\nu(y)) \in \Omega_1 \times \cdots \times \Omega_\nu$ is an isomorphism. Let $S_0$ and $S_1$ be subsets of $\Phi$ with finite cardinality. Let us consider a set of multivariate polynomials $f_i(Y_1, \ldots, Y_\mu) \in \Phi[Y_1, \ldots, Y_\mu]$ for $i \in [0, Q]$. We further assume the following properties:

1. The map $\pi_j$ is injective on $S_1$ for all $j \in [\nu]$.

2. $\pi_j(f_0) - \pi_j(f_i)$ is a non-zero polynomial with degree $d$ for all $i \in [Q]$ and $j \in [\nu]$. Here $\pi_j$ is extended to $\pi_j : \Phi[Y_1, \ldots, Y_\mu] \to \Omega_j[Y_1, \ldots, Y_\mu]$ in the natural way.

3. We have $S_0 \supseteq \bigcup_{i \in [0, Q]} \{-f_i(y_1, \ldots, y_\mu) \mid y_1, \ldots, y_\mu \in S_1\}$.

Then, for $y_0 \leftarrow S_0$ and $y_1, \ldots, y_\mu \leftarrow S_1$, we have

$$\frac{1}{|S_0|}\left(1 - \frac{d\nu Q}{|S_1|}\right) \ \le\ \gamma\ \le\ \frac{1}{|S_0|}$$

where we denote

$$\gamma = \Pr_{y_0, \boldsymbol{y}'}\bigl[\, y_0 + f_0(\boldsymbol{y}') = 0 \ \wedge\ y_0 + f_1(\boldsymbol{y}') \in \Phi^* \ \wedge\ \cdots\ \wedge\ y_0 + f_Q(\boldsymbol{y}') \in \Phi^* \,\bigr],$$

$\boldsymbol{y}' = (y_1, \ldots, y_\mu)$, and $\Phi^* = \Pi^{-1}(\Omega_1^* \times \cdots \times \Omega_\nu^*)$.

4 Construction from RLWE 

In this section, we show our IBE scheme from the RLWE assumption. Let $d$ be a (flexible) constant number. In addition, let the identity space of the scheme be $\mathcal{ID} = \{0, 1\}^\kappa$ for some $\kappa \in \mathbb{N}$ and the message space be $\{0, 1\}^n \subset R$.^6 For our construction, we consider an efficiently computable injective map $S$ that maps an identity $\mathsf{ID} \in \{0, 1\}^\kappa$ to a subset $S(\mathsf{ID})$ of $[\ell]^d$, where $\ell = \lceil \kappa^{1/d} \rceil$. Such a map can be constructed easily as we explained in Sect. 3.4. Let $n := n(\lambda)$, $b := b(n)$, $p := p(n)$, $m := 2n$, $k := k(n)$, $q := q(n)$, $\ell := \ell(n)$, $\alpha := \alpha(n)$, $\alpha' := \alpha'(n)$, and $\sigma := \sigma(n)$ be parameters that are specified later. Let also $\Phi_m(X) = X^n + 1$ be the $m$-th cyclotomic polynomial and $R = \mathbb{Z}[X]/(\Phi_m(X))$.

Note that we regard $\mathsf{M}$ as an element in $R$ via $\phi^{-1} : \mathbb{Z}^n \to R$ (the inverse of the coefficient embedding).
$\mathsf{Setup}(1^\lambda)$: On input $1^\lambda$, it first runs $(\boldsymbol{a}, \mathbf{T}_{\boldsymbol{a}}) \leftarrow \mathsf{TrapGen}(1^n, 1^k, q, p)$ to obtain $\boldsymbol{a} \in R_q^k$ and $\mathbf{T}_{\boldsymbol{a}} \in R^{k \times k}$. It also picks $u \leftarrow R_q$, $\boldsymbol{b}_0, \boldsymbol{b}_{i,j} \leftarrow R_q^k$ for $(i, j) \in [d] \times [\ell]$ and outputs

$$\mathsf{mpk} = \bigl(\boldsymbol{a}, \boldsymbol{b}_0, \{\boldsymbol{b}_{i,j}\}_{(i,j) \in [d] \times [\ell]}, u\bigr) \quad \text{and} \quad \mathsf{msk} = \mathbf{T}_{\boldsymbol{a}}.$$

In the following, we use a deterministic function $H : \mathcal{ID} \to R_q^k$ defined as

$$H(\mathsf{ID}) = \boldsymbol{b}_0 + \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID})} \mathsf{PubEval}_d\bigl(\boldsymbol{b}_{1, j_1}, \boldsymbol{b}_{2, j_2}, \ldots, \boldsymbol{b}_{d, j_d}\bigr) \in R_q^k.$$

$\mathsf{KeyGen}(\mathsf{mpk}, \mathsf{msk}, \mathsf{ID})$: It first computes $H(\mathsf{ID})$ and picks $\boldsymbol{e} \in R^{2k}$ such that

$$[\boldsymbol{a} \mid H(\mathsf{ID})] \cdot \boldsymbol{e}^T = u$$

using $\mathsf{SampleLeft}(\boldsymbol{a}, H(\mathsf{ID}), u, \mathbf{T}_{\boldsymbol{a}}, \sigma) \to \boldsymbol{e}$. It returns $\mathsf{sk}_{\mathsf{ID}} = \boldsymbol{e}$.

$\mathsf{Encrypt}(\mathsf{mpk}, \mathsf{ID}, \mathsf{M})$: To encrypt a message $\mathsf{M} \in \{0, 1\}^n \subset R$, it first picks $s \leftarrow R_q$ together with noise terms $x_0 \in R$ and $\boldsymbol{x}_1, \boldsymbol{x}_2 \in R^k$, sampled from the discrete Gaussian distributions determined by the parameters $\alpha$ and $\alpha'$. Then it computes

$$c_0 = su + x_0 + \lfloor q/2 \rfloor \cdot \mathsf{M}, \qquad \boldsymbol{c}_1 = s[\boldsymbol{a} \mid H(\mathsf{ID})] + [\boldsymbol{x}_1 \mid \boldsymbol{x}_2].$$

Finally, it outputs the ciphertext $C = (c_0, \boldsymbol{c}_1) \in R_q \times R_q^{2k}$.

$\mathsf{Decrypt}(\mathsf{mpk}, \mathsf{sk}_{\mathsf{ID}}, C)$: To decrypt a ciphertext $C = (c_0, \boldsymbol{c}_1)$ using a private key $\mathsf{sk}_{\mathsf{ID}} = \boldsymbol{e}$, it computes $\bigl(\lfloor (2/q) \cdot \phi(c_0 - \boldsymbol{c}_1 \boldsymbol{e}^T) \rceil \bmod 2\bigr) = \mathsf{M}$. Here, the rounding function is applied componentwise.


4.1 Correctness and Parameter Selection 

The following lemma addresses the correctness of the scheme.

Lemma 10 (Correctness). Assume that $\alpha q\, \omega(\sqrt{\log n}) + \sqrt{nk}\, \alpha' \sigma\, \omega(\sqrt{\log nk}) < q/5$ holds with overwhelming probability. Then the above scheme has negligible decryption error.
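As an added example (not the paper's code), the following Python script runs the Encrypt/Decrypt equations of Sect. 4 in toy dimensions to exhibit the error term that Lemma 10 bounds. It assumes constructed stand-ins: $n = 8$, $k = 2$, $q = 10067$, a uniformly random $H(\mathsf{ID})$, bounded uniform noise in place of the discrete Gaussians, and a short $\boldsymbol{e}$ chosen first with $u := [\boldsymbol{a} \mid H(\mathsf{ID})]\boldsymbol{e}^T$ in place of $\mathsf{TrapGen}$/$\mathsf{SampleLeft}$.

```python
# Added example, not the paper's code: the decryption identity behind Lemma 10,
#   c_0 - c_1 e^T = x_0 - [x_1|x_2] e^T + floor(q/2) M     whenever [a|H(ID)] e^T = u,
# run in toy dimensions. Constructed stand-ins: n = 8, k = 2, q = 10067 (a prime with
# q = 3 mod 8), uniform H(ID), bounded uniform noise instead of discrete Gaussians, and
# a short e picked first with u := [a|H(ID)] e^T instead of TrapGen/SampleLeft.
import random

N, K, Q = 8, 2, 10067

def ring_mul(a, b):
    """Product in R_q = Z_q[X]/(X^N + 1): negacyclic convolution (X^N = -1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def vec_dot(vec, e):
    """Row vector times column vector over R_q: sum_i vec[i] * e[i]."""
    acc = [0] * N
    for v, ei in zip(vec, e):
        acc = ring_add(acc, ring_mul(v, ei))
    return acc

def centered(c):
    """Representative of c mod Q in (-Q/2, Q/2]."""
    return c - Q if c > Q // 2 else c

def sample_short(rng, bound, count):
    """count ring elements with coefficients uniform in [-bound, bound] (Gaussian stand-in)."""
    return [[rng.randint(-bound, bound) % Q for _ in range(N)] for _ in range(count)]

def worst_case_error(noise_bound=2, e_bound=1):
    """Largest |coefficient| of x_0 - [x_1|x_2] e^T for the bounds above: each of the 2k
    ring products contributes at most N * noise_bound * e_bound, plus x_0 itself.
    Decryption is correct whenever this stays below q/4 (Lemma 10 asks for q/5)."""
    return noise_bound + 2 * K * N * noise_bound * e_bound

def toy_ibe(seed=7, noise_bound=2, message=None):
    """Returns (M, recovered M, max |error coefficient|) for one encrypt/decrypt run."""
    rng = random.Random(seed)
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(K)]    # a <- R_q^k
    h = [[rng.randrange(Q) for _ in range(N)] for _ in range(K)]    # H(ID), uniform stand-in
    e = sample_short(rng, 1, 2 * K)                                  # sk_ID = e in R^{2k}, short
    u = vec_dot(a + h, e)                                            # u := [a|H(ID)] e^T (no trapdoor)
    M = message if message is not None else [rng.randrange(2) for _ in range(N)]
    # Encrypt: c_0 = s u + x_0 + floor(q/2) M,   c_1 = s [a|H(ID)] + [x_1|x_2]
    s = [rng.randrange(Q) for _ in range(N)]
    x0 = sample_short(rng, noise_bound, 1)[0]
    x12 = sample_short(rng, noise_bound, 2 * K)
    c0 = ring_add(ring_add(ring_mul(s, u), x0), [(Q // 2) * m for m in M])
    c1 = [ring_add(ring_mul(s, v), x) for v, x in zip(a + h, x12)]
    # Decrypt: round (2/q) * phi(c_0 - c_1 e^T) componentwise, then reduce mod 2
    d = ring_sub(c0, vec_dot(c1, e))
    recovered = [round(2 * centered(coef) / Q) % 2 for coef in d]
    # the term the rounding had to absorb
    err = ring_sub(x0, vec_dot(x12, e))
    max_err = max(abs(centered(coef)) for coef in err)
    return M, recovered, max_err

if __name__ == "__main__":
    M, rec, max_err = toy_ibe()
    print("message  ", M)
    print("recovered", rec)
    print("max |error| =", max_err, "< q/4 =", Q / 4)
```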

Parameter selection. We refer the precise requirements for the parameter selection to the full version. One concrete selection for the parameters is as follows:

$$k = 8d + 12, \qquad q = n^{2d+3}, \qquad b = p = n^{1/2},$$

a = n d • cj(logn), a = n~ 2d ~i • cj(log 2 n) _1 , o' = • cj(log4 n) -1 , 

where $d$ is a (flexible) constant which may be set very small (e.g., $d = 2$ or $3$) in a typical setting, and the length $\kappa$ of the identities $\mathsf{ID}$ is set as $n$. This specific instantiation is denoted as the Type 2 IBE scheme in Table 1 of Sect. 6. Furthermore, the other concrete instantiation, provided only in the full version, where we set $b = 2$ and $k = O(\log n)$, is denoted as the Type 1 IBE scheme.
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4.2 Security Proof for the Scheme 

The following theorem addresses the security of the scheme. The proof proceeds 
in a similar manner as in [Yaml6], but we incorporate several novel ideas as we 
explained in Sect. 2. 

Theorem 2. The above IBE scheme is adaptively- anonymous secure assuming 
RLWE n k-\-i,q,Dy°n f i s hard, where the ciphertext space is C = R q x R q k . 

Proof. Let $\mathcal{A}$ be a PPT adversary that breaks the adaptively-anonymous security of the scheme. In addition, let $\epsilon = \epsilon(n)$ and $Q = Q(n)$ be its advantage and the upper bound on the number of key extraction queries, respectively.

Since $\mathcal{A}$ is PPT and $\lambda$ and $n$ are polynomially related (namely, $n = O(\lambda^{\delta})$ for some constant $\delta$), there exists a constant $c_1 \in \mathbb{N}$ such that $4(dQ + 1) \le n^{c_1}$ for all sufficiently large $n$. Similarly, since $\mathcal{A}$ breaks the security of the scheme, there exists $c_2 \in \mathbb{N}$ such that $2\epsilon \ge n^{-c_2}$ holds for infinitely many $n$. By setting $c = c_1 + c_2$, we have that
$$ 4dQ \le n^{c} \ \text{ for all } n \in \mathbb{N} \qquad\text{and}\qquad \frac{\epsilon}{2(dQ+1)} \ge \frac{1}{n^{c}} \ \text{ for infinitely many } n \in \mathbb{N}. \tag{8} $$
In the proof, we will assume $d(c-1) < n$. Since both $c$ and $d$ are constants, this holds for sufficiently large $n$.

We show the security of the scheme via the following games. In each game, a value $\mathsf{coin}' \in \{0,1\}$ is defined. While it is set $\mathsf{coin}' = \widehat{\mathsf{coin}}$ in the first game, these values might be different in the later games. In the following, we define $X_i$ to be the event that $\mathsf{coin}' = \mathsf{coin}$ in $\mathsf{Game}_i$.


$\mathsf{Game}_0$: This is the real security game. In the challenge phase, the challenge ciphertext is set as $C^* = (c_0^*, c_1^*) \leftarrow R_q \times R_q^{2k}$ if $\mathsf{coin} = 1$. Otherwise, it is set as $C^* \leftarrow \mathsf{Encrypt}(\mathsf{mpk}, \mathsf{ID}^*, M)$, where $M$ is the message chosen by $\mathcal{A}$. At the end of the game, $\mathcal{A}$ outputs a guess $\widehat{\mathsf{coin}}$ for $\mathsf{coin}$. Finally, the challenger sets $\mathsf{coin}' = \widehat{\mathsf{coin}}$. By definition, we have
$$ \Big| \Pr[X_0] - \frac{1}{2} \Big| = \Big| \Pr[\mathsf{coin}' = \mathsf{coin}] - \frac{1}{2} \Big| = \Big| \Pr[\widehat{\mathsf{coin}} = \mathsf{coin}] - \frac{1}{2} \Big| = \epsilon . $$


S. Katsumata and S. Yamada

$\mathsf{Game}_1$: For integers $t_0, t_1 \in \mathbb{Z}$ such that $t_0 < t_1$ and a positive integer $c \in \mathbb{N}$, let us denote by $[t_0, t_1]_{R,c}$ the set
$$ [t_0, t_1]_{R,c} := \Big\{ \sum_{i=0}^{c-1} a_i X^{i} \ \Big|\ a_i \in [t_0, t_1] \text{ for all } i \in [0, c-1] \Big\} \subset R . $$
In words, $[t_0, t_1]_{R,c}$ denotes the set of polynomials of degree at most $c-1$ with all of their coefficients in the interval $[t_0, t_1]$. Note that $c$ is the constant defined in Eq. (8). In this game, we change $\mathsf{Game}_0$ so that the challenger performs the following additional step at the end of the game. First, the challenger picks $\mathbf{y} = (y_0, \{y_{i,j}\}_{(i,j) \in [d] \times [\ell]})$ as
$$ y_0 \leftarrow [-\kappa (cn)^{d}, -1]_{R,(c-1)d+1} \qquad\text{and}\qquad y_{i,j} \leftarrow [1, n]_{R,c} \tag{9} $$
for $(i,j) \in [d] \times [\ell]$. Recall that $\kappa$ is the length of the identities. We then define a function $F_{\mathbf{y}} : \mathcal{ID} \to R_q$ as follows:
$$ F_{\mathbf{y}}(\mathsf{ID}) = y_0 + \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID})} y_{1,j_1} \cdots y_{d,j_d} . $$
Then the challenger checks whether the following condition holds:
$$ F_{\mathbf{y}}(\mathsf{ID}^*) = 0 \ \wedge\ F_{\mathbf{y}}(\mathsf{ID}_1) \in R_q^{*} \ \wedge\ \cdots \ \wedge\ F_{\mathbf{y}}(\mathsf{ID}_Q) \in R_q^{*} , \tag{10} $$
where $\mathsf{ID}^*$ is the challenge identity, and $\mathsf{ID}_1, \ldots, \mathsf{ID}_Q$ are the identities for which $\mathcal{A}$ has made key extraction queries. If it does not hold, the challenger ignores the output $\widehat{\mathsf{coin}}$ of $\mathcal{A}$, and sets $\mathsf{coin}' \leftarrow \{0,1\}$. In this case, we say that the challenger aborts. If condition (10) holds, the challenger sets $\mathsf{coin}' = \widehat{\mathsf{coin}}$. As we will show in Lemma 11, we have
$$ \Big| \Pr[X_1] - \frac{1}{2} \Big| \ \ge\ \frac{1}{(\kappa c^{d} n^{d})^{(c-1)d+1}} \cdot \Big( \frac{\epsilon}{2} - \frac{dQ}{n^{c}} \Big). \tag{13} $$
So as not to interrupt the proof of Theorem 2, we intentionally skip the proof of Lemma 11 for the time being.

$\mathsf{Game}_2$: In this game, we change the way $b_0$ and $b_{i,j}$ are chosen. At the beginning of the game, the challenger picks $R_0, R_{i,j} \leftarrow [-p, p]_R^{k \times k}$ for $(i,j) \in [d] \times [\ell]$. It also picks $\mathbf{y}$ as in $\mathsf{Game}_1$. Then $b_0$ and $b_{i,j}$ are defined as
$$ b_0 = a R_0 + y_0\, g_b, \qquad b_{i,j} = a R_{i,j} + y_{i,j}\, g_b \tag{11} $$
for $(i,j) \in [d] \times [\ell]$. The rest of the game is the same as in $\mathsf{Game}_1$.

Now, we bound $|\Pr[X_2] - \Pr[X_1]|$. By Lemma 4, the distributions
$$ \big(a,\ aR_0 + y_0 g_b,\ \{aR_{i,j} + y_{i,j} g_b\}_{(i,j) \in [d] \times [\ell]}\big) \qquad\text{and}\qquad \big(a,\ b_0,\ \{b_{i,j}\}_{(i,j) \in [d] \times [\ell]}\big) $$
are $\mathrm{negl}(n)$-close, where $b_0, b_{i,j} \leftarrow R_q^{k}$. Thus, we have $|\Pr[X_1] - \Pr[X_2]| = \mathrm{negl}(n)$.

$\mathsf{Game}_3$: Recall that in the previous game, the challenger aborts at the end of the game if condition (10) is not satisfied. In this game, we change the game so that the challenger aborts as soon as the abort condition becomes true. Since this is only a conceptual change, we have $\Pr[X_2] = \Pr[X_3]$.

Before describing the next game, we define $R_{\mathsf{ID}} \in R^{k \times k}$ for an identity $\mathsf{ID} \in \mathcal{ID}$ as
$$ R_{\mathsf{ID}} = R_0 + \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID})} \mathsf{TrapEval}_d\big(R_{1,j_1}, \ldots, R_{d,j_d},\ y_{1,j_1}, \ldots, y_{d,j_d}\big). \tag{12} $$
Note that by the definition of $R_{\mathsf{ID}}$, $H(\mathsf{ID})$, $\mathsf{PubEval}$ and $\mathsf{TrapEval}$ (Lemma 6) we have
$$ H(\mathsf{ID}) = b_0 + \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID})} \mathsf{PubEval}_d\big(b_{1,j_1}, \ldots, b_{d,j_d}\big) = a R_{\mathsf{ID}} + F_{\mathbf{y}}(\mathsf{ID})\, g_b . $$
Since $R_0, R_{i,j} \leftarrow [-p, p]_R^{k \times k}$, from Lemma 2 we have $s_1(R_0), s_1(R_{i,j}) \le B$ with all but negligible probability, where $B = C' \cdot p\sqrt{n}\,(\sqrt{k} + \omega(\sqrt{\log n}))$ for some positive absolute constant $C'$. Furthermore, we have $\|y_{i,j}\|_1 \le cn$ from Eq. (9). Therefore, by Lemma 6 we have
$$ s_1(R_{\mathsf{ID}}) \ \le\ s_1(R_0) + \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID})} s_1\Big(\mathsf{TrapEval}_d\big(R_{1,j_1}, \ldots, R_{d,j_d},\ y_{1,j_1}, \ldots, y_{d,j_d}\big)\Big) \ \le\ B \Big( 1 + \kappa (cn)^{d-1} + \kappa b n k \cdot \frac{(cn)^{d-1} - 1}{cn - 1} \Big) \tag{14} $$
for any $\mathsf{ID} \in \mathcal{ID}$ with all but negligible probability.

$\mathsf{Game}_4$: In this game, we change the way the vector $a$ is sampled. Namely, the $\mathsf{Game}_4$ challenger picks $a \leftarrow R_q^{k}$ instead of generating it with a trapdoor. By Lemma 5, this makes only a negligible difference. Furthermore, we also change the way the key extraction queries are answered. When $\mathcal{A}$ makes a key extraction query for an identity $\mathsf{ID}$, the challenger first computes $R_{\mathsf{ID}}$ as in Eq. (12). It aborts if $F_{\mathbf{y}}(\mathsf{ID}) \notin R_q^{*}$, as in the previous game, and runs
$$ \mathsf{SampleRight}\big(a,\ g_b,\ R_{\mathsf{ID}},\ F_{\mathbf{y}}(\mathsf{ID}),\ u,\ \sigma\big) \to e $$
otherwise. Note that in the previous game the private key was sampled as $\mathsf{SampleLeft}(a, H(\mathsf{ID}), u, T_a, \sigma) \to e$. By Eq. (14) and for our choice of $\sigma$, the output distribution of $\mathsf{SampleRight}$ is $\mathrm{negl}(n)$-close to $D^{\mathrm{coeff}}_{\Lambda^{\perp}_{u}([\mathrm{rot}(a^{\top})^{\top} \mid \mathrm{rot}(H(\mathsf{ID})^{\top})^{\top}]),\, \sigma}$. Furthermore, by the choice of $\sigma$, this distribution is $\mathrm{negl}(n)$-close to the output distribution of $\mathsf{SampleLeft}$. Therefore, the above change alters the view of $\mathcal{A}$ only negligibly. Thus, we have $|\Pr[X_3] - \Pr[X_4]| = \mathrm{negl}(n)$.

$\mathsf{Game}_5$: In this game, we change the way the challenge ciphertext is created when $\mathsf{coin} = 0$. Recall that in the previous games, when $\mathsf{coin} = 0$, we created a valid challenge ciphertext as in the real scheme. If $\mathsf{coin} = 0$ and $F_{\mathbf{y}}(\mathsf{ID}^*) = 0$ (i.e., if it does not abort), to create the challenge ciphertext the $\mathsf{Game}_5$ challenger first picks $s \leftarrow R_q$ and $x \leftarrow (D_{\mathbb{Z}^n, \alpha q})^{k}$ and computes $v = sa + x \in R_q^{k}$. It then runs the algorithm
$$ \mathsf{ReRand}\Big( \mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]),\ \phi(v),\ \alpha q,\ \frac{\alpha'}{2\alpha} \Big) \to c \in \mathbb{Z}_q^{2nk} $$
from Lemma 1, where $I_k \in R^{k \times k}$ is the identity matrix of size $k \times k$. Finally, it picks $x_0 \leftarrow D_{\mathbb{Z}^n, \alpha q}$ and sets the challenge ciphertext as
$$ C^* = \Big( c_0 = v_0 + \lfloor q/2 \rfloor \cdot M,\ \ c_1 = \phi^{-1}(c) \Big) \in R_q \times R_q^{2k}, \tag{15} $$
where $v_0 = su + x_0$ and $M$ is the message chosen by $\mathcal{A}$. We claim that this change alters the view of $\mathcal{A}$ only negligibly. To show this, observe that the input to $\mathsf{ReRand}$ is $\mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]) \in \mathbb{Z}_q^{nk \times 2nk}$ and
$$ \phi(v) = \phi(sa + x) = \phi(s)\,\mathrm{rot}(a) + \phi(x) \in \mathbb{Z}_q^{nk}, $$
where $\phi(x)$ is distributed as $D_{\mathbb{Z}^{nk}, \alpha q}$. Therefore, by the property of $\mathsf{ReRand}$ and our choice of $\alpha$ and $\alpha'$, the output $c \in \mathbb{Z}_q^{2nk}$ is
$$ c = \big(\phi(s)\,\mathrm{rot}(a)\big) \cdot \mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]) + x' = \phi(s) \cdot \mathrm{rot}([a \mid H(\mathsf{ID}^*)]) + x' = \phi\big(s\,[a \mid H(\mathsf{ID}^*)]\big) + x', $$
where the distribution of $x'$ is within negligible distance from $D_{\mathbb{Z}^{2nk}, \alpha' q}$ due to Lemma 1. Here, we use the fact that $H(\mathsf{ID}^*) = a R_{\mathsf{ID}^*}$ holds since $F_{\mathbf{y}}(\mathsf{ID}^*) = 0$. It can be readily seen that the distribution of $c_1 = \phi^{-1}(c)$ in $\mathsf{Game}_5$ is statistically close to that in $\mathsf{Game}_4$. Therefore, we conclude that $|\Pr[X_4] - \Pr[X_5]| = \mathrm{negl}(n)$.

$\mathsf{Game}_6$: In this game, we change the way the challenge ciphertext is created when $\mathsf{coin} = 0$. If $\mathsf{coin} = 0$ and the abort condition is not satisfied, to create the challenge ciphertext for identity $\mathsf{ID}^*$ and message $M$, the $\mathsf{Game}_6$ challenger first picks $v_0 \leftarrow R_q$, $v' \leftarrow R_q^{k}$ and $x \leftarrow (D_{\mathbb{Z}^n, \alpha q})^{k}$, and runs
$$ \mathsf{ReRand}\Big( \mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]),\ \phi(v),\ \alpha q,\ \frac{\alpha'}{2\alpha} \Big) \to c \in \mathbb{Z}_q^{2nk}, \tag{16} $$
where $v = v' + x$. Then, the challenge ciphertext is set as in Eq. (15), with this uniformly random $v_0$ in place of $su + x_0$. As we will show in Lemma 12, assuming $\mathsf{RLWE}_{n,k+1,q,D^{\mathrm{coeff}}_{\mathbb{Z}^n,\alpha q}}$ is hard, we have $|\Pr[X_5] - \Pr[X_6]| = \mathrm{negl}(n)$.

$\mathsf{Game}_7$: In this game, we further change the way the challenge ciphertext is created. When $\mathsf{coin} = 0$ and the abort condition is not satisfied, the challenge ciphertext for $\mathsf{ID}^*$ is created as
$$ C^* = \Big( c_0 = v_0 + \lfloor q/2 \rfloor \cdot M,\ \ c_1 = [v' \mid v' R_{\mathsf{ID}^*}] + [x_1 \mid x_2] \Big) \in R_q \times R_q^{2k}, $$
where $v_0 \leftarrow R_q$, $v' \leftarrow R_q^{k}$ and $x_1, x_2 \leftarrow (D_{\mathbb{Z}^n, \alpha' q})^{k}$.

We claim that this change alters the view of $\mathcal{A}$ only negligibly. This can be seen by an argument similar to the one we made in the step from $\mathsf{Game}_4$ to $\mathsf{Game}_5$. We first observe that in $\mathsf{Game}_6$ the input to $\mathsf{ReRand}$ is $\mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]) \in \mathbb{Z}_q^{nk \times 2nk}$ and
$$ \phi(v) = \phi(v' + x) = \phi(v') + \phi(x) \in \mathbb{Z}_q^{nk}, \tag{17} $$
where $\phi(x)$ is distributed as $D_{\mathbb{Z}^{nk}, \alpha q}$. Therefore, the output $c \in \mathbb{Z}_q^{2nk}$ of $\mathsf{ReRand}$ is
$$ c = \phi(v') \cdot \mathrm{rot}([I_k \mid R_{\mathsf{ID}^*}]) + x' = \phi\big([v' \mid v' R_{\mathsf{ID}^*}]\big) + x', $$
where the distribution of $x'$ is within negligible distance from $D_{\mathbb{Z}^{2nk}, \alpha' q}$ due to Lemma 1. Hence, the distribution of $c_1 = \phi^{-1}(c)$ in $\mathsf{Game}_6$ is statistically close to that in $\mathsf{Game}_7$. Therefore, we have $|\Pr[X_6] - \Pr[X_7]| = \mathrm{negl}(n)$.
$\mathsf{Game}_8$: In this game, we change the way the key extraction queries are answered. Instead of running $\mathsf{SampleLeft}$ or $\mathsf{SampleRight}$, the (possibly inefficient) challenger directly picks a secret key $\mathsf{sk}_{\mathsf{ID}}$ for identity $\mathsf{ID}$ as $\mathsf{sk}_{\mathsf{ID}} \leftarrow D^{\mathrm{coeff}}_{\Lambda^{\perp}_{u}([\mathrm{rot}(a^{\top})^{\top} \mid \mathrm{rot}(H(\mathsf{ID})^{\top})^{\top}]),\, \sigma}$ without using $R_{\mathsf{ID}}$. Similarly to the change from $\mathsf{Game}_3$ to $\mathsf{Game}_4$, by the choice of $\sigma$ and Eq. (14), this alters the view of $\mathcal{A}$ only negligibly. Therefore, we have $|\Pr[X_7] - \Pr[X_8]| = \mathrm{negl}(n)$. Note that this is only a conceptual game, introduced in order to get rid of any (negligible) correlation between the secret keys and $R_{\mathsf{ID}}$, so as not to interfere with the statistical argument using $R_{\mathsf{ID}^*}$ in the following game.

$\mathsf{Game}_9$: In this game, we change the challenge ciphertext to be a random vector, regardless of whether $\mathsf{coin} = 0$ or $\mathsf{coin} = 1$. Namely, the $\mathsf{Game}_9$ challenger generates the challenge ciphertext $C^* = (c_0, c_1)$ as
$$ c_0 \leftarrow R_q \qquad\text{and}\qquad c_1 \leftarrow R_q^{2k}. $$
We now proceed to bound $|\Pr[X_8] - \Pr[X_9]|$. Since $\mathsf{Game}_8$ and $\mathsf{Game}_9$ differ only in the creation of the challenge ciphertext when $\mathsf{coin} = 0$, we focus on this case. First, it is easy to see that $c_0$ is uniformly random over $R_q$ in both $\mathsf{Game}_8$ and $\mathsf{Game}_9$. Therefore, we only need to show that the distribution of $c_1$ in $\mathsf{Game}_8$ is $\mathrm{negl}(n)$-close to the uniform distribution over $R_q^{2k}$. To see this, it suffices to show that $[v' \mid v' R_{\mathsf{ID}^*}]$ is distributed statistically close to the uniform distribution over $R_q^{2k}$. First, observe that the following distributions are $\mathrm{negl}(n)$-close:
$$ (a,\ aR_0,\ v',\ v'R_0) \ \approx\ (a,\ a',\ v',\ v'') \ \approx\ (a,\ aR_0,\ v',\ v''), \tag{18} $$
where $a, a' \leftarrow R_q^{k}$, $R_0 \leftarrow [-p, p]_R^{k \times k}$ and $v', v'' \leftarrow R_q^{k}$. It can be seen that the first and the second distributions are $\mathrm{negl}(n)$-close by applying Lemma 4 for $[a; v'] \in R_q^{2 \times k}$ and $R_0$. It can also be seen that the second and the third distributions are $\mathrm{negl}(n)$-close by applying the same lemma for $a$ and $R_0$. From the above, the following distributions are statistically close:
$$ (a,\ aR_0,\ v',\ v' R_{\mathsf{ID}^*}) \ =\ \big(a,\ aR_0,\ v',\ v'(R_0 + R'_{\mathsf{ID}^*})\big) \ \approx\ (a,\ aR_0,\ v',\ v'' + v' R'_{\mathsf{ID}^*}) \ \approx\ (a,\ aR_0,\ v',\ v''), $$
where $a, a' \leftarrow R_q^{k}$, $R_0 \leftarrow [-p, p]_R^{k \times k}$, $v', v'' \leftarrow R_q^{k}$ and
$$ R'_{\mathsf{ID}^*} = \sum_{(j_1, \ldots, j_d) \in S(\mathsf{ID}^*)} \mathsf{TrapEval}_d\big(R_{1,j_1}, \ldots, R_{d,j_d},\ y_{1,j_1}, \ldots, y_{d,j_d}\big). $$
The second and the third distributions above are $\mathrm{negl}(n)$-close by Eq. (18), and the third and the fourth are identically distributed because $v''$ is uniform and independent of $R'_{\mathsf{ID}^*}$. Note that we intentionally ignored all the $aR_{i,j}$ terms to keep the argument simple, since focusing on the $aR_0$ term is enough to prove the randomness of $[v' \mid v' R_{\mathsf{ID}^*}]$. Therefore, we conclude that $|\Pr[X_8] - \Pr[X_9]| = \mathrm{negl}(n)$.
Analysis. From the above, we have
$$ \begin{aligned}
\Big| \Pr[X_9] - \frac{1}{2} \Big|
&= \Big| \Pr[X_1] - \frac{1}{2} + \sum_{i=1}^{8} \big( \Pr[X_{i+1}] - \Pr[X_i] \big) \Big| \\
&\ge \Big| \Pr[X_1] - \frac{1}{2} \Big| - \sum_{i=1}^{8} \big| \Pr[X_{i+1}] - \Pr[X_i] \big| \\
&\ge \frac{1}{(\kappa c^{d} n^{d})^{(c-1)d+1}} \Big( \frac{\epsilon}{2} - \frac{dQ}{n^{c}} \Big) - \mathrm{negl}(n)
\ = \ \frac{1}{\mathrm{poly}(n)} \Big( \frac{\epsilon}{2} - \frac{dQ}{n^{c}} \Big) - \mathrm{negl}(n), && (19)
\end{aligned} $$
where the third line uses Eq. (13) and the last equality follows from the facts that $c$ and $d$ are constants and $\kappa = \mathrm{poly}(n)$. Since the challenge ciphertext is independent of the value of $\mathsf{coin}$ in $\mathsf{Game}_9$, we have $\Pr[X_9] = 1/2$ and thus $|\Pr[X_9] - 1/2| = 0$. Therefore, $\epsilon/2 - dQ/n^{c}$ must be negligible. However, by Eq. (8),
$$ \frac{\epsilon}{2} - \frac{dQ}{n^{c}} \ \ge\ \frac{dQ + 1}{n^{c}} - \frac{dQ}{n^{c}} \ =\ \frac{1}{n^{c}} $$
holds for infinitely many $n$, which is a contradiction.

To complete the proof of Theorem 2, it remains to prove Lemmas 11 and 12.

Lemma 11. For any PPT adversary $\mathcal{A}$, Eq. (13) holds.

Proof. For a sequence of identities $\mathbf{ID} = (\mathsf{ID}^*, \mathsf{ID}_1, \ldots, \mathsf{ID}_Q) \in \mathcal{ID}^{Q+1}$, we define $\gamma(\mathbf{ID})$ as
$$ \gamma(\mathbf{ID}) = \Pr_{\mathbf{y}}\Big[ F_{\mathbf{y}}(\mathsf{ID}^*) = 0 \ \wedge\ F_{\mathbf{y}}(\mathsf{ID}_1) \in R_q^{*} \ \wedge\ F_{\mathbf{y}}(\mathsf{ID}_2) \in R_q^{*} \ \wedge\ \cdots \ \wedge\ F_{\mathbf{y}}(\mathsf{ID}_Q) \in R_q^{*} \Big], $$
where the probability is taken over $\mathbf{y} = (y_0, \{y_{i,j}\}_{(i,j) \in [d] \times [\ell]})$, which is chosen as specified in $\mathsf{Game}_1$. Then, it suffices to show Eq. (20), which bounds $\gamma(\mathbf{ID})$ in terms of the factor
$$ \frac{1}{(\kappa c^{d} n^{d})^{(c-1)d+1}}, \tag{20} $$
since by Lemma 8 this implies Eq. (13) through a bound on $|\Pr[X_1] - 1/2|$ carrying the factor
$$ \frac{1}{2\,(\kappa c^{d} n^{d})^{(c-1)d+1}}, $$
where the last inequality follows from Eq. (8). In the following, we will prove Eq. (20) by applying Lemma 9. We set
$$ \nu = 2, \qquad \mu = d\ell, \qquad \Phi = R_q, \qquad \Phi_j = R_q/(t_j), \qquad \pi_j : R_q \to R_q/(t_j) \ \text{ for } j \in [2], $$
$$ S_0 = [-\kappa (cn)^{d}, -1]_{R,(c-1)d+1}, \qquad S_1 = [1, n]_{R,c}, $$
where $\pi_j$ is the natural homomorphism and $t_1, t_2$ are the elements of $R_q$ defined in Lemma 3. Therefore, the map $\Pi : \Phi \ni y \mapsto (\pi_1(y), \pi_2(y)) \in \Phi_1 \times \Phi_2$ is an isomorphism. We define $f_i(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]})$ for $i \in [0, Q]$ as
$$ f_i\big(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]}\big) = \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}_i)} y_{1,j'_1} \cdots y_{d,j'_d}, $$
where we define $\mathsf{ID}_0 := \mathsf{ID}^*$. Note that we have $F_{\mathbf{y}}(\mathsf{ID}_i) = y_0 + f_i(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]})$. We now check that the three conditions for Lemma 9 hold.

- We prove that $\pi_j$ is injective on $S_1$ for $j \in \{1,2\}$. Assume for contradiction that there are $a_1, a_2 \in S_1$ with $a_1 \neq a_2$ and $\pi_j(a_1) = \pi_j(a_2)$, i.e., $\pi_j(a_1 - a_2) = 0$. We then have $a_1 - a_2 \notin R_q^{*}$. On the other hand, we have $\|\phi(a_1 - a_2)\|_2 \le \sqrt{c}\, n < \sqrt{q}$. However, this contradicts Lemma 3.

- For $i \in [1, Q]$, we have
$$ f_0\big(\{y_{j,j'}\}\big) - f_i\big(\{y_{j,j'}\}\big) = \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}^*)} y_{1,j'_1} \cdots y_{d,j'_d} \ -\ \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}_i)} y_{1,j'_1} \cdots y_{d,j'_d} . $$
Since $\mathsf{ID}^* \neq \mathsf{ID}_i$ and $S$ is an injective map, we have $S(\mathsf{ID}^*) \neq S(\mathsf{ID}_i)$. Therefore, there exists $(j^*_1, \ldots, j^*_d) \in [\ell]^{d}$ such that $(j^*_1, \ldots, j^*_d) \in S(\mathsf{ID}^*) \,\triangle\, S(\mathsf{ID}_i)$, where $S(\mathsf{ID}^*) \,\triangle\, S(\mathsf{ID}_i)$ denotes the symmetric difference of $S(\mathsf{ID}^*)$ and $S(\mathsf{ID}_i)$. Thus, the above polynomial is a non-zero polynomial of degree $d$. Since the coefficients of $f_0 - f_i$ are all in $\{-1, 0, 1\}$ and $\pi_j(\pm 1) = \pm 1$, $\pi_j(f_0 - f_i)$ is a non-zero polynomial for $j \in \{1,2\}$ as well.

- We prove $S_0 \supseteq \{ -f_i(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]}) \mid y_{1,1}, \ldots, y_{d,\ell} \in S_1 \}$ for all $i \in [0, Q]$. By our assumption $d(c-1) < n$ and by regarding the elements $y_{j,j'}$ as polynomials in $\mathbb{Z}[X]/(X^{n}+1)$ of degree $c-1$, the $f_i(\{y_{j,j'}\})$ are all in $[*, *]_{R,\, d(c-1)+1}$, where $*$ represents some integer. It then suffices to show $\|\phi(f_i(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]}))\|_\infty \le \kappa (cn)^{d}$. For any $\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]}$, we have
$$ \begin{aligned}
\Big\| \phi\big( f_i(\{y_{j,j'}\}_{(j,j') \in [d] \times [\ell]}) \big) \Big\|_\infty
&= \Big\| \phi\Big( \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}_i)} y_{1,j'_1}\, y_{2,j'_2} \cdots y_{d,j'_d} \Big) \Big\|_\infty && (21) \\
&= \Big\| \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}_i)} \phi\big( y_{1,j'_1}\, y_{2,j'_2} \cdots y_{d,j'_d} \big) \Big\|_\infty && (22) \\
&\le \sum_{(j'_1, \ldots, j'_d) \in S(\mathsf{ID}_i)} \Big\| \phi\big( y_{1,j'_1}\, y_{2,j'_2} \cdots y_{d,j'_d} \big) \Big\|_\infty && (23) \\
&\le \kappa (cn)^{d}, && (24)
\end{aligned} $$
where Eq. (21) follows from the definition, Eq. (22) holds because $\phi$ is an additive homomorphism, Eq. (23) is from the triangle inequality, and Eq. (24) is from Lemma 7 together with the bound $\|y_{j,j'}\|_1 \le cn$ and the fact that $S(\mathsf{ID}_i)$ has at most $\kappa$ elements.

This completes the proof of Lemma 11.


Lemma 12. For any PPT adversary $\mathcal{A}$, there exists another PPT adversary $\mathcal{B}$ such that
$$ \big| \Pr[X_5] - \Pr[X_6] \big| \ \le\ \mathsf{Adv}^{\mathsf{RLWE}_{n,k+1,q,D^{\mathrm{coeff}}_{\mathbb{Z}^n,\alpha q}}}_{\mathcal{B}} . $$
In particular, we have $|\Pr[X_5] - \Pr[X_6]| = \mathrm{negl}(n)$ under the $\mathsf{RLWE}_{n,k+1,q,D^{\mathrm{coeff}}_{\mathbb{Z}^n,\alpha q}}$ assumption.

We omit the proof here. It is a standard proof, where we convert an adversary distinguishing $\mathsf{Game}_5$ from $\mathsf{Game}_6$ into another adversary against the RLWE assumption. This is accomplished by noticing that neither the trapdoor information for $a$ nor the (secret) randomness used to create the ciphertext is required to simulate the challengers in $\mathsf{Game}_5$ and $\mathsf{Game}_6$.


5 Construction from Bilinear Maps

In the following, we present our IBE scheme from bilinear maps. Here, for simplicity, we present the scheme with only a single-bit message space. A variant of our scheme that can deal with a longer message space will appear in the full version. Let the identity space of the scheme be $\mathcal{ID} = \{0,1\}^{\kappa}$ for some $\kappa \in \mathbb{N}$. For our construction, we consider an efficiently computable injective map $S$ that maps an identity $\mathsf{ID} \in \{0,1\}^{\kappa}$ to a subset $S(\mathsf{ID})$ of $[1, \ell] \times [1, \ell]$, where $\ell = \lceil \sqrt{\kappa} \rceil$. We would typically set $\kappa = O(\lambda)$, and thus $\ell = O(\sqrt{\lambda})$ in such a case. We also use $\mathsf{GL}(K, \mathsf{rand})$ to denote the Goldreich-Levin hardcore bit [GL89] of $K$ using randomness $\mathsf{rand}$. Recall that $\mathsf{GL}(K, \mathsf{rand})$ is the bitwise inner product between $K$ and $\mathsf{rand}$.

Setup($1^{\lambda}$): On input $1^{\lambda}$, it chooses an asymmetric bilinear group $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ with an efficiently computable map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ of prime order $p = p(\lambda)$. Let $g$ and $h$ be generators of $\mathbb{G}_1$ and $\mathbb{G}_2$, respectively. It then picks $w_0, w_{1,1}, \ldots, w_{1,\ell}, w_{2,1}, \ldots, w_{2,\ell}, \alpha, \beta \leftarrow \mathbb{Z}_p$ and $\mathsf{rand} \leftarrow \{0,1\}^{|\mathbb{G}_T|}$. It finally outputs
$$ \mathsf{mpk} = \Big( g,\ W_0 = g^{w_0},\ \{W_{1,i} = g^{w_{1,i}}\}_{i=1}^{\ell},\ \{W_{2,i} = g^{w_{2,i}}\}_{i=1}^{\ell},\ g^{\alpha},\ h^{\beta},\ \mathsf{rand} \Big) \quad\text{and}\quad \mathsf{msk} = \big( h, \alpha, \beta, w_0, w_{1,1}, \ldots, w_{1,\ell}, w_{2,1}, \ldots, w_{2,\ell} \big). $$
In the following, we use a deterministic function $H : \mathcal{ID} \to \mathbb{Z}_p$ that is defined as follows:
$$ H(\mathsf{ID}) = w_0 + \sum_{(i,j) \in S(\mathsf{ID})} w_{1,i}\, w_{2,j} \ \in \mathbb{Z}_p . $$

KeyGen(mpk, msk, ID): It first computes $H(\mathsf{ID})$ using $\mathsf{msk}$ and picks $r \leftarrow \mathbb{Z}_p$. It then returns
$$ \mathsf{sk}_{\mathsf{ID}} = \Big( A_1 = h^{\alpha\beta + r \cdot H(\mathsf{ID})},\ A_2 = h^{-r},\ \{B_j = h^{r\, w_{2,j}}\}_{j=1}^{\ell} \Big). $$

Encrypt(mpk, ID, M): To encrypt a message $M \in \{0,1\}$, it picks $s, t_1, \ldots, t_\ell \leftarrow \mathbb{Z}_p$ and computes
$$ C_0 = M \oplus \mathsf{GL}\big( e(g^{\alpha}, h^{\beta})^{s}, \mathsf{rand} \big), \qquad C_1 = g^{s}, \qquad C_2 = W_0^{s} \cdot \prod_{j \in [\ell]} W_{2,j}^{t_j}, $$
$$ D_j = g^{t_j} \cdot \Big( \prod_{i \in \{ i \in [1,\ell] \mid (i,j) \in S(\mathsf{ID}) \}} W_{1,i} \Big)^{-s} \qquad \text{for } j \in [\ell]. $$
Finally, it returns the ciphertext $C = (C_0, C_1, C_2, \{D_j\}_{j=1}^{\ell})$.

Decrypt(mpk, sk_ID, C): To decrypt a ciphertext $C = (C_0, C_1, C_2, \{D_j\}_{j=1}^{\ell})$ using a private key $\mathsf{sk}_{\mathsf{ID}} = (A_1, A_2, \{B_j\}_{j=1}^{\ell})$, it first computes
$$ e(C_1, A_1) \cdot e(C_2, A_2) \cdot \prod_{j \in [\ell]} e(D_j, B_j) = e(g, h)^{s\alpha\beta} . $$
Then it retrieves the message by $C_0 \oplus \mathsf{GL}\big( e(g,h)^{s\alpha\beta}, \mathsf{rand} \big)$.

The correctness of the scheme follows by a simple calculation in the exponent of $e(g,h)$:
$$ s\big(\alpha\beta + r H(\mathsf{ID})\big) - r\Big( s w_0 + \sum_{j \in [\ell]} t_j w_{2,j} \Big) + \sum_{j \in [\ell]} r\, w_{2,j} \Big( t_j - s \sum_{i : (i,j) \in S(\mathsf{ID})} w_{1,i} \Big) = s\alpha\beta , $$
since the $t_j$ terms cancel and $\sum_{j} w_{2,j} \sum_{i : (i,j) \in S(\mathsf{ID})} w_{1,i} = \sum_{(i,j) \in S(\mathsf{ID})} w_{1,i} w_{2,j} = H(\mathsf{ID}) - w_0$.

Definition 2 (3-Computational Bilinear Diffie-Hellman Exponent (3-CBDHE) Assumption). We say that 3-CBDHE holds on $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ if
$$ \Pr\Big[ \mathcal{A}\big( g,\ g^{s},\ g^{a},\ g^{a^{2}},\ h,\ h^{a},\ h^{a^{2}} \big) \to e(g,h)^{s a^{3}} \Big] $$
is negligible for any PPT adversary $\mathcal{A}$, where $g \leftarrow \mathbb{G}_1$, $h \leftarrow \mathbb{G}_2$ and $s, a \leftarrow \mathbb{Z}_p$.

The following theorem addresses the security of the scheme. 

Theorem 3. The above IBE scheme is adaptively secure assuming the 3-CBDHE assumption.
6 Comparisons and Discussions

In this section, we compare our IBE schemes obtained in Sects. 4 and 5 with previous schemes. Throughout this section, $|\mathsf{mpk}|$, $|C|$, and $|\mathsf{sk}_{\mathsf{ID}}|$ denote the sizes of the master public keys, ciphertexts, and private keys, respectively. We denote by $\kappa$ the length of the identity, which corresponds to the output length of the collision resistant hash if we choose to hash the bit string representing an identity.

Ideal Lattice Based IBE. In Sect. 4, we proposed a new ideal lattice based IBE scheme. By changing the base $b$ of the $g_b$-trapdoor, we obtain two types of instantiation offering tradeoffs. Namely, by setting $b = 2$ we obtain the Type 1 IBE scheme presented in the full version, and by setting $b = n^{1/4}$ we obtain the Type 2 IBE scheme presented in Sect. 4.1. The Type 2 IBE allows for more compact parameter sizes compared to the Type 1 IBE, whereas the Type 1 IBE allows for a more efficient sampling procedure due to the smaller Gaussian width. Note that the technique of changing the base $b$ is applicable to other existing IBE schemes as well, offering a tradeoff similar to the one presented above. Both of our schemes achieve the best efficiency among existing adaptively secure IBE schemes assuming the fixed polynomial approximation of the RLWE problem. This is illustrated in Table 1. We point out that the largest improvement over Yamada's IBE is that we greatly weakened the underlying hardness assumption while improving the overall efficiency of the scheme.

Bilinear Map Based IBE. Here, we compare our scheme in Sect. 5 with other adaptively secure IBE schemes based on the hardness of computational/search


Table 1. Comparison of lattice-based IBEs in the standard model.

  Schemes                  |mpk|                  |C|, |sk_ID|       1/α for LWE assumption   Anonymous?
  [CHKP10]                 O(nκ log² n)           O(nκ log² n)       Fixed poly(n)            Yes
  [ABB10]+[Boy10]*         O(nκ log² n)           O(n log² n)        Fixed poly(n)            Yes
  [Yam16]: Scheme 1        log⁴ n)                O(n log⁴ n)        n^{ω(1)}                 Yes
  [Yam16]: Scheme 2        O(nκ^{1/d} log⁴ n)     O(n log⁴ n)        All poly(n)              No
  Ours: Sect. 4, Type 1    O(nκ^{1/d} log² n)     O(n log² n)        Fixed poly(n)            Yes
  Ours: Sect. 4, Type 2    O(nκ^{1/d} log n)      O(n log n)         Fixed poly(n)            Yes

All parameters presented in the table are obtained by instantiating the schemes in the ring setting. $d \in \mathbb{N}$ is a flexible constant, which can be set to any value. "1/α" for the LWE assumption refers to the underlying LWE assumption used in the security reduction. "Fixed poly(n)" means that the corresponding scheme is proven secure under the LWE assumption with $1/\alpha$ being some fixed polynomial (e.g., $n^3$). "All poly(n)" means that we have to assume the LWE assumption for all polynomials. * In the security proof for the adaptively secure variant of IBE in [ABB10], there is a restriction that $q > Q$; namely, only a bounded form of security is proven. This restriction is removed in the refined analysis due to Boyen [Boy10].
Table 2. Comparison of IBE from bilinear maps in the standard model.

  Schemes                    |mpk|                          |C|, |sk_ID|   Assumption
  [Wat05] + hardcore bit     O(κ)                           2              CBDH
  [Nac07] + hardcore bit     O(κ/log(λ)) = O(κ/log(κ))      2              CBDH
  Ours: Sect. 5              O(√κ)                          O(√κ)          3-CBDHE

problems on bilinear maps in the standard model. To base the security of IBE schemes on such problems, we have to mask the message using the Goldreich-Levin hardcore bit [GL89]. To the best of our knowledge, there are only two IBE schemes to which we can apply this modification: the Waters IBE [Wat05] and the Naccache IBE [Nac07]. As shown in Table 2, our scheme achieves an asymptotically shorter master public key than these schemes. We note that to compare the efficiency, we count the number of group elements. However, our method comes at the cost of increasing the ciphertext and private key sizes, and we further have to rely on a stronger assumption than theirs.
Abstract. A random oracle is an idealization that allows us to model
a hash function as an oracle that will output a uniformly random string 
given any input. We introduce the notion of a universal sampler scheme 
that extends the notion of a random oracle, to a method of sampling 
securely from arbitrary distributions. 

We describe several applications that provide a natural motivation for 
this notion; these include generating the trusted parameters for many 
schemes from just a single trusted setup. We further demonstrate the 
versatility of universal samplers by showing how they give rise to simple 
constructions of identity-based encryption and multiparty key exchange. 
In particular, we construct adaptively secure non-interactive multiparty 
key exchange in the random oracle model based on indistinguishability 
obfuscation, obtaining the first known construction of adaptively secure
NIKE without complexity leveraging.

We give a solution that shows how to transform any random oracle 
into a universal sampler scheme, based on indistinguishability obfuscation.
At the heart of our construction and proof is a new technique we
call “delayed backdoor programming” that we believe will have other 
applications. 

1 Introduction 

Many cryptographic systems rely on the trusted generation of common parameters
to be used by participants. There may be several reasons for using such
parameters. For example, many cutting edge cryptographic protocols rely on the 
generation of a common reference string. 1 Constructions for other primitives such 
as aggregate signatures [10] or batch verifiable signatures [15] require all users 
to choose their public keys using the same algebraic group structure. Finally, 
common parameters are sometimes used for convenience and efficiency — such as 
when generating an EC-DSA public signing key, one can choose the elliptic curve 
parameters from a standard set and avoid the cost of completely fresh selection. 

In most of these systems it is extremely important to make sure that the 
parameters were indeed generated in a trustworthy manner, and failure to do so 
often results in total loss of security. In cryptographic protocols that explicitly 
create a common reference string it is obvious how and why a corrupt setup 
results in loss of security. In other cases, security breaks are more subtle. The 
issue of trust is exemplified by the recent concern over NSA interference in
choosing public parameters for cryptographic schemes [2,27,30]. 

Given these threats it is important to establish a trusted setup process that 
engenders the confidence of all users, even though users will often have competing 
interests and different trust assumptions. Realizing such trust is challenging 
and requires a significant amount of investment. For example, we might try to 
find a single trusted authority to execute the process. Alternatively, we might 
try to gather different parties that represent different interests and have them 
jointly execute a trusted setup algorithm using secure multiparty computation. 
For instance, one could imagine gathering disparate parties ranging from the 
Electronic Frontier Foundation, to large corporations, to national governments. 

Pulling together such a trusted process requires a considerable investment. 
While we typically measure the costs of cryptographic processes in terms of computational
and communication costs, the organizational overhead of executing


1 Several cryptographic primitives (e.g. NIZKs) are realizable using only a common
random string and thus only need access to a trusted random source for setup.
However, many cutting edge constructions need to use a common reference string that
is set up by some private computation. For example, the NIZKs in Sahai-Waters [32]
and the recent two-round MPC protocol of Garg et al. [19] use a trusted setup
phase that generates public parameters drawn from a nontrivial distribution, where
the randomness underlying the specific parameter choice needs to be kept secret.
a trusted setup may often be the most significant barrier to adoption of a new
cryptographic system. Given the large number of current and future cryptosystems,
it is difficult to imagine that a carefully executed trusted setup can be
managed for each one of these. We address this problem by asking an ambitious
question:
question: 


Can a single trusted setup output a set of trusted parameters , 
which can (securely) serve all cryptographic protocols? 

In this work, we address this question by introducing a new primitive that we 
call Universal Samplers, and we show how to achieve a strong adaptive notion of 
security for universal samplers in the random oracle model, using indistinguishability
obfuscation (iO). To obtain our result, we introduce a new construction
and proof technique called delayed backdoor programming. There are only a small 
handful of known high-level techniques for leveraging iO, and we believe delayed 
backdoor programming will have other applications in the future. 

Universal Sampler Schemes. We want a cryptographic primitive that allows us to 
(freshly) sample from an arbitrary distribution, without revealing the underlying 
randomness used to generate that sample. We call such a primitive a universal 
sampler scheme. In such a system there will exist a function, Sample, which 
takes as input a polynomial-size circuit description, d, and outputs a sample
p = d(x) for a randomly chosen x. Intuitively, p should “look like” it was freshly
sampled from the distribution induced by the function d. That is from an attack 
algorithm’s perspective it should look like a call to the Sample algorithm induces 
a fresh sample by first selecting a random string x and then outputting d(x), 
but keeping x hidden. (We will return to a formal definition shortly.) 

Perhaps the most natural comparison of our notion is to the random oracle 
model put forth in the seminal work of Bellare and Rogaway [5] . In the random 
oracle model, a function H is modeled as an oracle that when called on a certain 
input will output a fresh sample of a random string x. The random oracle model 
has had a tremendous impact on the development of cryptography and several 
powerful techniques such as “programming” and “rewinding” have been used to 
leverage its power. However, functions modeled as random oracles are inherently 
limited to sampling random strings. Our work explores the power of a primitive 
that is “smarter” and can do this for any distribution. 2 Indeed, our main result 
is a transformation: we show how to transform any ordinary random oracle into 
a universal sampler scheme, by making use of indistinguishability obfuscation 

2 We note that random oracles are often used as a tool to help sample from various 
distributions. For example, we might use them to select a prime. In RSA full domain 
hash signatures [6], they are used to select a group element in $\mathbb{Z}_N^{*}$. This sampling
occurs as a two step process. First, the function H is used to sample a fresh string x 
which is completely visible to the attacker. Then there is some post processing phase 
such as taking x (mod N) to sample an integer mod N. In the literature this is often 
described as one function for the sake of brevity. However, the distinction between 
sampling with a universal sampler scheme and applying post processing to a random 
oracle output is very important. 
applied to a function that interacts with the outputs of a random oracle; our
construction does not obfuscate a random oracle itself, which would be problematic
to model in a theoretically reasonable way.


On Random Oracles, Universal Samplers and Instantiation. We view 
universal samplers as the next generation of the random oracle model. Universal 
samplers are an intuitive yet powerful tool: they capture the idea of a trusted 
box in the sky that can sample from arbitrary user-specified distributions, and 
provide consistent samples to every user - including providing multiple samples 
from the same user-specified distribution. Such a trusted box is at least as strong 
as a random oracle, which is a box in the sky that samples from just the uniform 
distribution. Our notion formalizes a conversion process in the other direction, 
from a random oracle to a universal sampler that can sample from arbitrary 
(possibly adaptively chosen) distributions. 

An important issue is how to view universal samplers, given that our strongest 
security model requires a random oracle for realization. We again turn to the 
history of the random oracle model for perspective. The random oracle model 
itself is a well-defined and rigorous model of computation. While it is obvious that 
a hash function cannot actually be a random oracle, a cryptographic primitive 
that utilizes a hash function in place of the random oracle, and is analyzed in 
the random oracle model, might actually lead to a secure realization of that 
primitive. While it is possible to construct counterexamples [16], there are no 
natural cryptographic schemes designed in the random oracle model that are 
known to break when utilizing a cryptographic hash function in place of a random 
oracle. 

In fact, the random oracle model has historically served two roles: (1) for 
efficiency, and (2) for initial feasibility results. We focus exclusively on the latter 
role. Our paper shows that for achieving feasibility results, by assuming iO, 
one can bootstrap the random oracle model to the Universal Sampler Model. 
And just as random oracle constructions led to standard model constructions in 
the past, most notably for Identity-Based Encryption, we expect the Universal 
Sampler Model to be a gateway to new standard model constructions. Indeed, 
the random-oracle IBE scheme of Boneh-Franklin [9] led to the standard model 
IBE schemes of Canetti-Halevi-Katz [17], Boneh-Boyen [8], and beyond. It is 
uncontroverted that these latter constructions owe a lot to Boneh-Franklin [9], 
even though completely new ideas were needed to remove the random oracle. 

Similarly, we anticipate that future standard model constructions will share intuition from universal sampler constructions, but new ideas will be needed as well. Indeed, since the initial publication of our work, this has already happened: for the notion of universal signature aggregators [25], an initial solution was obtained using our universal samplers, and then a standard model notion was obtained using additional ideas, but building upon the intuition conceived in the Universal Sampler Model. We anticipate many other similar applications to arise from our work. Indeed, identifying specific distributions that do not require the full power of iO may allow one to avoid both the random oracle model and iO. But our work would provide the substrate for this exploration.

We stress that unlike the random oracle model, where heuristic constructions of cryptographic hash functions preceded the random oracle model, before our work there were not even heuristic constructions of universal samplers. Our work goes further, and gives a candidate whose security can be rigorously analyzed in the random oracle model. Moreover, just as iO and UCEs (universal computational extractors) [4] have posited achievable standard-model notions related to ideal models like VBB and random oracles, we anticipate that future work will do so for universal samplers. Our work lays the foundation for this; indeed our bounded-secure notion of universal samplers is already a realizable notion in the standard model, that can be a starting point for such work.

Our work and subsequent work give examples of the power of the universal sampler model. For example, prior to our work obtaining even weak notions of adaptivity for NIKE required extremely cumbersome schemes and proofs, whereas universal samplers give an extremely simple and intuitive solution, detailed in the full version of our paper. Thus, we argue that having universal samplers in the toolkit facilitates the development of new primitives by allowing for very intuitive constructions (as evidenced in subsequent works [7,21,24,25]).

Last, but not least, in settings where only a bounded number of secure samples are required (including a subsequent work [28]), universal samplers are a useful tool for obtaining standard model solutions.


1.1 Our Technical Approach 

We now describe our approach. We begin with a high level overview of the definition we wish to satisfy; details of the definition are in Sect. 3. In our system there is a universal sampler parameter generation algorithm, Setup, which is invoked with security parameter $1^\lambda$ and randomness $r$. The output of this algorithm is the universal sampler parameters $U$. In addition, there is a second algorithm Sample which takes as input the parameters $U$ and the (circuit) description of a setup algorithm, $d$, and outputs the induced parameters $p_d$.

We model security as an ideal/real game. In the real game an attacker will receive the parameters $U$ produced from the universal parameter generation algorithm. Next, it will query an oracle on multiple setup algorithm descriptions $d_1, \ldots, d_q$ and iteratively get back $p_i = \mathsf{Sample}(U, d_i)$ for $i = 1, 2, \ldots, q$.

In the ideal world, the attacker will first get the universal sampler parameters $U$, as before. Now, when the adversary queries on $d_i$, a unique truly random string $r_i$ is chosen for each distinct $d_i$, and the adversary gets back $p_i = d_i(r_i)$, as if obtaining a freshly random sample from $d_i$.

A scheme is secure if no poly-time attacker can distinguish between the real and ideal game with non-negligible advantage after observing their transcripts. Since $p_i$ is a deterministic function of $d_i$, this strong definition is only achievable in the random oracle model. This strongest definition is formalized in Sect. 3.2.

To make progress toward our eventual solution we begin with a relaxed security notion, which is in fact realizable in the standard model, without random oracles. We relax the definition in two ways: (1) we consider a setting where the attacker makes only a single query to the oracle and (2) he commits to the query statically (a.k.a. selectively) before seeing the sampler parameters $U$. While this security notion is too weak for our long term goals, developing a solution will serve as a step towards our final solution and provide insights.

In the selective setting, in the ideal world, it will be possible to program $U$ to contain the output corresponding to the attacker's query. Given this insight, it is straightforward to obtain the selective and bounded notion of security by using indistinguishability obfuscation and applying punctured programming [32] techniques. In our construction we consider setup programs to all come from a polynomial circuit family of size $\ell(\lambda)$, where each setup circuit $d$ takes as input $m(\lambda)$ bits and outputs parameters of $k(\lambda)$ bits. The polynomials $\ell, m, k$ are fixed for a class of systems; we often will drop the dependence on $\lambda$ when it is clear from context.

The Setup algorithm will first choose a puncturable pseudorandom function (PRF) key $K$ for function $F$, where $F(K, \cdot)$ takes as input a circuit description $d$ and outputs coins in $\{0,1\}^m$. The universal sampler parameters are created as an obfuscation of a program that on input $d$ computes and outputs $d(F(K, d))$. To prove security we perform a hybrid argument between the real and ideal games in the 1-bounded and selective model. First, we puncture out $d^*$, the single program that the attacker queried on, from $K$ to get the punctured key $K(d^*)$. We change the parameters to be an obfuscation of the program which uses $K(d^*)$ to compute the program for any $d \neq d^*$. And for $d = d^*$ we simply hardwire in the output $z$ where $z = d^*(F(K, d^*))$. This computation is functionally equivalent to the original program — thus indistinguishability of this step from the previous follows from indistinguishability obfuscation. In the next step, we change the hardwired value to $d^*(r)$ for freshly chosen randomness $r \in \{0,1\}^m$. This completes the transition to the ideal game.

Achieving Adaptive Security. We now turn our attention to achieving our original goal of universal sampler generation for adaptive security. While selective security might be sufficient in some limited situations, the adaptive security notion covers many plausible real world attacks. For instance, suppose a group of people perform a security analysis and agree to use a certain cryptographic protocol and its corresponding setup algorithm. However, for any one algorithm there will be a huge number of functionally equivalent implementations. In a real life setting an attacker could choose one of these implementations based on the universal sampler parameters and might convince the group to use this one. A selectively secure system is not necessarily secure against such an attack, while this is captured by the adaptive model.

Obtaining a solution in the adaptive unbounded setting will be significantly more difficult. Recall that we consider a setting where a random oracle may be augmented by a program to obtain a universal sampler scheme for arbitrary distributions^3. Indeed, for uniformly distributed samples, our universal sampler scheme will imply a programmable random oracle.

A tempting idea is to simply replace the puncturable PRF call from our last construction with a call to a hash function modeled as a programmable random oracle. This solution is problematic: what does it mean to obfuscate an oracle-aided circuit? It is not clear how to model this notion without yielding an impossibility result even within the random oracle model, since the most natural formulation of indistinguishability obfuscation for random-oracle-aided circuits would yield VBB obfuscation, a notion that is known to be impossible to achieve [3]. In particular, Goldwasser and Rothblum [23] also showed a family of random-oracle-aided circuits that are provably impossible to indistinguishably obfuscate. However, these impossibilities only show up when we try to obfuscate circuits that make random oracle calls. Therefore we need to obtain a solution where random oracle calls are only possible outside of obfuscated programs. This complicates matters considerably, since the obfuscated program then has no way of knowing whether a setup program $d$ is connected to a particular hash output.

A new proof technique: delayed backdoor programming. To solve this problem we 
develop a novel way of allowing what we call “delayed backdoor programming” 
using a random oracle. In our construction, users will be provided with universal 
sampler parameters which consist of an obfuscated program U (produced from 
Setup) as well as a hash function H modeled as a random oracle. Users will 
use these overall parameters to determine the induced samples. We will use the 
notion of “hidden triggers” [32] that loosely corresponds to information hidden 
in an otherwise pseudorandom string, that can only be recovered using a secret 
key. 

Let's begin by seeing how Setup creates a program, $P$, that will be obfuscated to create $U$. The program takes an input $w$ (looking ahead, this input $w$ will be obtained by a user as a result of invoking the random oracle on his input distribution $d$). The program consists of two main stages. In the first stage, the program checks to see if $w$ encodes a "hidden trigger" using secret key information. If it does, this step will output the "hidden trigger" $x \in \{0,1\}^n$, and the program $P$ will simply output $x$. However, for a uniformly randomly chosen string $w$, this step will fail to decode with very high probability, since trigger values are encoded sparsely. Moreover, without the secret information it will be difficult to distinguish an input $w$ containing a hidden trigger value from a uniformly sampled string.

If decoding is unsuccessful, $P$ will move into its second stage. It will compute randomness $r = F(K, w)$ for a puncturable PRF $F$. Now instead of directly computing the induced samples using $r$, we add a level of indirection. The program will run the Setup algorithm for a 1-bounded universal parameter generation scheme using randomness $r$ — in particular the program $P$ could call the 1-bounded selective scheme we just illustrated above^4. The program $P$ then outputs the 1-bounded universal sampler parameters $U_w$.

^3 Note that once the universal sampler parameters of a fixed polynomial size are given out, it is not possible for a standard model proof to make an unbounded number of parameters consistent with the already-fixed universal sampler parameters.

In order to generate an induced sample by executing $\mathsf{Sample}(U, d)$ on an input distribution $d$, the algorithm first calls the random oracle to obtain $H(d) = w$. Next, it runs the program $U$ to obtain output program $U_w = U(w)$. Finally, it obtains the induced parameters by computing $p_d = U_w(d)$. The extra level of indirection is critical to our proof of security.

We now give an overview of the proof of security. At the highest level the goal of our proof is to construct a sequence of hybrids where parameter generation is "moved" from being directly computed by the second stage of $U$ (as in the real game) to where the parameters for setup algorithm $d$ are being programmed in by the first stage hidden trigger mechanism via the input $w = H(d)$. Any poly-time algorithm $A$ will make at most a polynomial number $Q = Q(\lambda)$ of (unique) queries $d_1, \ldots, d_Q$ to the random oracle with RO outputs $w_1, \ldots, w_Q$. We perform a hybrid of $Q$ outer steps where at outer step $i$ we move from using $U_{w_i}$ to compute the induced parameters for $d_i$ to having the induced parameters for $d_i$ encoded in $w_i$ itself.

Let's zoom in on the $i$-th transition for input distribution $d_i$. The first hybrid step uses punctured programming techniques to replace the normal computation of the 1-time universal sampler parameters $U_{w_i}$ inside the program, with a hardwired and randomly sampled value $U_{w_i} = U'$. These techniques require making changes to the universal sampler parameters $U$. Since $U$ is published before the adversary queries the random oracle on distribution $d_i$, note that we cannot "program" $U$ to specialize to $d_i$.

The next step^5 involves a "hand-off" operation where we move the source of the one time parameters $U'$ to the trigger that will be hidden inside the random oracle output $w_i$, instead of using the hardwired value $U'$ inside the program. This step is critical to allowing an unbounded number of samples to be programmed into the universal sampler scheme via the random oracle. Essentially, we first choose $U'$ independently and then set $w_i$ to be a hidden trigger encoding of $U'$. At this point, on calling $U(w_i)$ the program will get $U_{w_i} = U'$ from the Stage 1 hidden trigger detection and never proceed to Stage 2. Since the second stage is no longer used, we can use iO security to return to the situation where $U'$ is no longer hardwired into the program — thus freeing up the a-priori-bounded "hardwiring resources" for future outer hybrid steps.

Interestingly, all proof steps to this point were independent of the actual program $d_i$. We observe that this fact is essential to our proof since the reduction was able to choose and program the one-time parameters $U'$ ahead of time into $U$ which had to be published well before $d_i$ was known. However, now $U_{w_i} = U'$ comes programmed in to the random oracle output $w_i$ obtained as a result of the call to $H(d_i)$. At this point, the program $U'$ needs to be constructed only after the oracle call $H(d_i)$ has been made and thus $d_i$ is known to the challenger. We can now use our techniques from the selective setting to force $U'(d_i)$ to output the ideally generated parameters $d_i(r)$ for distribution $d_i$.

^4 In our construction of Sect. 5 we directly use our 1-bounded scheme inside the construction. However, we believe our construction can be adapted to work for any one bounded scheme.

^5 This is actually performed by a sequence of smaller steps in our proof. We simplify to bigger steps in this overview.

We believe our “delayed backdoor programming” technique may be useful 
in other situations where an unbounded number of backdoors are needed in a 
program of fixed size. 


1.2 Applications of Universal Samplers 

Universal setup. Our notion of arbitrary sampling allows for many applications. For starters let's return to the problem of providing a master setup for all cryptographic protocols. Using a universal sampler scheme this is quite simple. One will simply publish the universal sampler $U \leftarrow \mathsf{Setup}(1^\lambda)$, for security parameter $\lambda$. Then if subsequently a new scheme is developed that has a trusted setup algorithm $d$, everyone can agree to use $p = \mathsf{Sample}(U, d)$ as the scheme's parameters.

We can also use universal sampler schemes as a technical tool to build applications as varied as identity-based encryption (IBE), non-interactive key exchange (NIKE), and broadcast encryption (BE) schemes. We note that our goal is not to claim that our applications below are the "best" realizations of such primitives, but more to demonstrate the different and perhaps surprising ways a universal sampler scheme can be leveraged.

From the public-key to the identity-based setting. As a warmup, we show how to transport cryptographic schemes from the public-key to the identity-based setting using universal samplers. For instance, consider a public-key encryption (PKE) scheme $\mathsf{PKE} = (\mathsf{PKGen}, \mathsf{PKEnc}, \mathsf{PKDec})$. Intuitively, to obtain an IBE scheme IBE from PKE, we use one PKE instance for each identity $id$ of IBE.

A first attempt to do so would be to publish a description of $U$ as the master public key of IBE, and then to define a public key $pk_{id}$ for identity $id$ as $pk_{id} = \mathsf{Sample}(U, d_{id})$, where $d_{id}$ is the algorithm that first generates a PKE key pair $(pk, sk) \leftarrow \mathsf{PKGen}(1^\lambda)$ and then outputs $pk$. (Furthermore, to distinguish the keys for different identities, $d_{id}$ contains $id$ as a fixed constant that is built into its code, but not used.) This essentially establishes a "virtual" public-key infrastructure in the identity-based setting.

Encryption to an identity $id$ can then be performed using PKEnc under public key $pk_{id}$. However, at this point, it is not clear how to derive individual secret keys $sk_{id}$ that would allow one to decrypt these ciphertexts. (In fact, this first scheme does not appear to have any master secret key to begin with.)

Hence, as a second attempt, we add a "master PKE public key" $pk'$ from a chosen-ciphertext secure PKE scheme to IBE's master public key. Furthermore, we set $(pk_{id}, c'_{id}) = \mathsf{Sample}(U, d_{id})$ for the algorithm $d_{id}$ that first samples $(pk, sk) \leftarrow \mathsf{PKGen}(1^\lambda)$, then encrypts $sk$ under $pk'$ via $c' \leftarrow \mathsf{PKEnc}'(pk', sk)$, and finally outputs $(pk, c')$. This way, we can use $sk'$ as a "master secret key" to extract $sk$ from $c'_{id}$ - and thus extract individual user secret keys.
We show that this construction yields a selectively-secure IBE scheme once the used universal sampler scheme is selectively secure and the underlying PKE schemes are secure. Intuitively, during the analysis, we substitute the user public key $pk_{id^*}$ for the challenge identity $id^*$ with a freshly generated PKE public key, and we substitute the corresponding $c'_{id^*}$ with a random ciphertext. This allows us to embed an externally given PKE public key $pk^*$, and thus to use PKE's security.

Non-interactive key exchange and broadcast encryption. We provide a very simple construction of a multiparty non-interactive key exchange (NIKE) scheme. In an $n$-user NIKE scheme, a group of $n$ parties wishes to agree on a shared random key $k$ without any communication. User $i$ derives $k$ from its own secret key and the public keys of the other parties. (Since we are in the public-key setting, each party chooses its key pair and publishes its public key.) Security demands that $k$ look random to any party not in the group.

We construct a NIKE scheme from a universal sampler scheme and a PKE scheme $\mathsf{PKE} = (\mathsf{PKGen}, \mathsf{PKEnc}, \mathsf{PKDec})$ as follows: the public parameters are the universal sampler parameters $U$. Each party chooses a keypair $(pk, sk) \leftarrow \mathsf{PKGen}(1^\lambda)$. A shared key $k$ among $n$ parties with public keys from the set $S = \{pk_1, \ldots, pk_n\}$ is derived as follows. First, each party computes $(c_1, \ldots, c_n) = \mathsf{Sample}(U, d_S)$, where $d_S$ is the algorithm that chooses a random key $k$, and then encrypts it under each $pk_i$ to $c_i$ (i.e., using $c_i \leftarrow \mathsf{PKEnc}(pk_i, k)$). Furthermore, $d_S$ contains a description of the set $S$, e.g., as a comment. (This ensures that different sets $S$ imply different algorithms $d_S$ and thus different independently random Sample outputs.) Obviously, the party with secret key $sk_i$ can derive $k$ from $c_i$. On the other hand, we show that $k$ remains hidden to any outsiders, even in an adaptive setting, assuming the universal sampler scheme is adaptively secure, and the encryption scheme is (IND-CPA) secure.

We also give a variant of the protocol that has no setup at all. Roughly, we follow Boneh and Zhandry [12] and designate one user as the "master party" who generates and publishes the universal sampler parameters along with her public key. Unfortunately, as in [12], the basic conversion is totally broken in the adaptive setting. However, we make a small change to our protocol so that the resulting no-setup scheme does have adaptive security. This is in contrast to [12], which required substantial changes to the scheme, achieved only a weaker semi-static security, and only obtained security through complexity leveraging.

Not only is our scheme the first adaptively secure multiparty NIKE without any setup, but it is the first to achieve adaptive security even among schemes with trusted setup, and it is the first to achieve any security beyond static security without relying on complexity leveraging. Subsequent to our work, Rao [31] gave an adaptive multi-party non-interactive key exchange protocol under adaptive assumptions on multilinear maps. One trade-off is that our scheme is only proved secure in the random oracle model, whereas [12,31] are proved secure in the standard model. Nevertheless, we note that adaptively secure NIKE with polynomial loss to underlying assumptions is not known to be achievable outside of the random oracle model unless one makes very strong adaptive (non-falsifiable) assumptions [31].
Finally, using an existing transformation of Boneh and Zhandry [12], we obtain a new adaptive distributed broadcast encryption from our NIKE scheme.


1.3 Subsequent Work Leveraging Universal Sampler Schemes 

After the initial posting of our paper, a few other papers have applied universal 
sampler schemes. Hohenberger, Koppula and Waters [25] used universal samplers 
to achieve adaptive security without complexity leveraging for a new notion 
they called universal signature aggregators. Hofheinz, Kamath, Koppula and 
Waters [24] showed how to build adaptively secure constrained PRFs [11,14,26], 
for any circuits, using universal parameters as a key ingredient. All previous 
constructions were only selectively secure, or required complexity leveraging. 

Our adaptively secure universal sampler scheme in the random oracle model also turns out to be a key building block in the construction of proof of human-work puzzles of Blocki and Zhou [7]. Again, the abstraction of universal samplers proved useful for constructing NIKE schemes based on polynomially-hard functional encryption [21].

Another paper that appeared subsequent to ours [18] introduced the notion of explainability compilers and used them to obtain adaptively secure, universally composable MPC in constant rounds based on indistinguishability obfuscation and one-way functions. We note that explainability compilers are related to our notion of selectively secure universal samplers.


1.4 Organization of the Paper 

We give an overview of indistinguishability obfuscation and puncturable PRFs, the main technical tools required for our constructions, in Sect. 2. In Sect. 3, we define our notion of universal sampler schemes. We give a realization and proof of security for a 1-bounded selectively secure scheme in Sect. 4. In Sect. 5, we give the construction and security overview for our main notion of an unbounded adaptively secure scheme. The full proof of security of the adaptive unbounded universal sampler scheme is in the full version. Applications of Universal Samplers to IBE and NIKE are also detailed in the full version.

2 Preliminaries 

2.1 Indistinguishability Obfuscation and PRFs 

In this section, we define indistinguishability obfuscation, and variants of pseudorandom functions (PRFs) that we will make use of. All variants of PRFs that we consider can be constructed from one-way functions.
Indistinguishability Obfuscation. The definition below is adapted from [20]:

Definition 1 (Indistinguishability Obfuscator (iO)). A uniform PPT machine $iO$ is called an indistinguishability obfuscator for circuits if the following conditions are satisfied:

- For all security parameters $\lambda \in \mathbb{N}$, for all circuits $C$, for all inputs $x$, we have that

$$\Pr[C'(x) = C(x) : C' \leftarrow iO(\lambda, C)] = 1$$

- For any (not necessarily uniform) PPT adversaries $\mathsf{Samp}$, $D$, there exists a negligible function $\alpha$ such that the following holds: if $\Pr[\,|C_0| = |C_1| \text{ and } \forall x,\, C_0(x) = C_1(x) : (C_0, C_1, \sigma) \leftarrow \mathsf{Samp}(1^\lambda)\,] > 1 - \alpha(\lambda)$, then we have:

$$\Big|\, \Pr[D(\sigma, iO(\lambda, C_0)) = 1 : (C_0, C_1, \sigma) \leftarrow \mathsf{Samp}(1^\lambda)] - \Pr[D(\sigma, iO(\lambda, C_1)) = 1 : (C_0, C_1, \sigma) \leftarrow \mathsf{Samp}(1^\lambda)] \,\Big| \leq \alpha(\lambda)$$

We will sometimes omit $\lambda$ from the notation whenever convenient and clear from context.


Such indistinguishability obfuscators for circuits were constructed under 
novel algebraic hardness assumptions in [20]. 


PRF variants. We first consider some simple types of constrained PRFs 
[11,14,26], where a PRF is only defined on a subset of the usual input space. 
We focus on puncturable PRFs, which are PRFs that can be defined on all bit 
strings of a certain length, except for any polynomial-size set of inputs: 

Definition 2. A puncturable family of PRFs $F$ is given by a triple of Turing Machines $\mathsf{Key}_F$, $\mathsf{Puncture}_F$, and $\mathsf{Eval}_F$, and a pair of computable functions $n(\cdot)$ and $m(\cdot)$, satisfying the following conditions:

- [Functionality preserved under puncturing]. For every PPT adversary $A$ such that $A(1^\lambda)$ outputs a set $S \subseteq \{0,1\}^{n(\lambda)}$, then for all $x \in \{0,1\}^{n(\lambda)}$ where $x \notin S$, we have that:

$$\Pr[\mathsf{Eval}_F(K, x) = \mathsf{Eval}_F(K_S, x) : K \leftarrow \mathsf{Key}_F(1^\lambda),\ K_S = \mathsf{Puncture}_F(K, S)] = 1$$

- [Pseudorandom at punctured points]. For every PPT adversary $(A_1, A_2)$ such that $A_1(1^\lambda)$ outputs a set $S \subseteq \{0,1\}^{n(\lambda)}$ and state $\sigma$, consider an experiment where $K \leftarrow \mathsf{Key}_F(1^\lambda)$ and $K_S = \mathsf{Puncture}_F(K, S)$. Then we have

$$\Big|\, \Pr[A_2(\sigma, K_S, S, \mathsf{Eval}_F(K, S)) = 1] - \Pr[A_2(\sigma, K_S, S, U_{m(\lambda) \cdot |S|}) = 1] \,\Big| = \mathrm{negl}(\lambda)$$

where $\mathsf{Eval}_F(K, S)$ denotes the concatenation of $\mathsf{Eval}_F(K, x_1), \ldots, \mathsf{Eval}_F(K, x_k)$ where $S = \{x_1, \ldots, x_k\}$ is the enumeration of the elements of $S$ in lexicographic order, $\mathrm{negl}(\cdot)$ is a negligible function, and $U_\ell$ denotes the uniform distribution over $\ell$ bits.
For ease of notation, we write $F(K, x)$ to represent $\mathsf{Eval}_F(K, x)$. We also represent the punctured key $\mathsf{Puncture}_F(K, S)$ by $K(S)$.

The GGM tree-based construction of PRFs [22] from one-way functions is easily seen to yield puncturable PRFs, as recently observed by [11,14,26]. Thus:

Theorem 1. [11,14,22,26] If one-way functions exist, then for all efficiently computable functions $n(\lambda)$ and $m(\lambda)$, there exists a puncturable PRF family that maps $n(\lambda)$ bits to $m(\lambda)$ bits.
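As an added example (not the paper's code), the following Python builds the GGM-style puncturable PRF of Definition 2 and Theorem 1 and uses it for the 1-bounded selective universal sampler of Sect. 1.1, including the first proof hybrid that punctures K at d* and hardwires z = d*(F(K, d*)). SHA-256 standing in for the length-doubling PRG, 8-byte program descriptions as the PRF input, and the complete absence of obfuscation are assumptions of the example, not of the paper.

```python
import hashlib
import os

# Constructed simplifications (not from the paper): SHA-256 stands in for the GGM
# length-doubling PRG, a setup program d is a Python callable whose description is
# a fixed 8-byte tag (so n = 64), and there is no obfuscation: programs stay in the
# clear, which suffices to check the functional equivalence the iO step relies on.

N_BITS = 64   # n: PRF input length, the bits of the program description
M_BYTES = 32  # m = 256: bits of coins F(K, d) handed to the setup program d


def _prg(seed: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG G(s) = G_0(s) || G_1(s)."""
    return hashlib.sha256(seed + bytes([bit])).digest()


def keygen() -> bytes:
    """Key_F(1^lambda): the GGM root seed (this is also Setup's secret K)."""
    return os.urandom(M_BYTES)


def prf_eval(root: bytes, x: int) -> bytes:
    """Eval_F(K, x): walk the GGM tree from the root along the bits of x, MSB first."""
    s = root
    for i in range(N_BITS - 1, -1, -1):
        s = _prg(s, (x >> i) & 1)
    return s


def puncture(root: bytes, S: set) -> dict:
    """Puncture_F(K, S): release the seed of every maximal subtree that contains no
    x in S, as {(depth, prefix): seed}; seeds on the paths to S are withheld."""
    K_S = {}

    def walk(seed: bytes, depth: int, prefix: int) -> None:
        if not any((x >> (N_BITS - depth)) == prefix for x in S):
            K_S[(depth, prefix)] = seed      # subtree free of punctured points
        elif depth < N_BITS:                 # a punctured point lies below: descend
            for b in (0, 1):
                walk(_prg(seed, b), depth + 1, (prefix << 1) | b)

    walk(root, 0, 0)
    return K_S


def can_evaluate(K_S: dict, x: int) -> bool:
    """True iff some released subtree covers x, i.e. x was not punctured."""
    return any((x >> (N_BITS - depth)) == prefix for (depth, prefix) in K_S)


def punctured_eval(K_S: dict, x: int) -> bytes:
    """Eval_F(K_S, x): find the released subtree covering x and finish the walk."""
    for (depth, prefix), seed in K_S.items():
        if (x >> (N_BITS - depth)) == prefix:
            s = seed
            for i in range(N_BITS - depth - 1, -1, -1):
                s = _prg(s, (x >> i) & 1)
            return s
    raise KeyError("x is a punctured point")


class SetupProgram:
    """A setup algorithm d: an 8-byte description plus the circuit it describes,
    here a function of the m-bit coins r. F is evaluated on the description."""

    def __init__(self, desc: bytes, circuit):
        assert len(desc) * 8 == N_BITS
        self.circuit, self.index = circuit, int.from_bytes(desc, "big")

    def run(self, r: bytes) -> bytes:
        return self.circuit(r)


def program(K: bytes):
    """P_K(d) = d(F(K, d)): the program Setup obfuscates to publish as U."""
    return lambda d: d.run(prf_eval(K, d.index))


def sample(U, d: SetupProgram) -> bytes:
    """Sample(U, d): run the published program on the description of d."""
    return U(d)


def hybrid_program(K: bytes, d_star: SetupProgram):
    """First hybrid of the 1-bounded selective proof: puncture K at d*, hardwire
    z = d*(F(K, d*)) for input d*, and use K(d*) for every other d."""
    K_S = puncture(K, {d_star.index})
    z = d_star.run(prf_eval(K, d_star.index))
    return lambda d: z if d.index == d_star.index else d.run(punctured_eval(K_S, d.index))


def make_family() -> list:
    """Two constructed setup programs: a CRS that is its coins, and a small
    'generator index' parameter derived from the coins."""
    return [
        SetupProgram(b"CRS-SEED", lambda r: r[:16]),
        SetupProgram(b"GEN-IDX-", lambda r: (int.from_bytes(r, "big") % 1000003).to_bytes(4, "big")),
    ]


def hybrid_is_equivalent(K: bytes, family: list, d_star: SetupProgram) -> bool:
    """The condition the iO step needs: P_K and the punctured/hardwired program
    agree on every d, so their obfuscations are indistinguishable under iO."""
    real, hyb = program(K), hybrid_program(K, d_star)
    return all(sample(real, d) == sample(hyb, d) for d in family)
```

The punctured key holds exactly one sibling seed per tree level, so it reveals nothing about F(K, d*) yet evaluates F everywhere else; that is what lets the hybrid swap z for fresh d*(r).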

3 Definitions 

In this section, we describe our definitional framework for universal sampler 
schemes. The essential property of a universal sampler scheme is that given 
the sampler parameters, and given any program d that generates samples from 
randomness (subject to certain size constraints, see below), it should be possible 
for any party to use the sampler parameters and the description of d to obtain 
induced samples that look like the samples that d would have generated given 
uniform and independent randomness. 

We will consider two definitions - a simpler definition promising security for a single arbitrary but fixed protocol, and a more complex definition promising security in a strong adaptive sense against many protocols chosen after the sampler parameters are fixed. All our security definitions follow a "Real World" vs. "Ideal World" paradigm. Before we proceed to our definitions, we will first set up some notation and conventions:

- We will consider programs $d$ that are bounded in the following ways: Note that we will use $d$ to refer to both the program, and the description of the program. Below, $\ell(\lambda)$, $m(\lambda)$, and $k(\lambda)$ are all computable polynomials. The description of $d$ is as an $\ell(\lambda)$-bit string describing a circuit^6 implementing $d$. The program $d$ takes as input $m(\lambda)$ bits of randomness, and outputs samples of length $k(\lambda)$ bits. Without loss of generality, we assume that $\ell(\lambda) > \lambda$ and $m(\lambda) > \lambda$. When context is clear, we omit the dependence on the security parameter $\lambda$. The quantities $(\ell, m, k)$ are bounds that are set during the setup of the universal sampler scheme.

- We enforce that every $\ell$-bit description of $d$ yields a circuit mapping $m$ bits to $k$ bits; this can be done by replacing any invalid description with a default circuit satisfying these properties.

- We will sometimes refer to the program $d$ that generates samples as a "protocol". This is to emphasize that $d$ can be used to generate arbitrary parameters for some protocol.

A universal parameter scheme consists of two algorithms: 

^6 Note that if we assume iO for Turing Machines, then we do not need to restrict the size of the description of $d$. Candidates for iO for Turing Machines were given by [1,13].
(1) The first randomized algorithm Setup takes as input a security parameter $1^\lambda$ and outputs sampler parameters $U$.

(2) The second algorithm Sample takes as input sampler parameters $U$ and a circuit $d$ of size at most $\ell$, and outputs induced samples $p_d$.

Intuition. Before giving formal definitions, we will now describe the intuition 
behind our definitions. We want to formulate security definitions that guarantee 
that induced samples are indistinguishable from honestly generated samples to 
an arbitrary interactive system of adversarial and honest parties. 

We first consider an "ideal world," where a trusted party, on input a program description $d$, simply outputs $d(r_d)$ where $r_d$ is independently chosen true randomness, chosen once and for all for each given $d$. In other words, if $F$ is a truly random function, then the trusted party outputs $d(F(d))$. In this way, if any party asks for samples corresponding to a specific program $d$, they are all provided with the same honestly generated value. This corresponds precisely to the shared trusted public parameters model in which protocols are typically constructed.

In the real world, however, all parties would only have access to the trusted 
sampler parameters. Parties would use the sampler parameters to derive induced 
samples for any specific program d. Following the ideal/real paradigm, we would 
like to argue that for any adversary that exists in the real world, there should 
exist an equivalently successful adversary in the ideal world. However, the general 
scenario of an interaction between multiple parties, some malicious and some 
honest, interacting in an arbitrary security game would be cumbersome to model 
in a definition. To avoid this, we note that the only way that honest parties 
ever use the sampler parameters is to execute the sample derivation algorithm 
using the sampler parameters and some program descriptions d (corresponding 
to the protocols in which they participate) to obtain derived samples, which 
these honest parties then use in their interactions with the adversary. 

Thus, instead of modeling these honest parties explicitly, we can "absorb" them into the adversary, as we now explain: We will require that for every real-world adversary $A$, there exists a simulator $S$ that can provide simulated sampler parameters $U$ to the adversary such that these simulated sampler parameters $U$ actually induce the completely honestly generated samples $d(F(d))$ created by the trusted party: in other words, that $\mathsf{Sample}(U, d) = d(F(d))$. Note that since honest parties are instructed to simply honestly compute induced samples, this ensures that honest parties in the ideal world would obtain these completely honestly generated samples $d(F(d))$. Thus, we do not need to model the honest parties explicitly - the adversary $A$ can internally simulate any (set of) honest parties. By the condition we impose on the simulation, these honest parties would have the correct view in the ideal world.

Selective (and bounded) vs. Adaptive (and unbounded) Security. We explore two 
natural formulations of the simulation requirement. The simpler variant is the 
selective case, where we require that the adversary declare at the start a single 
program d* on which it wants the ideal world simulator to enforce equality 
between the honestly generated samples d*(F(d*)) and the induced samples 
Sample(U, d*). This simpler variant has two advantages: First, it is achievable in 
the standard model. Second, it is achieved by a natural and simple construction 
based on indistinguishability obfuscation. 

However, ideally, we would like our security definition to capture a scenario 
where sampler parameters U are set, and then an adversary can potentially 
adaptively choose a program d for generating samples for some adaptively chosen 
application scenario. For example, there may be several plausible implementations 
of a program to generate samples, and an adversary could influence which 
specific program description d is used for a particular protocol. Note, however, 
that such an adaptive scenario is trivially impossible to achieve in the standard 
model: there is no way that a simulator can publish sampler parameters U of 
polynomial size, and then with no further interaction with the adversary, force 
Sample(U, d*) = d*(F(d*)) for a d* chosen after U has already been declared. 
This impossibility is very similar to the trivial impossibility for reusable non-interactive 
non-committing public-key encryption [29] in the plain model. Such 
causality problems can be addressed, however, in the random-oracle model. As 
discussed in the introduction, the sound use of the random oracle model together 
with obfuscation requires care: we do not assume that the random oracle itself 
can be obfuscated, which presents an intriguing technical challenge. 

Furthermore, we would like our sampler parameters to be useful to obtain 
induced samples for an unbounded number of other application scenarios. We 
formulate and achieve such an adaptive unbounded definition of security in the 
random oracle model. 


3.1 Selective One-Time Universal Samplers 

We now formally define a selective one-time secure universal sampler scheme. 

Definition 3 (Selectively-Secure One-Time Universal Sampler Scheme). Let 
$\ell(\lambda), m(\lambda), k(\lambda)$ be efficiently computable polynomials. A pair of 
efficient algorithms (Setup, Sample) where $\mathsf{Setup}(1^\lambda) \to U$, $\mathsf{Sample}(U, d) \to p_d$, 
is a selectively-secure one-time universal sampler scheme if there exists an efficient 
algorithm SimUGen such that: 

- There exists a negligible function negl(·) such that for all circuits d of length $\ell$ 
taking m bits of input, and outputting k bits, and for all strings $p_d \in \{0,1\}^k$, 
we have that: 

$$\Pr[\mathsf{Sample}(\mathsf{SimUGen}(1^\lambda, d, p_d), d) = p_d] = 1 - \mathsf{negl}(\lambda)$$ 

- For every efficient adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$, where $\mathcal{A}_2$ outputs one bit, there 
exists a negligible function negl(·) such that 

$$\left|\Pr[\mathsf{Real}(1^\lambda) = 1] - \Pr[\mathsf{Ideal}(1^\lambda) = 1]\right| = \mathsf{negl}(\lambda) \qquad (1)$$ 

where the experiments Real and Ideal are defined below ($\sigma$ denotes auxiliary 
information). 

The experiment $\mathsf{Real}(1^\lambda)$ is as follows: 

- $(d^*, \sigma) \leftarrow \mathcal{A}_1(1^\lambda)$ 

- Output $\mathcal{A}_2(\mathsf{Setup}(1^\lambda), \sigma)$ 

The experiment $\mathsf{Ideal}(1^\lambda)$ is as follows: 

- $(d^*, \sigma) \leftarrow \mathcal{A}_1(1^\lambda)$ 

- Choose r uniformly from $\{0,1\}^m$ 

- Let $p_d = d^*(r)$ 

- Output $\mathcal{A}_2(\mathsf{SimUGen}(1^\lambda, d^*, p_d), \sigma)$ 


3.2 Adaptively Secure Universal Samplers 

We now define universal sampler schemes for the adaptive setting in the random 
oracle model, handling an unbounded number of induced samples simultaneously. 
We do not assume obfuscation of circuits that call the random oracle. Thus, we 
allow the random oracle to be used only outside of obfuscated programs. 

We consider an adversary that uses a universal sampler to obtain samples on 
(adaptively chosen) distributions of his choice. We want to guarantee that for 
any distribution specified by the adversary, the output samples he obtains are 
indistinguishable from externally generated parameters from the same distribution. 
In other words, there must exist a simulator that can force the adversary to 
obtain the externally generated parameters as output of the universal sampler. 

Converting this intuition into an actual formal definition turns out to be 
somewhat complicated. The reason is that in the real world, the adversary must 
be able to generate samples on his own, using the universal sampler provided to 
him. However, the simulator which is required to force the external parameters 
cannot learn the adversary's queries to the sampler program. Such a simulator 
must observe all of the adversary's queries to the random oracle, and use them 
to program the output of the samplers, without knowing any of the adversary's 
actual queries to the sampler program. 

Definition 4 (Adaptively-Secure Universal Sampler Scheme). Let $\ell(\lambda)$, 
$m(\lambda)$, $k(\lambda)$ be efficiently computable polynomials. A pair of efficient oracle 
algorithms (Setup, Sample) where $\mathsf{Setup}^{\mathcal{H}}(1^\lambda) \to U$, $\mathsf{Sample}^{\mathcal{H}}(U, d) \to p_d$ is an 
adaptively-secure universal sampler scheme if there exist efficient interactive 
Turing Machines SimUGen, SimRO such that for every efficient admissible adversary 
A, there exists a negligible function negl(·) such that: 

$$\left|\Pr[\mathsf{Real}(1^\lambda) = 1] - \Pr[\mathsf{Ideal}(1^\lambda) = 1]\right| = \mathsf{negl}(\lambda)$$ 

where admissible adversaries, the experiments Real and Ideal and our (non-standard) 
notion of the Ideal experiment aborting, are described below. 

- An admissible adversary A is an efficient interactive Turing Machine that 
outputs one bit, with the following input/output behavior: 

• A initially takes input security parameter $\lambda$ and sampler parameters U. 

• A can send a message (RO, x) corresponding to a random oracle query. 
In response, A receives the output of the random oracle on input x. 

• A can send a message (sample, d), where d is a circuit of length $\ell$, taking m 
bits of input, and outputting k bits. A does not expect any response to this 
message. Instead, upon sending this message, A is required to honestly 
compute $p_d = \mathsf{Sample}(U, d)$, making use of any additional RO queries, 
and append $(d, p_d)$ to an auxiliary tape. 

Remark. Intuitively, (sample, d) corresponds to an honest party seeking a 
sample generated by program d. Recall that A is meant to internalize the 
behavior of honest parties that compute parameters by correctly querying 
the random oracle and recording the sampler's output.^7 

- The experiment $\mathsf{Real}(1^\lambda)$ is as follows: 

1. Throughout this experiment, a random oracle $\mathcal{H}$ is implemented by assigning 
random outputs to each unique query made to $\mathcal{H}$. 

2. $U \leftarrow \mathsf{Setup}^{\mathcal{H}}(1^\lambda)$ 

3. $\mathcal{A}(1^\lambda, U)$ is executed, where every message of the form (RO, x) receives 
the response $\mathcal{H}(x)$. 

4. The output of the experiment is the final output of the execution of 
A (which is a bit $b \in \{0,1\}$). 

- The experiment $\mathsf{Ideal}(1^\lambda)$ is as follows: 

1. A truly random function F that maps $\ell$ bits to m bits is implemented 
by assigning random m-bit outputs to each unique query made to F.^8 
Throughout this experiment, a Samples Oracle O is implemented as follows: 
On input d, where d is a circuit of length $\ell$, taking m bits of input, 
and outputting k bits, O outputs d(F(d)). 

2. $(U, \tau) \leftarrow \mathsf{SimUGen}(1^\lambda)$. Here, SimUGen can make arbitrary queries to the 
Samples Oracle O. 

3. SimRO corresponds to the output of a programmable random oracle in the 
ideal world. 

4. $\mathcal{A}(1^\lambda, U)$ and $\mathsf{SimRO}(\tau)$ begin simultaneous execution. Messages for A or 
SimRO are handled as: 

• Whenever A sends a message of the form (RO, x), this is forwarded 
to SimRO, which produces a response to be sent back to A. 

• SimRO can make any number of queries to the Samples Oracle O.^9 

• Finally, after A sends a message of the form (sample, d), the auxiliary 
tape of A is examined until A adds an entry of the form $(d, p_d)$ 
to it. At this point, if $p_d \neq d(F(d))$, the experiment aborts and we 
say that an "Honest Sample Violation" has occurred. Note that this 
corresponds to a correctness requirement in the ideal world, and is the 
only way that the experiment Ideal can abort.^10 In this case, if the 
adversary itself "aborts", we consider this to be an output of zero by 
the adversary, not an abort of the experiment itself. 

5. The output of the experiment is the final output of the execution of A 
(which is a bit $b \in \{0,1\}$). 

^7 Note that proving security against such admissible adversaries suffices to capture the 
intuition behind a universal sampler and in particular suffices for all our applications. 
This is because honest parties will still use the correctly generated output, and we 
would like to guarantee that no malicious adversary will be able to distinguish the 
samples used by honest parties from externally generated samples. 

^8 A does not have direct access to F; in fact A will only have access to SimRO which 
we define later to model the output of a programmable random oracle. 

^9 Looking ahead, in our proof, SimRO will use the output of queries to O to generate 
a programmed output of the Random Oracle. 

732    D. Hofheinz et al. 

Remark 1. We note that indistinguishability of the real and ideal worlds also 
implies that: $\Pr[\mathsf{Ideal}(1^\lambda) \text{ aborts}] \leq \mathsf{negl}(\lambda)$ 

4 Selective One-Time Universal Samplers 

In this section, we show the following: 

Theorem 2 (Selective One-Time Universal Samplers). If indistinguishability 
obfuscation and one-way functions exist, then there exists a selectively 
secure one-time universal sampler scheme, according to Definition 3. 

The required Selective One-Time Universal Sampler Scheme consists of programs 
Setup and Sample. 

- $\mathsf{Setup}(1^\lambda)$ first samples the key K for a PRF that takes $\ell$ bits as input and 
outputs m bits. It then sets Sampler Parameters U to be an indistinguishability 
obfuscation of the program^11 Selective-Single-Samples in Figure 1. It 
outputs U. 

- $\mathsf{Sample}(U, d)$ runs the program U on input d to generate and output U(d). 


Selective-Single-Samples 

Constant: PRF key K. 

Input: Program description d. 

1. Output d(F(K, d)). 

Recall that d is a program description which outputs k bits. 

Fig. 1. Program Selective-Single-Samples 


^10 Recall that an admissible adversary only honestly computes samples and adds them 
to its tape, i.e., an admissible adversary always writes $p_d = \mathsf{Sample}^{\mathcal{H}}(U, d)$ as the 
honest output of the sampler program. Thus, an honest sample violation in the ideal 
world indicates that the simulator did not force the correct samples d(F(d)) obtained 
externally from a trusted party, into the output of the sampler program. 

^11 Appropriately padded to the maximum of the size of itself and Program Selective-Single-Samples: 2 
in Fig. 2. 
4.1 Overview of Security Proof 

The proof follows straightforwardly from the puncturing techniques of [32] and 
we give a brief overview before giving the full proof. In the real world, the 
adversary commits to his input d* and then the challenger gives the Selective-Single-Samples 
program to the adversary. In the first hybrid, we puncture the 
PRF key K at value d*, and hardwire the output $f^* = d^*(\mathsf{PRF}(K, d^*))$ into 
the program, arguing security by iO of the functionally equivalent programs. In 
the next hybrid, $\mathsf{PRF}(K, d^*)$ can be replaced with a random value x, setting 
$f^* = d^*(x)$ and arguing security because of the puncturable PRF. Finally, the 
value $f^*$ can be replaced with the external sample $p_d$. 


4.2 Hybrids 

We prove security by a sequence of hybrids, starting with the original experiment 
Hybrid$_0$ in the Real World and replacing the output at d* with an external sample 
in the final hybrid (Ideal World). Each hybrid is an experiment that takes as 
input $1^\lambda$. The output of each hybrid is the adversary's output when it terminates. 
We denote changes between subsequent hybrids using red underlined font. 

Hybrid$_0$: 

- The adversary picks protocol description d* and sends it to the challenger. 

- The challenger picks PRF key K and sends the adversary an iO of the program^12 
Selective-Single-Samples in Fig. 1. 

- The adversary queries the program on input d* to obtain the sample. 

Hybrid$_1$: 

- The adversary picks protocol description d* and sends it to the challenger. 

- The challenger picks PRF key K, sets $f^* = d^*(F(K, d^*))$, punctures K at d* 
and sends the adversary an iO of the program^13 Selective-Single-Samples: 2 
in Fig. 2. 

- The adversary queries the program on input d* to obtain the sample. 

Hybrid$_2$: 

- The adversary picks protocol description d* and sends it to the challenger. 

- The challenger picks PRF key K, picks $x \leftarrow \{0,1\}^m$, sets $f^* = d^*(x)$, punctures 
K at d* and sends the adversary an iO of the program^14 Selective-Single-Samples: 2 
in Fig. 2. 

- The adversary queries the program on input d* to obtain the sample. 


^12 Padded to the maximum of the size of itself and Selective-Single-Samples: 2. 

^13 Padded to the maximum of the size of itself and Selective-Single-Samples. 

^14 Padded to the maximum of the size of itself and Selective-Single-Samples. 
Selective-Single-Samples: 2 

Constants: PRF key $K\{d^*\}$, $d^*$, $f^*$. 

Input: Program description d. 

1. If d = d* output $f^*$. 

2. Else output d(F(K, d)). Recall that d is a program description 
which outputs k bits. 

Fig. 2. Program Selective-Single-Samples: 2 


Hybrid$_3$: 

- This hybrid describes how SimUGen works. 

- The adversary picks protocol description d* and sends it to the challenger. 

- The challenger executes $\mathsf{SimUGen}(1^\lambda, d^*)$, which does the following: It picks 
PRF key K, sets $f^* = p_d$ for externally obtained sample $p_d$, punctures K at 
d* and outputs an iO of the program^15 Selective-Single-Samples: 2 in Fig. 2. 
This is then sent to the adversary. 

- The adversary queries the program on input d* to obtain the sample. 
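The following is an added toy model of the Section 4 construction and of the experiments of Definition 3; it is not code from the paper. Indistinguishability obfuscation cannot be implemented, so an "obfuscated program" is a plain Python closure and HMAC-SHA256 stands in for the puncturable PRF F; the program descriptions d and the registry that maps them to circuits are constructed for the example. What the model does let one check are the functional facts the hybrids rest on: honest derivation from shared U is deterministic, the Fig. 1 and Fig. 2 programs agree on every input once $f^*$ is set to $d^*(F(K, d^*))$ (the iO step from Hybrid$_0$ to Hybrid$_1$), and the SimUGen of Hybrid$_3$ forces the externally supplied $p_d$ (the correctness claim of Sect. 4.3).

```python
"""Toy model of the selective one-time universal sampler (added example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

M_BYTES = 32  # m: randomness fed to a program d (here 256 bits)
K_BYTES = 32  # k: length of a sample (here 256 bits)

Program = Callable[[bytes], bytes]          # a "circuit" d: m bytes of randomness -> k bytes
Sampler = Callable[[bytes], bytes]          # sampler parameters U: description d -> sample

# Constructed registry: a program description d (byte string) and the circuit it denotes.
PROGRAMS: Dict[bytes, Program] = {
    b"d1: identity on the randomness": lambda r: r,
    b"d2: hash of the randomness": lambda r: hashlib.sha256(b"d2" + r).digest(),
    b"d3: randomness forced odd": lambda r: (int.from_bytes(r, "big") | 1).to_bytes(K_BYTES, "big"),
}


def run_program(d: bytes, r: bytes) -> bytes:
    """d(r): evaluate the circuit described by d on m bytes of randomness r."""
    return PROGRAMS[d](r)


def prf(key: bytes, d: bytes) -> bytes:
    """F(K, d): PRF from program descriptions to m bits (HMAC-SHA256 stand-in)."""
    return hmac.new(key, d, hashlib.sha256).digest()


def selective_single_samples(K: bytes) -> Sampler:
    """The Fig. 1 program with PRF key K hardwired: on input d output d(F(K, d))."""
    return lambda d: run_program(d, prf(K, d))


def selective_single_samples_2(K: bytes, d_star: bytes, f_star: bytes) -> Sampler:
    """The Fig. 2 program with constants K{d*}, d*, f*. Puncturing is modelled by
    never evaluating the PRF at d*: the hardwired f* is returned there instead."""
    def program(d: bytes) -> bytes:
        if d == d_star:
            return f_star
        return run_program(d, prf(K, d))
    return program


def setup() -> Sampler:
    """Setup(1^lambda): sample K and publish U, the 'obfuscation' of Fig. 1."""
    K = secrets.token_bytes(32)
    return selective_single_samples(K)


def sample(U: Sampler, d: bytes) -> bytes:
    """Sample(U, d): run the sampler parameters on the program description."""
    return U(d)


def sim_ugen(d_star: bytes, p_d: bytes) -> Sampler:
    """SimUGen(1^lambda, d*, p_d) as in Hybrid 3: fresh key, f* := external sample p_d."""
    K = secrets.token_bytes(32)
    return selective_single_samples_2(K, d_star, p_d)


def agree_everywhere(U0: Sampler, U1: Sampler) -> bool:
    """Functional equivalence over the (finite, constructed) space of descriptions."""
    return all(U0(d) == U1(d) for d in PROGRAMS)


def hybrid_0_vs_1_equivalent(d_star: bytes) -> bool:
    """The iO step: with f* = d*(F(K, d*)), Fig. 1 and Fig. 2 agree on every input."""
    K = secrets.token_bytes(32)
    f_star = run_program(d_star, prf(K, d_star))
    return agree_everywhere(selective_single_samples(K),
                            selective_single_samples_2(K, d_star, f_star))


def ideal_experiment(d_star: bytes) -> bool:
    """Ideal(1^lambda) of Definition 3 with an A_2 that outputs 1 iff the sample it
    derives from the simulated U equals the trusted party's d*(r)."""
    r = secrets.token_bytes(M_BYTES)          # trusted party's uniform randomness
    p_d = run_program(d_star, r)              # honestly generated sample d*(r)
    U = sim_ugen(d_star, p_d)
    return sample(U, d_star) == p_d           # correctness: always True here


def honest_parties_agree(d: bytes) -> bool:
    """Two honest parties holding the same U derive the same sample for the same d."""
    U = setup()
    return sample(U, d) == sample(U, d)


if __name__ == "__main__":
    d_star = b"d2: hash of the randomness"
    print("Hybrid_0 ~ Hybrid_1 (functional equivalence):", hybrid_0_vs_1_equivalent(d_star))
    print("Ideal experiment forces external sample:", ideal_experiment(d_star))
```

Note that the equivalence check iterates over the whole constructed description space; in the paper the same statement is about circuits of length $\ell$, which is why it is an iO argument rather than a test.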


4.3 Indistinguishability of the Hybrids 

To prove Theorem 2, it suffices to prove the following claims. 

Claim. Hybrid$_0(1^\lambda)$ and Hybrid$_1(1^\lambda)$ are computationally indistinguishable. 

Proof. Hybrid$_0$ and Hybrid$_1$ are indistinguishable by security of iO, since the programs 
Selective-Single-Samples and Selective-Single-Samples: 2 are functionally 
equivalent. Suppose not; then there exists a distinguisher $\mathcal{D}_1$ that distinguishes 
between the two hybrids. This can be used to break security of the iO via the 
following reduction to a distinguisher $\mathcal{D}$. 

$\mathcal{D}$ acts as challenger in the experiment of Hybrid$_0$. He activates the 
adversary $\mathcal{D}_1$ to obtain input d*, and computes $f^* = d^*(F(K, d^*))$, to 
obtain circuits $C_0$ = Selective-Single-Samples according to Fig. 1 and $C_1$ = 
Selective-Single-Samples: 2 according to Fig. 2 with inputs $d^*, f^*$. He gives $C_0, C_1$ 
to the iO challenger. 

The iO challenger pads these circuits in order to bring them to equal size. 
It is easy to see that these circuits are functionally equivalent. Next, the iO 
challenger gives circuit $C_x = iO(C_0)$ or $C_x = iO(C_1)$ to $\mathcal{D}$. 

$\mathcal{D}$ continues the experiment of Hybrid$_1$ except that he sends the obfuscated 
circuit $C_x$ instead of the obfuscation of Selective-Single-Samples to the adversary 
$\mathcal{D}_1$. Since $\mathcal{D}_1$ has significant distinguishing advantage, there exists a polynomial 
p(·) such that $\Pr[\mathcal{D}_1(\mathsf{Hybrid}_0) = 1] - \Pr[\mathcal{D}_1(\mathsf{Hybrid}_1) = 1] > 1/p(\lambda)$. 

We note that Hybrid$_0$ and Hybrid$_1$ correspond exactly to $C_x$ being $C_0$ and 
$C_1$ respectively, thus we can just have $\mathcal{D}$ echo the output of $\mathcal{D}_1$ such that the 
following is true, for $\alpha(\cdot) = 1/p(\cdot)$: 

$$\Pr[\mathcal{D}(\sigma, iO(n, C_0)) = 1] - \Pr[\mathcal{D}(\sigma, iO(n, C_1)) = 1] > \alpha(\lambda)$$ 

^15 Padded to the maximum of the size of itself and Selective-Single-Samples. 


Claim. Hybrid$_1(1^\lambda)$ and Hybrid$_2(1^\lambda)$ are computationally indistinguishable. 

Proof. Hybrid$_1$ and Hybrid$_2$ are indistinguishable by security of the punctured 
PRF $K\{d^*\}$. Suppose they are not; then consider an adversary $\mathcal{D}_2$ who distinguishes 
between these hybrids with significant advantage. 

This adversary can be used to break selective security of the punctured PRF 
K via the following reduction algorithm to distinguisher $\mathcal{D}$, that first gets the 
protocol d* after activating the distinguisher $\mathcal{D}_2$. The PRF challenger gives the 
punctured PRF K along with challenge a to the PRF attacker $\mathcal{D}$, which is 
either the output of the PRF at d* or is set uniformly at random in $\{0,1\}^m$. 
$\mathcal{D}$ sets $f^* = d^*(a)$ and continues the experiment of Hybrid$_1$ against $\mathcal{D}_2$. Then, 

$$\Pr[\mathcal{D}_2(\mathsf{Hybrid}_1) = 1] - \Pr[\mathcal{D}_2(\mathsf{Hybrid}_2) = 1] > 1/p(\lambda)$$ 

for some polynomial p(·). 

If a is the output of the punctured PRF K at d*, then we are in Hybrid$_1$. If a 
was chosen uniformly at random, then we are in Hybrid$_2$. Therefore, we can just 
have $\mathcal{D}$ echo the output of $\mathcal{D}_2$ such that 

$$\Pr[\mathcal{D}(F(K\{d^*\}, d^*)) = 1] - \Pr[\mathcal{D}(y \leftarrow \{0,1\}^m) = 1] > 1/p(\lambda).$$ 


Claim. Hybrid$_2(1^\lambda)$ and Hybrid$_3(1^\lambda)$ are identical. 

Proof. These are identical since x is sampled uniformly at random in $\{0,1\}^m$. 

Claim. $\Pr[\mathsf{Sample}(\mathsf{SimUGen}(1^\lambda, d, p_d), d) = p_d] = 1$ 

Proof. It follows from inspection of our construction that the program always 
outputs the external samples in the ideal world, therefore condition (1) in Definition 3 
is fulfilled. 


5 Adaptively Secure Universal Samplers 

Theorem 3 (Adaptively Secure Universal Samplers). If indistinguishability 
obfuscation and one-way functions exist, then there exists an adaptively 
secure universal sampler scheme, according to Definition 4, in the Random Oracle 
Model. 

Our scheme consists of algorithms Setup and Sample, defined below. We rely 
on injective PRGs and indistinguishability obfuscation. 
- $\mathsf{Setup}(1^\lambda, r)$ first samples PRF keys $K_1^{(n)}, K_2, K_2'$ and then sets Sampler Parameters 
U to be an indistinguishability obfuscation of the program Adaptive-Samples^16, 
Figure 3. The first three steps in the program look for "hidden 
triggers" and extract an output if a trigger is found; the final step represents 
the normal operation of the program (when no triggers are found). 

The program takes as input a value u, where $|u| = n^2$, and v, where $|v| = n$, 
such that $u\|v$ is obtained as the output of a random oracle $\mathcal{H}$ on input d. 
Here, n is the size of an iO of program^17 $P_{K_3}$ (Figure 4). As such, n will be 
some fixed polynomial in the security parameter $\lambda$. The key to our proof is to 
instantiate the random oracle $\mathcal{H}$ appropriately to generate the sample for any 
input protocol description d. 

Denote by $\{F_1^{1,0}, F_1^{1,1}, \ldots, F_1^{n,0}, F_1^{n,1}\}$ a sequence of 2n 
puncturable PRFs that each take n-bit inputs and output n bits. For some 
key sequence $\{K_1^{1,0}, K_1^{1,1}, K_1^{2,0}, \ldots, K_1^{n,0}, K_1^{n,1}\}$, denote the combined key 
by $K_1^{(n)}$. Then, on an n-bit input v, denote the combined output of the functions 
$F_1$ using key $K_1^{(n)}$ by $F_1^{(n)}(K_1^{(n)}, v)$. Note that the length of this combined 
output is $2n^2$. Denote by $F_2$ a puncturable PRF that takes inputs of $(n^2 + n)$ 
bits and outputs $n_1$ bits, where $n_1$ is the size of the key for the program 
$P_{K_3}$ in Fig. 4. In particular, $n_1 = \lambda$. Denote by $F_2'$ another puncturable PRF 
that takes inputs of $(n^2 + n)$ bits and outputs $n_2$ bits, where $n_2$ is the size of 
the randomness r used by the iO given the program $P_{K_3}$ in Fig. 4. Denote by 
$F_3$ another puncturable PRF that takes inputs of $\ell$ bits and outputs m bits. 
Denote by PRG an injective length-doubling pseudo-random generator that 
takes inputs of n bits and outputs 2n bits. 

Here m is the size of uniform randomness accepted by d(·), k is the size of 
samples generated by d(·). 

- $\mathsf{Sample}(U, d)$ queries the random oracle $\mathcal{H}$ to obtain $(u, v) = \mathcal{H}(d)$. It then runs 
the program U generated by $\mathsf{Setup}(1^\lambda)$ on input (u, v) to obtain as output 
the obfuscated program P. It now runs this program P on input d to obtain 
the required samples. 


5.1 Overview of the Security Game and Hybrids 

We convert any admissible adversary A, which is allowed to send any message 
(RO, x) or (params, d), into a modified adversary such that whenever 
A sends message (params, d), our modified adversary sends message (RO, d) and 
then sends message (params, d). It suffices to prove the security of our scheme 
with respect to such modified adversaries because this modified adversary is 
functionally equivalent to the admissible adversary. Because the modified adversary 
always provides protocol description d to the random oracle, our proof will 
not directly deal with messages of the form (params, d) and it will suffice to 
handle only messages (RO, d) sent by the adversary. 

^16 This program must be padded appropriately to the maximum of the size of itself and 
other corresponding programs in various hybrids, as described in the next section. 

^17 Appropriately padded to the maximum of the size of itself and $P'_{K_3, p^*, d^*}$ in future 
hybrids. 


Adaptive-Samples 

Constants: PRF keys $K_1^{(n)}, K_2, K_2'$. 

Input: Program hash $u = u[1], \ldots, u[n]$, v. 

1. Compute $F_1(K_1^{(n)}, v) = (y_{1,0}, y_{1,1}), \ldots, (y_{n,0}, y_{n,1})$. 

2. For $i = 1, \ldots, n$, if $u[i] = y_{i,0}$ set $x_i = 0$ else if $u[i] = y_{i,1}$ set 
$x_i = 1$ else set $x_i = \bot$. 

3. If $x \in \{0,1\}^n$ (i.e. no $\bot$s), output x. 

4. Else set $K_3 = F_2(K_2, u|v)$, $r = F_2'(K_2', u|v)$. Output $P = iO(P_{K_3}; r)$ 
of the program^a $P_{K_3}$ of Figure 4. 

^a Appropriately padded to the maximum of the size of itself and 
$P'_{K_3, p^*, d^*}$ in future hybrids. 

Fig. 3. Program Adaptive-Samples 


$P_{K_3}$ 

Constant: PRF key $K_3$. 

Input: Program description d. 

1. Output $d(F_3(K_3, d))$. Recall that d is a program description which 
outputs k bits. 

Fig. 4. Program $P_{K_3}$ 
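The following is an added toy model of the hidden-trigger mechanism of Adaptive-Samples (Fig. 3) and of the way the simulator programs the random-oracle output $(u_j, v_j)$ so that the sampler returns a chosen n-bit string g; it is not code from the paper. Nothing is obfuscated, so the program that step 4 returns is a plain closure, the payload g carried by a trigger is an arbitrary n-bit string rather than an obfuscated single-use program, and the iO randomness $r = F_2'(K_2', u|v)$ is omitted. HMAC-SHA256 stands in for the puncturable PRFs $F_1^{(n)}$, $F_2$ and $F_3$, and the circuit d is modelled as a hash of its description and randomness; all of these choices are constructions for the example. The point it makes is the one the proof relies on: a uniformly random $(u, v)$ never decodes as a trigger and falls through to the deterministic normal path, while a programmed $u$ decodes to exactly g even though U itself is unchanged, which is what lets the same U be programmed for an unbounded number of queries.

```python
"""Toy model of hidden triggers in Adaptive-Samples (added example)."""
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Tuple

N = 64            # n: trigger positions; |v| = n bits, and each u[i] and each y_{i,b} is n bits
BLOCK = N // 8    # n bits expressed in bytes; |u| = n * BLOCK bytes = n^2 bits


def f1(k1: bytes, v: bytes) -> List[Tuple[bytes, bytes]]:
    """F_1^{(n)}(K_1^{(n)}, v): the 2n n-bit strings (y_{1,0}, y_{1,1}), ..., (y_{n,0}, y_{n,1}).
    The 2n PRFs F_1^{i,b} are modelled by one HMAC keyed on (i, b) and v."""
    return [
        tuple(hmac.new(k1, bytes([i, b]) + v, hashlib.sha256).digest()[:BLOCK] for b in (0, 1))
        for i in range(N)
    ]


def to_bits(g: bytes) -> List[int]:
    """Big-endian bit expansion g_1, ..., g_n of the payload."""
    return [(g[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * len(g))]


def from_bits(x: List[int]) -> bytes:
    """Inverse of to_bits (length of x must be a multiple of 8)."""
    return bytes(sum(x[8 * j + t] << (7 - t) for t in range(8)) for j in range(len(x) // 8))


def p_k3(k3: bytes) -> Callable[[bytes], bytes]:
    """P_{K_3} (Fig. 4): on description d output d(F_3(K_3, d)). The circuit d is
    modelled (constructed) as SHA-256 over the description and its randomness."""
    def program(d: bytes) -> bytes:
        r = hmac.new(k3, d, hashlib.sha256).digest()     # F_3(K_3, d): m bits of randomness
        return hashlib.sha256(d + r).digest()             # stands in for evaluating d on r
    return program


def adaptive_samples(k1: bytes, k2: bytes, u: bytes, v: bytes):
    """Adaptive-Samples (Fig. 3). Returns ('trigger', x) when the hidden trigger decodes
    (step 3), otherwise ('program', P_{K_3}) with K_3 = F_2(K_2, u|v) (step 4)."""
    blocks = [u[i * BLOCK:(i + 1) * BLOCK] for i in range(N)]
    y = f1(k1, v)                                         # step 1
    x: List[Optional[int]] = []
    for i in range(N):                                    # step 2
        if blocks[i] == y[i][0]:
            x.append(0)
        elif blocks[i] == y[i][1]:
            x.append(1)
        else:
            x.append(None)                                # bottom
    if all(bit is not None for bit in x):                 # step 3: a complete trigger
        return ("trigger", from_bits(x))
    k3 = hmac.new(k2, u + v, hashlib.sha256).digest()     # step 4: K_3 = F_2(K_2, u|v)
    return ("program", p_k3(k3))


def program_ro_output(k1: bytes, g: bytes) -> Tuple[bytes, bytes]:
    """Hybrid_{s,13}, step 2: choose v at random and set u[i] = y_{i, g_i} for
    (y_{i,0}, y_{i,1}) = F_1(K_1^{(n)}, v), so that Adaptive-Samples outputs g on (u, v).
    Only the oracle response is programmed; the sampler parameters stay fixed."""
    v = secrets.token_bytes(BLOCK)
    y = f1(k1, v)
    u = b"".join(y[i][bit] for i, bit in enumerate(to_bits(g)))
    return u, v


def random_ro_output() -> Tuple[bytes, bytes]:
    """An honest random oracle response: u|v uniform in {0,1}^{n^2 + n}."""
    return secrets.token_bytes(N * BLOCK), secrets.token_bytes(BLOCK)


def trigger_roundtrip(k1: bytes, k2: bytes, g: bytes) -> bool:
    """Programmed (u, v) makes the sampler output exactly g."""
    u, v = program_ro_output(k1, g)
    kind, out = adaptive_samples(k1, k2, u, v)
    return kind == "trigger" and out == g


def random_ro_falls_through(k1: bytes, k2: bytes) -> bool:
    """A uniformly random oracle output decodes to bottom somewhere (with overwhelming
    probability) and the program takes its normal path."""
    u, v = random_ro_output()
    kind, _ = adaptive_samples(k1, k2, u, v)
    return kind == "program"


def normal_path_deterministic(k1: bytes, k2: bytes, d: bytes) -> bool:
    """Honest parties sharing U and the same oracle answer H(d) derive the same sample."""
    u, v = random_ro_output()                             # plays the role of H(d)
    _, p_first = adaptive_samples(k1, k2, u, v)
    _, p_second = adaptive_samples(k1, k2, u, v)
    return p_first(d) == p_second(d)
```

Because each $u[i]$ is compared against two n-bit PRF outputs, a random block matches one of them with probability about $2^{1-n}$, and all n blocks would have to match for the trigger branch to fire; this is the same reason the honest path is never accidentally replaced in Hybrid$_0$.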

We prove via a sequence of hybrids that algorithms Setup and 
Sample satisfy the security requirements of Definition 4 in the Random 
Oracle Model. Hybrid$_0$ corresponds to the real world in the security 
game described above. Suppose the adversary makes $q(\lambda)$ queries 
to the random oracle $\mathcal{H}$, for some polynomial q(·). The argument proceeds 
via the sequence Hybrid$_0$, Hybrid$_{1,1}$, Hybrid$_{1,2}$, ..., Hybrid$_{1,13}$, Hybrid$_{2,1}$, 
..., Hybrid$_{2,13}$, ..., Hybrid$_{q(\lambda),13}$, each of which we prove to be indistinguishable 
from the previous one. We define Hybrid$_0$ = Hybrid$_{0,13}$ for convenience. The 
final hybrid Hybrid$_{q(\lambda),13}$ corresponds to the ideal world in the security game 
described above, and contains (implicitly) descriptions of SimUGen, SimRO as 
required in Definition 4. For brevity, we only describe Hybrid$_0$ and Hybrid$_{s,13}$ 
for a generic $s \in [q(\lambda)]$ in this section. We also give a short overview of how 
the sequence of hybrids progresses. The complete sequence of hybrids along 
with complete indistinguishability arguments, beginning with Hybrid$_0$ and then 
Hybrid$_{s,1}$, Hybrid$_{s,2}$, ..., Hybrid$_{s,13}$ for a generic $s \in [q(\lambda)]$, can be found in the 
next sections. 
In the following experiments, the challenger chooses PRF keys $K_1^{(n)}, K_2$ and 
$K_2'$ for PRFs $F_1^{(n)}, F_2$ and $F_2'$. Each hybrid is an experiment that takes input $1^\lambda$. 
The output of any hybrid experiment denotes the output of the adversary upon 
termination. Changes between hybrids are denoted using red underlined font. 

Hybrid$_0$: 

- The challenger pads the program Adaptive-Samples in Fig. 3 to be the maximum 
of the size of itself and all corresponding programs (Adaptive-Samples: 2, 
Adaptive-Samples: 3) in other hybrids. Next, he sends the obfuscation of 
the program in Fig. 3 to the adversary. 

- Set j = 0. While the adversary queries the RO, increment j and repeat: 

1. Let the adversary query the random oracle on protocol description d*. 

2. The challenger sets the output of the RO to a uniformly random string in $\{0,1\}^{n^2+n}$. 

- The adversary then outputs a single bit b'. 

Hybrid$_{s,13}$: 

- The challenger pads the program Adaptive-Samples in Fig. 5 appropriately^18 
and sends an iO of the program to the adversary. 

- Set j = 0. While the adversary queries the RO, increment j and repeat: 

1. Let the adversary query the random oracle on protocol description d*. 

2. If $j \leq s$, the challenger sets the output of the random oracle as follows: 
$v_j^* \leftarrow \{0,1\}^n$. He sets $K_3^* \leftarrow \{0,1\}^n$, $e' \leftarrow \{0,1\}^n$. He queries the oracle to obtain the 
sample $p^*$ and sets $g = iO(P'_{K_3^*, p^*, d^*}; e')$ (see Fig. 7). 
For all $b \in \{0,1\}$ and $i \in [1, n]$, he sets $(y_{1,0}, y_{1,1}), \ldots, (y_{n,0}, y_{n,1}) = F_1(K_1^{(n)}, v_j)$, 
$u_j[i] = y_{i, g_i}$, where $g_i$ is the i-th bit of g. 

3. If $j > s$, the challenger sets the RO output to a uniformly random string in $\{0,1\}^{n^2+n}$. 

- The adversary then outputs a single bit b'. 

Note that Hybrid$_{q(\lambda),13}$ is the Ideal World and it describes how SimUGen and 
SimRO work in the first and second bullet points above, respectively. 

From Hybrid$_{s-1,13}$ to Hybrid$_{s,13}$. 

We now outline a series of sub-hybrids from Hybrid$_{s-1,13}$ to Hybrid$_{s,13}$ for a 
generic $s \in [1, q]$, where we program the universal sampler U to output external 
parameters on the s-th query of the adversary. Our proof consists of two main 
steps: the first step consists in hardwiring a fresh single-use program into the 
random oracle output for the s-th query; this is done by first hardwiring values 
into the obfuscated program, then changing the output of the random oracle, 
and then un-hardwiring these values from the obfuscated program. 

Once this is done, the second step consists of hardwiring the external parameters 
into this single-use program. The complete hybrids and indistinguishability 
arguments are in the next subsection. 


^18 To the maximum of the size of itself and all corresponding programs in the other 
hybrids. 
Adaptive-Samples 

Constants: PRF keys $K_1^{(n)}, K_2, K_2'$. 

Input: Program hash $u = u[1], \ldots, u[n]$, v. 

1. Compute $F_1(K_1^{(n)}, v) = (y_{1,0}, y_{1,1}), \ldots, (y_{n,0}, y_{n,1})$. 

2. For $i = 1, \ldots, n$, if $u[i] = y_{i,0}$ set $x_i = 0$ else if $u[i] = y_{i,1}$ set 
$x_i = 1$ else set $x_i = \bot$. 

3. If $x \in \{0,1\}^n$ (i.e. no $\bot$s), output x. 

4. Else set $K_3 = F_2(K_2, u|v)$, $r = F_2'(K_2', u|v)$. Output $iO(P_{K_3}; r)$ 
of the program^a $P_{K_3}$ of Figure 6. 

^a Appropriately padded to the maximum size of itself and $P'_{K_3, p^*, d^*}$. 

Fig. 5. Program Adaptive-Samples 


$P_{K_3}$ 

Constant: PRF key $K_3$. Input: Program description d. 

1. Output $d(F_3(K_3, d))$. 

Fig. 6. Program $P_{K_3}$ 


$P'_{K_3, p^*, d^*}$ 

Constants: PRF key $K_3\{d^*\}$, $p^*$, $d^*$. Input: Program description d. 

1. If $d = d^*$ output $p^*$. 

2. Else output $d(F_3(K_3, d))$. 

Fig. 7. Program $P'_{K_3, p^*, d^*}$ 


First step. Hybrid$_{s,1}$: Let the s-th random oracle query of the adversary be on 
input d*. We first use punctured programming to hardwire computation corresponding 
to input d* into the Adaptive-Samples program. 

To do this, in Hybrid$_{s,1}$ the challenger picks $v^*$ uniformly at random as the 
output of the random oracle on input d*. He sets $(y^*_{1,0}, y^*_{1,1}, \ldots, y^*_{n,0}, y^*_{n,1}) = F_1(K_1^{(n)}, v^*)$. 
Then, for all $b \in \{0,1\}$, $i \in [n]$ he sets $z^*_{i,b} = \mathrm{PRG}(y^*_{i,b})$. Next, he 
adds a check at the beginning of the main program such that for $v = v^*$, if $u[i] = 
z^*_{i,b}$, the program sets $x_i = b$. The program Adaptive-Samples of Hybrid$_{s-1,13}$ 
is replaced by the program Adaptive-Samples: 2 illustrated in Fig. 8. This is 
indistinguishable from the previous hybrid by the security of indistinguishability 
obfuscation, because the programs Adaptive-Samples and Adaptive-Samples: 2 
are functionally equivalent. 
Adaptive-Samples: 2 

Constants: $v^*$, PRF keys $K_1^{(n)}\{v^*\}$, $K_2$, $K_2'$, $z^*_{i,b}$ for $i \in [1, n]$ 
and $b \in \{0,1\}$. 

Input: Program hash $u = u[1], \ldots, u[n]$, v. 

1. If $v = v^*$ then for $i = 1, \ldots, n$ do: 
If $\mathrm{PRG}(u[i]) = z^*_{i,0}$ let $x_i = 0$, if $\mathrm{PRG}(u[i]) = z^*_{i,1}$ let $x_i = 1$, else $x_i = \bot$. 
Go to step 4. 

2. Compute $F_1(K_1^{(n)}, v) = (y_{1,0}, y_{1,1}), \ldots, (y_{n,0}, y_{n,1})$. 

3. For $i = 1, \ldots, n$, if $u[i] = y_{i,0}$ set $x_i = 0$ else if $u[i] = y_{i,1}$ set 
$x_i = 1$ else set $x_i = \bot$. 

4. If $x \in \{0,1\}^n$ (i.e. no $\bot$s), output x. 

5. Else set $K_3 = F_2(K_2, u|v)$, $r = F_2'(K_2', u|v)$. Output $iO(P_{K_3}; r)$ 
of the program^a $P_{K_3}$ of Figure 6. 

^a Appropriately padded to the maximum of the size of itself and 
$P'_{K_3, p^*, d^*}$. 

Fig. 8. Program Adaptive-Samples: 2 


Hybrid$_{s,2}$: In Hybrid$_{s,2}$, the output of PRF $F_1$ on input $v^*$ is replaced with random. 
That is, for all $b \in \{0,1\}$, $i \in [n]$, he sets $y^*_{i,b} \leftarrow \{0,1\}^n$. This hybrid is 
indistinguishable from Hybrid$_{s,1}$ by security of the puncturable PRF. 

Hybrid$_{s,3}$: Next, the string $z^*$ is set uniformly at random. That is, for each 
$i \in [n]$, $b \in \{0,1\}$, instead of setting $z^*_{i,b} = \mathrm{PRG}(y^*_{i,b})$, the challenger sets 
$z^*_{i,b} \leftarrow \{0,1\}^{2n}$. This hybrid is indistinguishable from Hybrid$_{s,2}$ by security of the PRG. 
Note that this step "deactivates" the extra check we had added in Hybrid$_{s,1}$, 
because with overwhelming probability, $z^*$ will lie outside the image of the PRG. 

Hybrid$_{s,4}$: Once this is done, for $u^*$ and $v^*$ both fixed uniformly at random 
as random oracle response to query d*, in Hybrid$_{s,4}$ the challenger sets 
$e = F_2(K_2, u^*|v^*)$, $e' = F_2'(K_2', u^*|v^*)$, $g = iO(P_e; e')$ and adds an initial check 
in the main program: if input $u = u^*$ and $v = v^*$, then output g and exit. Simultaneously, 
the challenger punctures the keys $K_2$ and $K_2'$ in the main program. 
The modified program Adaptive-Samples: 3 is depicted in Fig. 9. At this point, 
we have hardwired Adaptive-Samples: 3 to output g on input values $(u^*, v^*)$, 
obtained from the RO on input d*. This is indistinguishable from Hybrid$_{s,3}$ by 
the security of indistinguishability obfuscation, because the programs Adaptive-Samples: 3 
and Adaptive-Samples: 2 are functionally equivalent. 

Hybrid$_{s,5}$: In this hybrid, the challenger generates e uniformly at random instead 
of the output of the punctured PRF $F_2$. 
Adaptive-Samples: 3 

Constants: $v^*$, $u^*$, g, PRF keys $K_1^{(n)}\{v^*\}$, $K_2\{u^*|v^*\}$, $K_2'\{u^*|v^*\}$, 
$z^*_{i,b}$ for $i \in [1, n]$ and $b \in \{0,1\}$. 

Input: Program hash $u = u[1], \ldots, u[n]$, v. 

1. If $u = u^*$ and $v = v^*$ output g and stop. 

2. If $v = v^*$ then for $i = 1, \ldots, n$ do: 
If $\mathrm{PRG}(u[i]) = z^*_{i,0}$ let $x_i = 0$, if $\mathrm{PRG}(u[i]) = z^*_{i,1}$ let $x_i = 1$, else 
$x_i = \bot$. 
Go to step 5. 

3. Compute $F_1(K_1^{(n)}, v) = (y_{1,0}, y_{1,1}), \ldots, (y_{n,0}, y_{n,1})$. 

4. For $i = 1, \ldots, n$, if $u[i] = y_{i,0}$ set $x_i = 0$ else if $u[i] = y_{i,1}$ set 
$x_i = 1$ else set $x_i = \bot$. 

5. If $x \in \{0,1\}^n$ (i.e. no $\bot$s), output x. 

6. Else set $K_3 = F_2(K_2, u|v)$, $r = F_2'(K_2', u|v)$. Output $iO(P_{K_3}; r)$ 
of the program^a $P_{K_3}$ of Figure 6. 

^a Appropriately padded to the maximum of the size of itself and 
$P'_{K_3, p^*, d^*}$. 

Fig. 9. Program Adaptive-Samples: 3 


Hybrid$_{s,6}$: In this hybrid, the challenger generates $e'$ uniformly at random instead 
of the output of the punctured PRF $F_2'$. This will be needed in the next few 
hybrids when we start programming the single-use parameters. 

Hybrid$_{s,7}$: Since the (bounded size) program Adaptive-Samples: 3 must remain 
programmable for an unbounded number of samples, we now move the hardwired 
single-use parameters g from the Adaptive-Samples: 3 program to a hidden trigger 
encoding in the output of the random oracle, $u^*$. Specifically, this is done by 
setting for all $i \in [1, n]$, $z^*_{i, g_i} = \mathrm{PRG}(u^*[i])$ in Hybrid$_{s,7}$. This is made possible 
also by injectivity of the PRG. Once $u^*$ has been programmed appropriately to 
encode the value g, hardwiring g into the program becomes redundant, and it 
is possible to replace Adaptive-Samples: 3 with the previous program Adaptive-Samples: 2. 

At this point, we can seal back the punctured keys, un-hardwire g from the 
program and return to the original program Adaptive-Samples in a sequence of 
hybrids, Hybrid$_{s,8}$ to Hybrid$_{s,10}$, which reverse our sequence of operations from 
Hybrid$_{s,1}$ to Hybrid$_{s,3}$. More specifically, Hybrid$_{s,8}$ involves generating $z^*_{i,b}$ for all 
$i \in [n]$, $b \in \{0,1\}$ as outputs of a PRG, and this is indistinguishable by security of 
the PRG. Then Hybrid$_{s,9}$ involves generating $(y^*_{1,0}, y^*_{1,1}, \ldots, y^*_{n,0}, y^*_{n,1})$ as output 
of $F_1(K_1^{(n)}, v^*)$, and this is indistinguishable by security of the puncturable PRF. 

At this point, hardwiring the $z^*$ values becomes redundant, and it is possible 
to go back to program Adaptive-Samples, in Hybrid$_{s,10}$, arguing indistinguishability 
via indistinguishability obfuscation. 
Now, $\mathrm{Hybrid}_{s,10}$ becomes identical to $\mathrm{Hybrid}_{s-1,13}$ except for a trapdoor that
has been programmed into the random oracle output $u^*$, which outputs specific
selective single-use parameters.

Second Step. Now, it is straightforward (following the same sequence of hybrids
as in the selective single-use case) to force the single-use parameters that were
programmed into $u^*$ to output the external parameters $p^*$, in hybrids $\mathrm{Hybrid}_{s,11}$
through $\mathrm{Hybrid}_{s,13}$. Please refer to the full version for a more detailed proof.

No honest sample violations. In the final hybrid, whenever the
adversary queries $\mathcal{H}$ on any input $d$, we set $(u,v) = H(d)$ to
output the externally specified samples $p^*$. Thus, the correctness requirement
in the ideal world is always met, and there are no honest sample violations
according to Definition 4.

Acknowledgements. The authors would like to thank the anonymous Asiacrypt 2016 
reviewers for their helpful comments, and in particular for pointing out the contents 
of Remark 1. 
Abstract. The indistinguishability security of a public-key cryptosystem
can be reduced to a computational hard assumption in the random
oracle model, where the solution to a computational hard problem is
hidden in one of the adversary's queries to the random oracle. Usually,
there is a finding loss in finding the correct solution from the query
set, especially when the decisional variant of the computational problem
is also hard. The problem of finding loss must be addressed to obtain
tight(er) reductions of this type. In EUROCRYPT 2008, Cash, Kiltz
and Shoup proposed a novel approach using a trapdoor test that can
solve the finding loss problem. The simulator can find the correct solution
with overwhelming probability 1 if there exists a trapdoor test for
the adopted hard problem. The proposed approach is efficient and can
be used for many Diffie-Hellman computational assumptions. The only
limitation is the requirement of a trapdoor test, which must be found for
the adopted computational assumptions.

In this paper, we introduce a universal approach for finding loss,
namely the Iterated Random Oracle, which can be applied to all computational
assumptions. The finding loss in our proposed approach is very
small. For $2^{60}$ queries to the random oracle, the success probability of
finding the correct solution from the query set will be as large as $1/64$,
compared to $1/2^{60}$ by a random pick. We show how to apply the iterated
random oracle for a security transformation from a key encapsulation
mechanism with one-way security to normal encryption with indistinguishability
security. The security reduction is very tight due to the small
finding loss. The transformation does not expand the ciphertext size.
We also give an application of the iterated random oracle to key
exchange.
1 Introduction

Security reduction is a kind of reduction technique in cryptography where we
construct a simulator that uses an adversary's attack to solve a mathematically
hard problem. According to the type of attack and the type of hard problem,
cryptosystems have the following two popular types of security reduction.

- Unforgeability security based on a computational hard problem (UF-CHP). 
This type of security reduction has been used to prove the security of digital 
signature schemes. We construct a simulator that uses a forged signature from 
the adversary to solve a computational hard problem. 

- Indistinguishability security based on a decisional hard problem (IND-DHP). 
This type of security reduction has been used to prove the security of encryp- 
tion schemes. We construct a simulator that uses the guess of random message 
in the challenge ciphertext from the adversary to decide whether a solution in 
a given instance is correct or incorrect. 

Roughly speaking, a computational problem is to find a correct solution to a
given instance, while a decisional problem is to decide whether or not a solution
in a given instance is correct. A computational hard problem is always harder
than its decisional variant. However, without any additional assumption, it seems
impossible to carry out a security reduction for a cryptosystem with indistinguishability
security based on a computational hard problem. We call this type
of reduction IND-CHP for short. This is because the guess from the adversary
has only two answers, 0 or 1, which cannot provide sufficient information to find
a correct solution. Fortunately, an IND-CHP reduction becomes possible with the
help of random oracles. Random oracles were first introduced by Bellare and
Rogaway in [5] for designing efficient protocols. In the random oracle model, at
least one hash function, namely $H$, is treated as a random oracle whose responses
to queries are assumed to be uniformly distributed. Nobody, the adversary in
particular, has any advantage in guessing the hash value of an input before querying
that input to the random oracle. With the help of this "magical" property, many
cryptosystems such as asymmetric encryption and key exchange can achieve an
IND-CHP security reduction.

The IND-CHP security reduction is programmed as follows. Suppose the
simulator aims to compute $C[I,P]$ as the solution to a given instance $I$ under a
computational hard problem $P$. The simulator, who controls the random oracle,
programs the simulation using the instance $I$. In the simulation, the adversary
must make a set of queries, including a challenge query denoted by $Q$, to the random
oracle in order to break the security, and the solution $C[I,P]$ can be extracted from
this challenge query. Different from UF-CHP and IND-DHP security reductions,
the simulator solves the hard problem using the adversary's query set to the random
oracle instead of the adversary's forgery or guess. This distinctive security
reduction raises a very important and interesting question:

How to find the correct solution from the adversary's query set?
We call this problem the finding problem, and the reduction has a finding
loss if the simulator can only succeed in finding the correct solution from the
query set with a probability less than 1. When the decisional variant of the
computational hard problem $P$ is easy, there is no finding loss, since the simulator can verify the
solutions extracted from every query. However, when the decisional variant is
also hard, it seems the finding loss cannot be avoided. In this work, we focus on the
non-trivial case where the decisional variant of $P$ is also hard.

1.1 Finding Loss in Previous Approaches 

In the IND-CHP security reduction, when the adversary can break a scheme
simulated using an instance $I$, the challenge query will appear in the adversary's
query set and contain the solution $C[I,P]$ to the instance $I$. After the simulation is
disclosed, the reduction is equivalent to the following: the adversary who is given an
instance $I$ will make a set of queries including a challenge query $Q = C[I,P]$.
Using this disclosed reduction, we can use the following theories to describe how
the finding problem is addressed.

The traditional approach in the literature is described in Theory 1. It has been
applied to many cryptosystems, such as [8], for IND-CHP security reductions.

Theory 1 (Traditional Approach). Suppose an adversary, who is given an
instance $I$ generated by the simulator, must make a set of queries $\mathcal{Q}$ ($|\mathcal{Q}| = q$)
including a challenge query $Q = C[I,P]$ to the random oracle. We can construct
a simulator who controls the random oracle to solve the hard problem $P$ using
the query set $\mathcal{Q}$ in $O(1)$ time with success probability $1/q$.

It is easy to construct such a simulator. Given an instance $I$, the simulator
forwards the instance to the adversary. Then, the challenge query is equal to the
solution the simulator is looking for. A random pick from a query set of $q$
queries therefore has success probability $1/q$.

In the security reduction, the adversary can make a polynomial number of
queries to the random oracle. The query number $q$ can be as large as $q = 2^{60}$, and
hence the success probability of finding the correct solution is $1/2^{60}$. This means
that all cryptosystems using this traditional approach in their reduction have
at least a 60-bit security loss. In the concrete security of group-based cryptosystems,
we must expand the corresponding group size by 60 bits of security to
compensate for this loss. This compensation requires a security parameter at least
120 bits longer in the group choice, and therefore comes with
less efficient group operations and larger group representations.

In EUROCRYPT 2008, Cash, Kiltz and Shoup [10] introduced the first novel
approach to finding loss. They proposed a new computational problem called the
twin Diffie-Hellman problem. This new problem is as hard as the Computational
Diffie-Hellman (CDH) problem even given access to a corresponding decision
oracle. The heart of their approach is a trapdoor test, which allows the simulator
to simulate an effective decision oracle without knowing any of the corresponding
discrete logarithms. Their approach can be summarized by the following theory.
Theory 2 (Cash-Kiltz-Shoup). Suppose an adversary, who is given instances
$(I_1, I_2)$ generated by the simulator, must make a set of queries $\mathcal{Q}$ ($|\mathcal{Q}| = q$)
including a challenge query $Q = C[I_1,P] \,\|\, C[I_2,P]$ to the random oracle. We
can construct a simulator who controls the random oracle to solve the hard problem
$P$ using the query set $\mathcal{Q}$ in $O(q)$ time with success probability nearly 1,
if there exists a trapdoor test on solutions to a given instance and a created
instance under the hard problem $P$.


The simulator can be constructed as follows. Given an instance $I$, the simulator
sets $I_1 = I$. Then, it randomly chooses a trapdoor and creates the second instance
$I_2$ from $I_1$ and the trapdoor. The trapdoor test has the property that a
query $Q = Q_1 \| Q_2$ passes the trapdoor test run by the simulator if and only if
$Q_1 = C[I_1,P]$ and $Q_2 = C[I_2,P]$, except with negligible probability. Therefore,
only the challenge query can pass the test, and the simulator can successfully find
the correct solution $C[I,P]$ without any finding loss after all queries are tested.

Based on this theory, Cash, Kiltz and Shoup [10] proposed many twin schemes
built from original schemes using two key pairs, whose IND-CHP security reductions
are tight(er) without any finding loss. The price to pay is that the encryption
scheme costs twice as much as the original in terms of key size and computation,
although the ciphertext size is unchanged. However, this theory
has a limitation. It can only be applied to those cryptosystems whose underlying
computational assumptions have a corresponding trapdoor test. The trapdoor
test proposed in [10] is a very special construction and can be adopted by
some computational Diffie-Hellman hard problems only.


1.2 Our Contribution 

We propose a completely new approach to finding loss, namely the iterated random
oracle, which can be applied to all computational hard problems. Instead of using
a trapdoor test to find the correct solution, the simulator in our approach
removes most of the useless queries, such that a random pick from the remaining queries
has only a small finding loss. The corresponding theory is described
as follows.

Theory 3 (Iterated Random Oracle). Let $H$ be a random oracle. Suppose
an adversary, who is given instances $(I_1, I_2, \ldots, I_n)$ generated by the simulator,
must make a set of queries $\mathcal{Q}$ ($|\mathcal{Q}| = q$) including a challenge query $Q^* = Q^*_n$
to the random oracle, where $Q^*_i$ is defined as

$Q^*_i = H(Q^*_{i-1}) \,\|\, C[I_i, P] \,\|\, i : \quad i \in [1,n],\ H(Q^*_0) = 0_e$ is an empty string.

We can construct a simulator who controls the random oracle to solve the hard
problem $P$ using the query set $\mathcal{Q}$ in $O(n)$ time with success probability at least
$1/(n\,q^{1/n})$.
The simulator construction and probability analysis are given in Sect. 3. We give
an example in the next subsection to overview the simulator construction and
the probability analysis. When this theory holds, the success probability is $1/640$
for $q = 2^{60}$ and $n = 10$. We can further increase the success probability to $1/64$
by repeating the hash operations ten times. In comparison with the traditional
approach, whose success probability is only $1/2^{60}$, our approach significantly improves
the success probability even with a small integer $n$. We compare the different
approaches to finding loss in Table 1.

We show how to apply the iterated random oracle in encryption and key
exchange for tight(er) reductions. In the application to encryption, we show how
to use a key encapsulation mechanism with one-way security to construct an
encryption scheme with indistinguishability security against chosen-plaintext
attacks and chosen-ciphertext attacks. The security transformation from one-way
security to indistinguishability security has only a small finding loss.
Notice that the security reduction for a key encapsulation mechanism with one-way
security has no finding loss, because the adversary must return the
encapsulation key, which can be programmed as the solution to the computational
hard problem in the reduction. Therefore, our security transformation is
equivalent to a provably secure encryption under an IND-CHP security reduction
with a small finding loss. The transformation is $n$ times ($n = 10$) less efficient
in terms of key size and computations. However, the transformation does not
expand the ciphertext size when the generation of the key encapsulation is independent
of the public key. Many encryption schemes, such as ElGamal encryption
[21] and BF-IBE [8], can be modified into key encapsulation mechanisms with
this property. We also study the application of the iterated random oracle to
an identity-based non-interactive key exchange protocol and other key exchange
protocols.

Table 1. Comparison of different approaches for finding loss. The finding efficiency
refers to the time cost of picking a query from the query set. The query efficiency
refers to the time cost of generating the challenge query. Here, $q$ is the size of the query
set including the challenge query and $n$ is the maximum iteration time.

                        Theory 1     Theory 2     Theory 3 (Ours)
  For all problems      ✓            ✗            ✓
  Success probability   $1/q$        $1$          $1/(n\,q^{1/n})$
  Finding efficiency    $O(1)$       $O(q)$       $O(n)$
  Query efficiency      $1$          $2$          $O(n)$

1.3 Overview of the Approach 

For simplicity, we use the concrete CDH problem as an example to give an
overview of the approach in the iterated random oracle. Suppose an adversary,
who is given instances $I_i = (g, g^{a_i}, g^b)$ for all $i \in [1,n]$ generated by the
simulator, must make a query set $\mathcal{Q}$ ($|\mathcal{Q}| = q$) including a challenge query $Q = A_n$
to the random oracle, where $A_n$ is defined as

$A_i = H(A_{i-1}) \,\|\, g^{a_i b} \,\|\, i : \quad i \in [1,n],\ H(A_0) = 0_e$ is an empty string.

We can construct a simulator to solve the CDH problem using the query set $\mathcal{Q}$
with success probability at least $1/(n\,q^{1/n})$. Given as input an instance $(g, g^a, g^b)$
in a cyclic group $\mathbb{G}$ of prime order $p$, the aim of the simulator is to find
$g^{ab}$ from the query set generated by the adversary. This reduction is mainly
composed of two tasks: (1) how to generate the instances $I_i = (g, g^{a_i}, g^b)$, $i \in [1,n]$,
for the adversary, namely instance generation, and (2) how to pick the query
from the adversary's query set, namely query selection.

Instance Generation. The simulator randomly chooses $d \in [1,n]$ and
$a_1, a_2, \ldots, a_{d-1}, a_{d+1}, \ldots, a_n \in \mathbb{Z}_p$, and sets $a_d = a$. Then, it gives $I_i = (g, g^{a_i}, g^b)$
for all $i \in [1,n]$ to the adversary, who is required to make a query set including
$A_n$. It is required that the adversary does not know $d$. Since all instances are
chosen randomly, this requirement holds trivially. Among the instances given to the
adversary, the simulator can compute $g^{a_i b} = (g^b)^{a_i}$ for all $i \in [d+1, n]$ by itself,
since all related $a_i$ are known. This is very important for achieving a small finding loss
in the query selection.

Query Selection. In this phase, a query is defined as either a candidate query or a
useless query. The simulator randomly picks a query from the candidate queries
after all useless queries have been removed. Before introducing what useless queries
are and how to remove them, we first describe what iterated queries look like.

The query $Q = H(Q') \,\|\, W \,\|\, i$ in the iterated random oracle is an iterated
query, composed of an oracle response, a weight $W$ (the solution will appear here)
and an iteration time. All iterated queries to the random oracle can be depicted
in an arbitrary tree, where a node denotes a response on a query and an edge
denotes a query. The root is an empty string. The edge $Q = H(Q') \,\|\, W \,\|\, i$ starts
from the node $H(Q')$ and ends at the node $H(Q)$, which is depicted at the level
$i$. When the maximum iteration time is $n$, the height of this arbitrary tree is $n$.

For example, the two queries $Q^{(1)}_1 = 0_e \,\|\, W^{(1)}_1 \,\|\, 1$ and $Q^{(2)}_{1,1} = H(Q^{(1)}_1) \,\|\, W^{(2)}_{1,1} \,\|\, 2$
can be depicted as a path from the root to a leaf, shown in Fig. 1.

According to the property of the random oracle, if $Q = A_n$ appears in the
query set, all queries $A_1, A_2, \ldots, A_n$ must appear in the query set. Now, we can
roughly describe what useless queries are. First, all queries whose iteration time
is not equal to $d$ are useless queries. Second, a query $Q$ with iteration
time equal to $d$ is a useless query if there is no valid path from the node $H(Q)$
to a leaf node at the level $n$. Here, a valid path is a path in which all edges for
$i \in [d+1, n]$ are valid queries, i.e. queries whose weights are equal to $g^{a_i b}$. The
simulator can verify whether a path is valid or not, because $g^{a_i b} = (g^b)^{a_i}$ for all
$i \in [d+1, n]$ is computable using the known $a_i$. All queries with iteration time equal to $n$
are candidate queries.
Fig. 1. Example 1

Fig. 2. Example 2


Probability Analysis. Based on the above instance generation and query selection,
we can prove that there must exist an integer $i^* \in [1,n]$ achieving the minimum
probability $1/q^{1/n}$. Precisely, for those queries with iteration time $i^*$, the success
probability of picking a valid query from the candidate queries is $1/q^{1/n}$. The integer $i^*$
is adaptively decided by the adversary when generating the query set, while the integer
$d$ is randomly chosen by the simulator. When $d = i^*$ (i.e. the simulator happens
to embed the solution at this level), all useless queries with iteration time $i^*$ are
removed and the corresponding success probability is $1/q^{1/n}$. Therefore, we
obtain the success probability

$\Pr[suc] = \sum_{i=1}^{n} \Pr[suc \mid d = i]\,\Pr[d = i] \;\ge\; \Pr[suc \mid d = i^*]\,\Pr[d = i^*] = \frac{1}{n\,q^{1/n}}.$

We now give four simple examples with $n = 2$ and $q = 8$ to analyze the
above result. The corresponding success probability $\Pr[suc \mid d = i^*]$ for some $i^*$
should be at least $1/\sqrt{8}$. We use a solid line to denote a query at the level $i$ if it
has a valid weight equal to $g^{a_i b}$; otherwise, we denote the query with a dashed
line. In this arbitrary tree, $Q^{(i)}_{j,k}$ denotes a query at the level $i$. Notice that all
queries from the same node include at most one query with a valid weight, but the
queries at the same level $i$ could include more than one valid query, whose weights
are all equal to $g^{a_i b}$.

In these examples, if the adversary only makes two queries at the first level,
we immediately have $\Pr[suc \mid d = 1] = \frac{1}{2}$ when $d = 1$. Therefore, in the
following examples, the adversary is assumed to make three queries at the first
level.


- Suppose the query set can be depicted as the tree in Fig. 1. When $d = 1$, two
of the three queries at this level are removed because their nodes have no valid
path, so that only one query remains at this level. Therefore, we have
$\Pr[suc \mid d = 1] = 1 \ge 1/\sqrt{8}$.

- Suppose the query set can be depicted as the tree in Fig. 2. When $d = 1$, one
query is removed because its node has no valid path, so that two queries
remain at this level. Therefore, we have $\Pr[suc \mid d = 1] = \frac{1}{2} \ge 1/\sqrt{8}$.

Fig. 3. Example 3

Fig. 4. Example 4

- Suppose the query set can be depicted as the tree in Fig. 3. When $d = 2$, it is
easy to see that $\Pr[suc \mid d = 2] = \frac{1}{2} \ge 1/\sqrt{8}$.

- Suppose the query set can be depicted as the tree in Fig. 4. The result is
exactly the same as for Fig. 3, where $\Pr[suc \mid d = 2] = \frac{1}{2} \ge 1/\sqrt{8}$.


1.4 Other Related Work 

Tight UF-CHP security reductions for digital signatures have
been studied in [1,2,6,13,14,24-26]. A tight reduction requires no abort in the
signature simulation and allows solving a hard problem from the forged signature.
With the help of random oracles, it seems easier to achieve a tight reduction
by appending a random bit to the message to be signed. In this reduction, the
simulator uses the bit to control the hash values of the messages to be signed and
to be forged, such that the abort probability is very small.

Tight IND-DHP security reductions for encryption have
been studied in [4,7,9,15,16,22,23,26-28]. To achieve a tight reduction, the simulator
must be able to simulate decryption queries for CCA security and private key
queries for identity-based encryption and its variants. It also requires the simulator
to program the challenge ciphertext into a one-time pad or an indistinguishable
ciphertext depending on the given instance. We note that the approaches to tight
reduction differ from scheme to scheme, because there is no general technique enabling a
tight reduction for encryption, especially without random oracles.

The IND-CHP security reduction is a special reduction requiring the help of
random oracles, where the simulator solves a hard problem using the adversary's
queries instead of its direct attack. Finding the correct solution in the
adversary's query set is necessary to achieve a tight reduction. The problem
of finding loss only exists in this reduction type, especially when the decisional
variant is also hard. The traditional approach to finding loss is a random
pick, which results in a huge finding loss. The first non-trivial approach was
introduced by Cash, Kiltz and Shoup [10] in EUROCRYPT 2008. The proposed
trapdoor test can be used to solve finding loss in the corresponding IND-CHP
security reductions. They showed that the proposed approach can be
applied to Diffie-Hellman key exchange [17], Cramer-Shoup encryption [16], BF-IBE
[8] and password-authenticated key exchange [3] to achieve tightness
of the security reduction. This approach, however, requires that the computational
hard problem can be embedded with a trapdoor test on solutions to a given
instance and a created instance. This work has been extended and applied in
[11,12], but those works still have the same restriction. There is no efficient approach to
finding loss in the IND-CHP security reduction without any restriction on the
adopted computational hard assumptions.

The rest of this paper is organized as follows. In Sect. 2 we use an example to introduce
how the IND-CHP security reduction works; the generalization of
computational hard problems is also given and discussed there. In Sect. 3, we prove the
correctness of Theory 3. Then, we show how to apply the iterated random oracle
to encryption in Sect. 4 and to key exchange in Sect. 5, towards tight(er) security
reductions.

2 IND-CHP Security Reduction and Generalized Problems

2.1 An Example of IND-CHP Security Reduction 

Let $\mathbb{G}$ be a cyclic group of prime order $p$ and $g$ be a generator. Let $H :
\{0,1\}^* \to \{0,1\}^n$ be a one-way hash function. Consider the following bare
ciphertext $CT$ without a public/secret key pair, where $x, y \in \mathbb{Z}_p$ and $coin \in
\{0,1\}$ are chosen randomly and secretly.

$CT = (c_1, c_2, c_3) = (g^x, g^y, H(g^{xy}) \oplus m_{coin})$

Suppose there exists an adversary who can distinguish the message $m_{coin} \in
\{m_0, m_1\}$ in $CT$ with a non-negligible advantage $\epsilon$ in polynomial time, where
the two messages $m_0, m_1 \in \{0,1\}^n$ are adaptively chosen by the adversary.
We can construct a simulator to solve the CDH problem in the random oracle
model, where $H$ is set as a random oracle controlled by the simulator.

Before we introduce how to program the security reduction, we first introduce
the nice feature of using a random oracle in a security reduction. In the random
oracle model, the message is encrypted with $H(g^{xy})$, which is a random string
from $\{0,1\}^n$ and is independent of its hash input $g^{xy}$ and of $(g^x, g^y)$. Without
making a query on $g^{xy}$ to the random oracle, the ciphertext $CT$ is a one-time pad
encryption of $m_{coin}$, because $H(g^{xy})$ is random and independent of $(g^x, g^y)$ in the
ciphertext. Then, the success probability of guessing the encrypted message is only $\frac{1}{2}$.
According to the assumption, the adversary can distinguish the encrypted
message with probability $\frac{1}{2} + \epsilon$. This assumption implies that the adversary
queried $g^{xy}$ to the random oracle with probability $2\epsilon$ [8]. That is, one of the
queries in the adversary's query set is equal to $g^{xy}$. This query is called the challenge
query, which is used to break the security of the cryptosystem.

The security reduction works as follows. Given $(g, g^a, g^b)$, the simulator aims
to compute $g^{ab}$. Upon receiving $m_0, m_1 \in \{0,1\}^n$ from the adversary, the simulator
creates the challenge ciphertext as $CT = (c_1, c_2, c_3) = (g^a, g^b, R)$, where
$R$ is a random string from $\{0,1\}^n$. All the simulator then does is wait for
queries from the adversary. Notice that if the adversary does not make a query
on $g^{ab}$ to the simulator, the adversary can neither distinguish the message with
a non-negligible advantage nor distinguish the simulated ciphertext from a real
ciphertext. According to the assumption, the group element $g^{ab}$ appears among
the queries with probability $2\epsilon$. Suppose the adversary made $q$ queries to
the random oracle in total. The simulator randomly picks one of the queries as the
solution to the CDH problem. The randomly picked element is equal
to $g^{ab}$ with probability $\frac{2\epsilon}{q}$. That is, the simulator solves the hard problem
with probability $\frac{2\epsilon}{q}$ in this security reduction. This completes the
description of the security reduction. It has a finding loss: the success probability
degrades linearly in the number of hash queries $q$.

We note that the above bare ciphertext cannot be decrypted by anyone when
the CDH problem is hard. However, in a real encryption scheme, the encryptor
and the decryptor know more than the bare ciphertext. Treating
$g^x$ as the public key and $y$ as the random number chosen by the encryptor,
the bare ciphertext is equivalent to the hashed ElGamal encryption
scheme, where the encryptor knows $y$ and the decryptor knows the secret key
$x$, so that the ciphertext can be created and decrypted respectively. Roughly
speaking, a secure encryption scheme is constructed in such a way that a computational
hard problem can be easily solved by the encryptor and decryptor with an
additional secret, while outsiders (adversaries) who do not know a secret must
solve the computational hard problem in order to break the scheme.
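The bare ciphertext and the random-pick simulator of this subsection, as an added example that is not part of the original paper. It uses a constructed toy group, the order-11 subgroup of $\mathbb{Z}_{23}^*$ generated by 4 (far too small for real use), a lazily sampled random oracle that records its hash list, and a simulator that sets $CT = (g^a, g^b, R)$ and picks one recorded query as its CDH answer. The adversary is a stand-in that is simply handed the challenge query, since the reduction only uses the fact that $g^{xy}$ appears in the query set; `finding_loss` then measures the $1/q$ success rate empirically. `RandomOracle`, `bare_encrypt`, `decrypt`, `toy_adversary`, `simulate_reduction` and `finding_loss` are this example's own names.

```python
import random

# Toy group, constructed for this example: the order-11 subgroup of Z_23^* generated by 4.
# Exponents therefore live in Z_11. Nothing here is a secure parameter choice.
P, G, ORDER = 23, 4, 11
N_BYTES = 4  # length of H's output (the paper's n bits; here n = 32)


def gexp(base, e):
    return pow(base, e, P)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


class RandomOracle:
    """H as a lazily sampled random function. Whoever instantiates it 'controls' it and sees
    the hash list; in the reduction that is the simulator, and the hash list is the query set."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}
        self.query_set = []  # distinct queries, in the order they were first asked

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")
            self.query_set.append(x)
        return self.table[x]


def bare_encrypt(H, rng, m0, m1):
    """CT = (g^x, g^y, H(g^xy) xor m_coin) for secret random x, y and coin.
    The secrets are returned too, so that decryption can be checked."""
    x, y, coin = rng.randrange(1, ORDER), rng.randrange(1, ORDER), rng.randrange(2)
    c3 = xor(H(gexp(G, x * y)), (m0, m1)[coin])
    return (gexp(G, x), gexp(G, y), c3), coin, x, y


def decrypt(H, ct, x):
    """The decryptor's view of hashed ElGamal: knowing x, recover g^xy as c2^x."""
    c1, c2, c3 = ct
    return xor(c3, H(gexp(c2, x)))


def toy_adversary(H, rng, ct, q, challenge_query):
    """Stand-in for an adversary that breaks CT. The argument only uses that such an
    adversary's query set contains g^xy, so the stand-in is handed the challenge query
    and buries it among q-1 other queries. It performs no attack."""
    others = rng.sample([e for e in range(1, P) if e != challenge_query], q - 1)
    queries = others + [challenge_query]
    rng.shuffle(queries)
    for e in queries:
        H(e)


def simulate_reduction(rng, q, a, b):
    """Simulator: given (g, g^a, g^b) it sets CT = (g^a, g^b, R) with R random (so it never
    needs H(g^ab)), runs the adversary, then picks one recorded query uniformly as its
    answer to the CDH instance. Returns whether that pick equals g^ab."""
    H = RandomOracle(rng)
    R = rng.getrandbits(8 * N_BYTES).to_bytes(N_BYTES, "big")
    ct = (gexp(G, a), gexp(G, b), R)
    g_ab = gexp(G, a * b)
    toy_adversary(H, rng, ct, q, g_ab)
    return rng.choice(H.query_set) == g_ab  # the simulator itself never queried H


def finding_loss(trials, q, seed=0):
    """Empirical success rate of the random pick over many CDH instances; approaches 1/q."""
    rng = random.Random(seed)
    wins = sum(simulate_reduction(rng, q, rng.randrange(1, ORDER), rng.randrange(1, ORDER))
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("success rate of the random pick with q = 8:", finding_loss(4000, 8))
```

The simulator never calls `H` itself, so the hash list it searches is exactly the adversary's query set of size $q$; with $q = 8$ the measured rate settles near $0.125$, which is the $1/q$ finding loss the text describes.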


2.2 Generalized Computational Hard Problems 

We generalize all computational hard problems into the following description.

$I$: The input arbitrary string (also known as the instance)

$P$: The computational problem

$C[I, P]$: The solution to the instance $I$ under the computational problem $P$.

For example, given an instance $I = (g, g^a, g^b) \in \mathbb{G}$, based on different problems
$P$, the solution can be

$C[I, P_1] = g^{ab}, \quad C[I, P_2] = g^{*}.$

The generalized computational hard problem is defined as

$\Pr\big[\mathcal{A}(I, P) = C[I, P]\big] \le \epsilon,$

where no adversary $\mathcal{A}$ who is given $(I, P)$ can find a solution $C[I, P]$ with a non-negligible
advantage $\epsilon$. Here, $\epsilon$ is a function of the security parameter used in the
generation of the instance $I$.

For the computational hard problem $(I, P)$, anyone can verify whether a solution
is correct if the decisional variant of this problem is easy. If the decisional
variant is also hard, it seems that no one can verify the correctness of a solution.
This observation is, however, not correct, because the instance generator
can generate the instance in such a way that it knows the correct solution. Take the
CDH problem in a cyclic group where the DDH problem is also hard as an example.
The instance generator can randomly choose $a, b \in \mathbb{Z}_p$ and set the instance to be
$(g, g^a, g^b)$, so that the solution $g^{ab}$ is computable by the instance generator.
Hence, for the computational hard problem $P$, we assume the instance generator
is able to generate an instance $I$ such that $C[I, P]$ can be efficiently computed.
This assumption is necessary to support the definition of computational hard
problems whose decisional variants are also hard. We emphasize the importance
of this property here because the simulator in the iterated random oracle must
generate some instances indistinguishable from the challenge instance, such that
the simulator can compute the solutions to all self-generated instances under the
challenge hard problem $P$.

3 Iterated Random Oracle and Its Proof 

In the iterated random oracle, each query is programmed using iterations,
and hence is called an iterated query. An iterated query is composed
of an oracle response, a weight (the solution to a hard problem will appear here)
and an iteration time. They are put together using the concatenation symbol "$\|$".
Given a hash list recording all iterated queries and their responses, we can depict
all queries in the hash list using an arbitrary tree. The height of this arbitrary
tree is $n$, where $n$ is the maximum iteration time. The details are described
in the following subsections.

3.1 Iterated Query and Tree Representation 

Iterated Query. We define an iterated query $Q$ to the random oracle as

$Q = \text{Response} \,\|\, \text{Weight} \,\|\, \text{Iteration Time} = \mathcal{R} \,\|\, W \,\|\, i,$

where $\mathcal{R}$ is a response on a query from the random oracle $H$ (the empty string
$0_e$ is taken as the initial response), $W$ is a weight (any arbitrary string)
chosen by the adversary and $i$ is the iteration time. The iteration time denotes
the minimum number of sequential queries needed to make such an iterated query. If $i = 1$,
the adversary can make the query immediately. Otherwise, for example, given
$Q_1 = 0_e \,\|\, W_1 \,\|\, 1$ and $Q_2 = H(Q_1) \,\|\, W_2 \,\|\, 2$, the adversary must query $Q_1$
before $Q_2$. We will use the following symbols associated with queries and
responses in the representations below.

- $Q^{(i)}_{j,k}$ is an iterated query with the iteration time $i$.

- $W^{(i)}_{j,k}$ is the weight in the iterated query $Q^{(i)}_{j,k}$.

- $\mathcal{Q}$ is the set of all queries made by the adversary.

- $\mathcal{Q}^{(i)}$ is the set of all iterated queries whose iteration time equals $i$.

- $H(Q)$ is the response from the random oracle on the query $Q$.
Tree Representation. Suppose the adversary only makes the above iterated 
queries to the random oracle, and an initially empty hash list $\mathcal{L}$ is used to record all 
queries and responses. We can depict all queries and corresponding responses 
using an arbitrary tree (such as Fig. 5), where the root is the empty string $0_\epsilon$. 

- All edges denote iterated queries and their end nodes denote the corresponding 
responses. 

- The query $Q^{(i)}_{j,k} = H(Q^{(i-1)}_j) \,\|\, \Omega^{(i)}_{j,k} \,\|\, i$ is the edge connecting the 
node $H(Q^{(i-1)}_j)$ and the node $H(Q^{(i)}_{j,k})$ at level $i$. Here, $j$ in this query 
indicates that $Q^{(i-1)}_j$ is the $j$-th query at level $i-1$ counted from left to 
right, and $k$ indicates that $H(Q^{(i)}_{j,k})$ is the $k$-th child of $H(Q^{(i-1)}_j)$ 
counted from left to right. 

- The height of the arbitrary tree is the maximum iteration time over all iterated 
queries. 

The hash list and the tree representation are connected as follows. 
First, this is an arbitrary tree because the adversary can make any number of 
iterated queries $Q = \mathcal{R} \,\|\, \Omega \,\|\, i$ with the same $\mathcal{R}$ and $i$. Second, all edges 
starting from the same node depict queries with the same $\mathcal{R}$ and $i$ 
but distinct weights $\Omega$. Third, all iterated queries are different, so all nodes 
are distinct, but the weights in queries (edges) from different nodes could 
be the same. For example, the weight $\Omega^{(2)}_{3,1}$ must be different from $\Omega^{(2)}_{3,2}$ because 
the queries $Q^{(2)}_{3,1}, Q^{(2)}_{3,2}$ already have the same oracle response and iteration time. 
However, $\Omega^{(2)}_{3,2}$ could be equal to $\Omega^{(2)}_{1,1}$ in Fig. 5. This observation is very important 
in the analysis of the success probability for the iterated random oracle. Finally, the 
total number of queries is equal to the total number of edges in this arbitrary tree, 
if all queries are iterated queries. 

In the random oracle model, the adversary can query any string of its own 
choice. However, we focus on the defined iterated queries only. We emphasize 
that this focus loses nothing, because any other query that cannot be described 
in this arbitrary tree cannot be the challenge query and will be removed from the 
query set before the selection. 

3.2 Proof of Theory 3 

It is complicated to prove this theory directly, especially the analysis of the success 
probability. We split the proof of this theory into the following steps. 

Simulator Construction. Given as input an instance $I$ and the problem $P$, 
the simulator aims to compute $C[I, P]$. The simulator generates $(I_1, I_2, \cdots, I_n)$ 
for the adversary as follows. 

- Randomly choose $d \in [1, n]$ and set $I_d = I$. We have $C[I_d, P] = C[I, P]$. 

- Choose random instances $I_1, I_2, \cdots, I_{d-1}, I_{d+1}, \cdots, I_n$ under the problem $P$ 
such that $C[I_i, P]$ for all $i \in [1, n] \setminus \{d\}$ are known to the simulator. 

- Give $(I_1, I_2, \cdots, I_n)$ to the adversary. 

Fig. 5. An example of an arbitrary tree generated from iterated queries and responses. 

According to the assumption, the adversary will make a query set $\mathcal{Q}$ to the 
random oracle including a challenge query $Q^* \in \mathcal{Q}$, where $Q^* = Q^{(n)}_*$. According 
to the definition of $Q^{(i)}_*$ and the property of random oracles, the adversary 
must have made all challenge queries $Q^{(1)}_*, \cdots, Q^{(n)}_*$ to the random oracle. 
Otherwise, the adversary cannot generate $Q^* \in \mathcal{Q}$. Notice that $C[I, P]$ appears in 
$Q^{(d)}_* \in \mathcal{Q}^{(d)}$. The simulator will solve the hard problem by removing all useless 
queries in $\mathcal{Q}^{(d)}$, picking a random query from the remaining set and 
extracting the weight from the picked query as the solution to the hard problem. 
The success probability of finding the correct solution is the one given in 
our theory. 

Further Tree Representation. We further classify queries and weights in order 
to clarify how to remove all useless queries from $\mathcal{Q}^{(d)}$. 

- The query $Q^{(i)}_{j,k}$ is a challenge query if $Q^{(i)}_{j,k} = Q^{(i)}_*$. 

- The weight $\Omega^{(i)}_{j,k}$ is a valid weight if $\Omega^{(i)}_{j,k} = C[I_i, P]$. 

- The query $Q^{(i)}_{j,k}$ is a valid query if it has a valid weight. 

- A path from a node to a leaf is a valid path if all edges in this path are valid 
queries. 

- The query $Q^{(i)}_{j,k}$ is a child query of $Q^{(i-1)}_j$ if $Q^{(i)}_{j,k} = H(Q^{(i-1)}_j) \,\|\, \Omega^{(i)}_{j,k} \,\|\, i$. 

- The query $Q^{(i)}_{j,k}$ is a candidate query if there exists a valid path from the 
node $H(Q^{(i)}_{j,k})$ to a leaf node at level $n$. All queries in $\mathcal{Q}^{(n)}$ are defined as 
candidate queries. 

- The query $Q^{(i)}_{j,k}$ is a useless query if there is no valid path from the node 
$H(Q^{(i)}_{j,k})$ to a leaf node at level $n$. 

We note that all queries that cannot be depicted in this arbitrary tree, or can 
only be depicted outside it, are useless queries. The maximum 
number of edges in this tree is $q$. On the relationship among valid query, 
challenge query and candidate query: a challenge query must be both a 
valid query and a candidate query, while the notions of valid query and candidate 
query are independent of each other. There exists exactly one valid path from the root to a 
leaf at level $n$, because among the queries from the root only one is valid. 
There can be more than one valid query in $\mathcal{Q}^{(i)}$ for $i \ge 2$, but each 
query has at most one valid child query. In Fig. 5, we use a solid edge to denote 
a valid query and a dashed edge to denote an invalid query. 
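The extraction step described above (remove the useless queries in $\mathcal{Q}^{(d)}$, pick a random candidate, read off its weight) is simulated below in Python. This is an added example, not code from the paper. The hard problem is replaced by a placeholder in which the "solution" $C[I_i, P]$ is a hash of the instance, so that the toy adversary can build valid chains; the simulator is only given the solutions for levels $d+1, \ldots, n$, exactly as in the proof of Theory 3. The adversary's query set is constructed here: the challenge chain, at every level one decoy whose weight is wrong but which the adversary continues validly (a candidate that is not valid), and dead-end noise (useless queries). The fixed-width encoding of $\mathcal{R} \,\|\, \Omega \,\|\, i$, the function names and the seed are assumptions of the example.

```python
import hashlib
import random

EMPTY = b""   # 0_epsilon, the root's "response"
HLEN = 32     # output length of H in bytes (sha256)


def H(x):
    """Stand-in for the random oracle H (the simulator sees every query anyway)."""
    return hashlib.sha256(x).digest()


def solution(instance):
    """Placeholder for C[I, P]: derived from the instance so the toy adversary can
    build valid chains.  A real instance generator would supply it (hypothetical)."""
    return hashlib.sha256(b"solve:" + instance).digest()


def rand_weight(rng):
    """A random 32-byte weight, i.e. a wrong value for C[I_i, P]."""
    return rng.getrandbits(8 * HLEN).to_bytes(HLEN, "big")


def iterated_query(prev_response, weight, i):
    """Q^{(i)} = R || Omega || i, with fixed-width fields so the weight can be parsed back."""
    return prev_response + weight + i.to_bytes(2, "big")


def parse_query(q):
    """Inverse of iterated_query: (R, Omega, i)."""
    return q[:-(HLEN + 2)], q[-(HLEN + 2):-2], int.from_bytes(q[-2:], "big")


def valid_chain(prev_response, weights, start):
    """Queries H(Q^{(i-1)}) || w_i || i for i = start, start+1, ... as one chain."""
    queries, resp = [], prev_response
    for k, w in enumerate(weights):
        q = iterated_query(resp, w, start + k)
        queries.append(q)
        resp = H(q)
    return queries


def adversary_queries(instances, rng):
    """Constructed query set: the challenge chain Q_*^{(1..n)}, at each level one decoy
    with a wrong weight that the adversary nevertheless continues validly (a candidate
    that is not valid), and three dead-end noise queries per level (useless queries)."""
    n = len(instances)
    sols = [solution(I) for I in instances]
    challenge = valid_chain(EMPTY, sols, 1)
    Q = set(challenge)
    for j in range(1, n + 1):
        prev = EMPTY if j == 1 else H(challenge[j - 2])
        decoy = iterated_query(prev, rand_weight(rng), j)
        Q.add(decoy)
        Q.update(valid_chain(H(decoy), sols[j:], j + 1))
        for _ in range(3):
            Q.add(iterated_query(prev, rand_weight(rng), j))
    return Q, challenge


def simulator_extract(Q, n, d, known_sols, rng):
    """Extraction step of the proof of Theory 3.  known_sols[i] = C[I_i, P] for
    i in [d+1, n] only.  Level-n queries are candidates by definition; a level-i
    query is a candidate iff its node H(Q) has a child with a valid weight that is
    itself a candidate (Claims 1 and 2).  Returns (picked weight, candidate set)."""
    by_level = {}
    for q in Q:
        by_level.setdefault(parse_query(q)[2], []).append(q)
    candidates = set(by_level.get(n, []))
    for i in range(n - 1, d - 1, -1):          # empty when d = n: nothing to compute
        survivors = set()
        for q in by_level.get(i, []):
            node = H(q)
            for child in by_level.get(i + 1, []):
                resp, w, _ = parse_query(child)
                if resp == node and w == known_sols[i + 1] and child in candidates:
                    survivors.add(q)
                    break
        candidates = survivors
    if not candidates:
        return None, candidates
    pick = rng.choice(sorted(candidates))       # uniform over the remaining set
    return parse_query(pick)[1], candidates


def demo(n=4, d=2, seed=1):
    """Returns (#candidates at level d, #valid among them, challenge query survived)."""
    rng = random.Random(seed)
    instances = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)]
    Q, challenge = adversary_queries(instances, rng)
    known = {i: solution(instances[i - 1]) for i in range(d + 1, n + 1)}
    _, cands = simulator_extract(Q, n, d, known, rng)
    valid = sum(parse_query(q)[1] == solution(instances[d - 1]) for q in cands)
    return len(cands), valid, challenge[d - 1] in cands


if __name__ == "__main__":
    print(demo())   # (3, 2, True): 3 candidates at level 2, 2 of them carry C[I_2, P]
```

With $n = 4$ and $d = 2$ the simulator is left with three candidates at level 2, two of which carry $C[I_2, P]$, so the noise is filtered out but the decoy that was continued validly survives; this is why the bound is $1/q^{1/n}$ rather than 1. With $d = n$ no solution has to be computed and every level-$n$ query is a candidate, so the fraction of valid queries among them is what bounds the success probability.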

We have two important observations, stated in the following two claims. 

Claim 1. If $Q^{(i)}$ is a candidate query, it must have a valid child query. 

By the definition of a candidate query, there exists a valid path from 
the node $H(Q^{(i)})$ to a leaf node at level $n$. The first edge in this valid path 
is a valid query composed with the response $H(Q^{(i)})$. This is the valid child query 
of $Q^{(i)}$. 

Claim 2. If $Q^{(i)}$ is a candidate query and its child query denoted by $Q^{(i+1)}$ is 
a valid query, then $Q^{(i+1)}$ is also a candidate query. 

We prove this by contradiction. According to Claim 1 and the tree representation, 
there exists exactly one valid child query of $Q^{(i)}$, denoted by $Q^{(i+1)}$. All 
paths starting from the node $H(Q^{(i)})$ through invalid child queries of $Q^{(i)}$ must 
be invalid paths. If all paths starting from the node $H(Q^{(i)})$ through the edge 
$Q^{(i+1)}$ were invalid paths as well, there would be no valid path from the node $H(Q^{(i)})$ 
to a leaf node, and hence $Q^{(i)}$ would not be a candidate query. Therefore the assumption 
is incorrect, and there exists a valid path starting from the node $H(Q^{(i)})$ 
through the edge $Q^{(i+1)}$, which implies that $Q^{(i+1)}$ is also a candidate query. 


Lemma 1. If the ratio 

$$\frac{\text{The number of valid queries in } \mathcal{Q}^{(i)}}{\text{The number of candidate queries in } \mathcal{Q}^{(i)}} < \frac{1}{q^{1/n}}$$

holds for all $i \in [1, n]$, the adversary must make more than $q$ candidate queries. 

Proof. Let $N = q^{1/n}$. All queries in $\mathcal{Q}^{(i)}$ must be either valid or invalid. Let 
$VQ_i$ denote the number of valid queries at level $i$ of the tree and let $IQ_i$ denote 
the number of invalid queries at level $i$ of the tree. If the ratio holds for all 
$i \in [1, n]$, we have the following deduction from the first level to the last level, 
based on the above two claims, where only candidate queries are counted. 
Level 1. All queries are from the root and there is exactly one valid query, which 
is also a candidate query. That is, $VQ_1 = 1$. To make the ratio less than 
$1/N$, the adversary must make $IQ_1 \ge (N-1) \cdot VQ_1 + 1$ invalid queries that 
are also candidate queries. The total number of candidate queries at this level 
is therefore $VQ_1 + IQ_1$. Hence, according to Claim 1, the total number of 
valid queries at the next level is $VQ_1 + IQ_1$. 

Level 2. According to the result at level 1, the number of valid queries 
is $VQ_2 = VQ_1 + IQ_1$. According to Claim 2, these valid queries are also 
candidate queries. To make the ratio less than $1/N$, the adversary must 
make $IQ_2 \ge (N-1) \cdot VQ_2 + 1$ invalid queries that are also candidate queries. 
The total number of candidate queries at this level is therefore $VQ_2 + IQ_2$. 
Hence, according to Claim 1, the total number of valid queries at the next 
level is $VQ_2 + IQ_2$. 

Level 3. According to the result at level 2, the number of valid queries 
is $VQ_3 = VQ_2 + IQ_2$. According to Claim 2, these valid queries are also 
candidate queries. To make the ratio less than $1/N$, the adversary must 
make $IQ_3 \ge (N-1) \cdot VQ_3 + 1$ invalid queries that are also candidate queries. 
The total number of candidate queries at this level is therefore $VQ_3 + IQ_3$. 
Hence, according to Claim 1, the total number of valid queries at the next 
level is $VQ_3 + IQ_3$. 

The result at level $i$ follows the same analysis. 

Level $n-1$. According to the result at level $n-2$, the number of valid 
queries is $VQ_{n-1} = VQ_{n-2} + IQ_{n-2}$. According to Claim 2, these valid queries 
are also candidate queries. To make the ratio less than $1/N$, the adversary 
must make $IQ_{n-1} \ge (N-1) \cdot VQ_{n-1} + 1$ invalid queries that are also 
candidate queries. The total number of candidate queries at this level is therefore 
$VQ_{n-1} + IQ_{n-1}$. Hence, according to Claim 1, the total number of valid 
queries at the next level is $VQ_{n-1} + IQ_{n-1}$. 

Level $n$. According to the result at level $n-1$, the number of valid 
queries is $VQ_n = VQ_{n-1} + IQ_{n-1}$. To make the ratio less than $1/N$, 
the adversary must make $IQ_n \ge (N-1) \cdot VQ_n + 1$ invalid queries. The total 
number of queries at this level is therefore $VQ_n + IQ_n$. All queries at level $n$ 
are treated as candidate queries. 

From the above analysis, we obtain $VQ_1 + IQ_1 \ge N + 1$ and, for all $i \in [2, n]$, 

$$VQ_i + IQ_i \ge VQ_i + (N-1) \cdot VQ_i + 1 = N \cdot VQ_i + 1 > N \cdot VQ_i = N \cdot (VQ_{i-1} + IQ_{i-1}).$$

Then we obtain 

$$\sum_{i=1}^{n} (VQ_i + IQ_i) > VQ_n + IQ_n > N^{n-1} (VQ_1 + IQ_1) > N^n = q.$$

This completes the proof of Lemma 1. □ 

Based on the above definitions and explanations, we are ready to give the 
proof of Theory 3. 

Proof of Theory 3. In the simulation, the number $d$ is randomly chosen by the 
simulator and all instances $(I_1, I_2, \cdots, I_n)$ are indistinguishable. The adversary 
therefore does not know $d$, and the query set $\mathcal{Q}$ generated by the adversary is 
independent of $d$. 

According to Lemma 1, if the adversary makes at most $q$ queries, there must 
exist an integer $i^* \in [1, n]$ satisfying 

$$\frac{\text{The number of valid queries in } \mathcal{Q}^{(i^*)}}{\text{The number of candidate queries in } \mathcal{Q}^{(i^*)}} \ge \frac{1}{q^{1/n}}.$$

When $d = i^*$, the simulator can remove all useless queries in $\mathcal{Q}^{(d)}$ because 
$C[I_i, P]$ for all $i \in [d+1, n]$ are computable by the simulator. Then the success 
probability of picking a valid query from all candidate queries is at least $1/q^{1/n}$. 
The success probability $\Pr[suc]$ given in Theory 3 holds because 

$$\Pr[suc] = \sum_{i=1}^{n} \Pr[suc \mid d = i] \Pr[d = i] \ge \Pr[suc \mid d = i^*] \Pr[d = i^*] = \frac{1}{q^{1/n}} \cdot \frac{1}{n}.$$

This completes the proof of Theory 3. □ 

3.3 Variant 

The success probability given in Theory 3 is a lower bound, because 
the probability $\Pr[suc \mid d = i] \ge 0$ holds for all $i \ne i^*$. We can repeat the hash 
operation in the iterated random oracle to obtain a larger lower bound on the success 
probability. 

Theory 4 (Improved Iterated Random Oracle). Let $H$ be a random oracle. 
Suppose an adversary, who is given instances $(I_1, I_2, \cdots, I_n)$ generated by 
the simulator, must make a set of queries $\mathcal{Q}$ ($|\mathcal{Q}| = q$) including a challenge 
query $Q^* = H^{k-1}(Q^{(n)}_*)$ to the random oracle, where $Q^{(i)}_*$ is defined as 

$$Q^{(i)}_* = H^k(Q^{(i-1)}_*) \,\|\, C[I_i, P] \,\|\, i : \; i \in [1, n], \quad H(Q^{(0)}_*) = 0_\epsilon \text{ is an empty string.}$$

We can construct a simulator who controls the random oracle to solve the hard 
problem $P$ using the query set $\mathcal{Q}$ with success probability at least $k/(n q^{1/n})$. Here, 
$H^l(Q)$ denotes the hash operation repeated $l$ times on $Q$: $H^l(Q) = H(H^{l-1}(Q))$ and 
$H^0(Q) = Q$. 

In this theory, the adversary must make $k \cdot n$ queries to obtain the challenge 
query $Q^* = H^{k-1}(Q^{(n)}_*) \in \mathcal{Q}$. 

The query on $H^l(Q)$ requires the adversary to make a query on $H^{l-1}(Q)$ 
first. In particular, the query on $Q^{(i)}_*$ requires the adversary to make a query on 
$H^{k-1}(Q^{(i-1)}_*)$ to obtain $H^k(Q^{(i-1)}_*)$ and compose $Q^{(i)}_*$. The proof of this theory 
is based on a slightly different lemma where the ratio is $k/q^{1/n}$. This is because the 
total number of queries at each level is $k \cdot (VQ_i + IQ_i)$ instead of $VQ_i + IQ_i$. The 
rest of the analysis is similar and we omit it here. Therefore 
we have the success probability shown in the theory. 


3.4 Comparison of Success Probability 

We compare the success probability of finding the solution from the query set 
among the traditional approach, the Cash-Kiltz-Shoup approach and the iterated 
random oracle, where the concrete integers $n = 10$ and $k = 10$ are chosen. The 
result is given in Table 2. It shows that the iterated random oracle has a very 
small finding loss compared to the traditional approach even when the iteration time 
$n$ is very small. With a proper hash repetition count $k$, it further improves the 
success probability. Notice that the Cash-Kiltz-Shoup approach is the most 
efficient approach, but it is not a universal approach for any computational hard 
problem. 


Table 2. Comparison of success probability. 

Approach                                        q = 2^40    q = 2^50    q = 2^60 
Traditional approach                            1/2^40      1/2^50      1/2^60 
Cash-Kiltz-Shoup [10,11]                        1           1           1 
Iterated random oracle with n = 10, k = 1       1/160       1/320       1/640 
Iterated random oracle with n = 10, k = 10      1/16        1/32        1/64 


3.5 Comparison of Query Efficiency and Finding Efficiency 

The price to pay for the small finding loss of the iterated random oracle is the 
efficiency loss in the generation of the challenge query. Recall that the challenge 
query is associated with one instance computation in the traditional approach 
(Theory 1) and two instance computations in the Cash-Kiltz-Shoup [10,11] 
approach (Theory 2). The challenge query in the iterated random oracle is associated 
with $n$ instance computations and $n$ queries (or $n \cdot k$ queries). The efficiency loss is 
linear in $n$. Fortunately, $n$ can be as small as 10 in the iteration. Furthermore, 
when the efficiency is mainly dominated by the computation of $C[I_i, P]$, 
these computations can be performed in parallel because they are all independent. 

In the iterated random oracle, the simulator needs to compute $C[I_i, P]$ for 
all $i \in [d+1, n]$, where $d$ is randomly chosen from $[1, n]$¹, in order to remove 
all useless queries. Then the simulator randomly picks one query from all 
candidate queries. Hence the time cost of finding a solution is mainly dominated 
by instance computations and the time complexity is $O(n)$. In comparison with 
the other two approaches, the simulator in the traditional approach (Theory 1) 
directly picks one solution at random and the time complexity is $O(1)$. 
The simulator in the Cash-Kiltz-Shoup [10,11] approach (Theory 2) has to test 
each query until it finds the correct solution. Therefore its time complexity is 
$O(q)$, more expensive than the iterated random oracle. 

3.6 Remarks on Simulation Based on the Theories 

The three introduced theories for finding loss can be summarized in general as 
follows. Suppose an adversary, who is given an instance $I_A$ generated 
by the simulator, must make a set of queries $\mathcal{Q}$ ($|\mathcal{Q}| = q$) including a challenge 
query $Q^* = C[I_A, P_A]$ to the random oracle. Here, $C[I_A, P_A]$ is the solution to 
the instance $I_A$ under the computational hard problem $P_A$, which is defined by 
the simulator. We aim to construct a simulator to solve a hard problem $P$ using 
the query set $\mathcal{Q}$. 

In the corresponding simulator construction, the simulator is given an 
instance $I$ under the hard problem $P$ and aims to solve it with the help of 
the adversary. The simulator should construct an instance $I_A$ for the adversary 
using the given instance $I$ and define the hard problem $P_A$ such that $C[I, P]$ will 
appear in the query set. The resulting pairs $(I_A, P_A)$ from the traditional 
approach, the Cash-Kiltz-Shoup approach and our approach are different. We remark 
that the successful construction of such a simulator is not the end of the simulation. 
It merely introduces the approach for finding the correct solution in the 
adversary's query set. To complete the reduction, the simulator must be able to 
use the created instance $I_A$ to simulate the proposed cryptosystem and make 
sure that the challenge query including $C[I_A, P_A]$ will appear in the query set. This 
is required in the security reduction because the adversary is not going to solve a hard 
problem for the simulator but to break a cryptosystem. 


¹ When $d = n$, the simulator does not need to compute any $C[I_i, P]$. 
4 Tight Security in Security Transformation for Encryption 

The principal application of the iterated random oracle is the security 
transformation from a key encapsulation mechanism with one-way security to an 
encryption scheme with indistinguishability security, whose reduction is tight. In this 
section, we show how to achieve such a security transformation without expanding 
the ciphertext size. 

A key encapsulation mechanism (KEM) is an asymmetric encryption scheme whose 
encryption algorithm generates a random key (a.k.a. the encapsulation key) 
together with a corresponding ciphertext (a.k.a. the encapsulation). The random 
key is then used for symmetric encryption, while the encapsulation forms part of 
the message ciphertext to deliver the random key in an asymmetric manner. Any 
receiver who owns a valid secret key can decapsulate the random key from the 
encapsulation. In the definition of one-way security for KEM, the challenger 
generates a challenge ciphertext $CT^*$ for the adversary, and the aim of the adversary 
is to return the corresponding challenge random key. 

We observe that any KEM with one-way security does not have a security loss 
in finding the correct solution if the random key is the solution to a computational 
hard problem in the security reduction. This is because the adversary returns only 
one answer to the simulator, which is the correct solution to the hard problem. 
However, in the IND-CPA security reduction with the help of random oracles, 
the correct solution is hidden in a large query set made by the adversary. In this 
section, we show how to fill this gap by using the iterated random oracle. 

Our security transformation is based on the KEM of functional encryption, 
namely the functional key encapsulation mechanism (FKEM). Functional 
encryption can be seen as a generalized asymmetric encryption including public 
key encryption, identity-based encryption and attribute-based encryption. 
We adopt the FKEM because the iterated random oracle is a general approach 
that fits all asymmetric encryption schemes. 

Our security transformation can be applied to any FKEM. However, this 
generic transformation could be accompanied by a long ciphertext under iterated 
random oracles. This is because the challenge ciphertext must be associated 
with $n$ different instances using the iterated random oracle, where the adversary 
is required to compute $n$ solutions to different instances. To obtain a short 
ciphertext after the transformation, these $n$ instances must have shared input parameters. 
We extract one special type of FKEM from all FKEMs with the following two 
properties. 

- Firstly, global system parameters Param are defined for the FKEM, such that 
many master key pairs $(mpk_1, msk_1), (mpk_2, msk_2), \cdots, (mpk_n, msk_n)$ can be 
generated from these global parameters. We note that such global system 
parameters are very common in asymmetric encryption. They may include the 
definitions of the pairing group, the chosen generator and hash functions. All of these 
parameters are shared and used by different users or authorities. 

- Secondly, the ciphertext encapsulation is computed without the input of master 
public keys, which will be the shared input parameters for all generated 
master key pairs. We note that many asymmetric encryption schemes fall into this 
type, such as the ElGamal public-key encryption scheme [21], the Boneh- 
Franklin identity-based encryption scheme [8] and the Waters identity-based 
encryption scheme [30]. One instantiation is given at the end of this section. 

In the remainder of this section, we first give the definition of FKEM of 
our chosen type, and then show how to transform an FKEM with one-way 
security into a functional encryption with indistinguishability security against 
chosen-plaintext attacks (CPA) and chosen-ciphertext attacks (CCA). 


4.1 Functional Key Encapsulation Mechanism 

The functional key encapsulation mechanism (FKEM) is defined as follows. 

Functional Key Encapsulation Mechanism 

- Param ← SysGen(1^λ). This algorithm takes as input the security parameter 
λ and outputs the global system parameters Param. 

- (mpk, msk) ← Setup(Param). This algorithm takes as input Param and 
outputs the master key pair (mpk, msk). 

- usk ← KeyGen(Param, mpk, msk, upk). This algorithm takes as input 
Param, the master key pair (mpk, msk) and upk (explained later) 
and outputs the user secret key usk. 

- (C, K) ← Encap(Param, mpk, str, r). This algorithm consists of two sub- 
algorithms. 

  - C ← Encap_c(Param, str, r). This sub-algorithm takes as input Param, 
  a string str (explained later) and a randomness r, and outputs 
  the encapsulation C. The encapsulation generation is independent of 
  mpk. 

  - K ← Encap_k(Param, mpk, str, r). This sub-algorithm takes as input 
  (Param, mpk, str, r) and outputs the encapsulation key K. 

- K ← Decap(Param, mpk, upk, usk, C). This algorithm takes as input 
(Param, mpk, upk, usk) and the encapsulation C, and outputs the 
encapsulation key K or ⊥. 

Definition 1 (Correctness). For any $(C, K) \leftarrow \mathrm{Encap}(Param, mpk, str, r)$ and 
$usk \leftarrow \mathrm{KeyGen}(Param, mpk, msk, upk)$, we have that 

$$\mathrm{Decap}(Param, mpk, upk, usk, C) = \begin{cases} K & F(upk, str) = 1, \\ \bot & \text{otherwise}, \end{cases}$$

where $Param \leftarrow \mathrm{SysGen}(1^\lambda)$ and $(mpk, msk) \leftarrow \mathrm{Setup}(Param)$. The function $F$ 
evaluates the relationship between $upk$ and the string $str$. 

The key pairs $(mpk, msk)$, $(upk, usk)$, the string $str$ and the function $F$ have 
different representations in specific asymmetric encryption schemes. For example, 

- In a public-key encryption, $mpk = upk$ is the public key while $msk = usk$ is the 
corresponding secret key, $str$ is also a public key and $F(upk, str) = 1$ 
if and only if $str = mpk = upk$. 

- In an identity-based encryption, $upk$ is the identity of a user and $str$ is the 
identity of the receiver. $F(upk, str) = 1$ if and only if $str = upk$. 

- In an identity-based broadcast encryption, $upk$ is the identity of a user and $str$ 
is the identity set of the receivers. $F(upk, str) = 1$ if and only if $upk$ 
is one of the identities in the identity set $str$. 

- In a ciphertext-policy attribute-based encryption, $upk$ is the attribute set of a 
user while $str$ is an access policy. $F(upk, str) = 1$ if and only if 
the access policy $str$ accepts the attribute set $upk$. 

- In a key-policy attribute-based encryption, $upk$ is the access policy of a user 
while $str$ is an attribute set. $F(upk, str) = 1$ if and only if the access policy 
$upk$ accepts the attribute set $str$. 

- In an inner-product encryption, both $upk$ and $str$ are vectors. $F(upk, str) = 1$ 
if and only if the inner product $upk \cdot str = 0$. 


Definition 2 (One-Way FKEM). A functional key encapsulation mechanism 
(SysGen, Setup, KeyGen, Encap, Decap) is one-way secure if for any PPT adversary 
$\mathcal{A}$, 

$$\mathrm{Adv}^{\mathrm{OW}}_{\mathcal{A},\mathrm{FKEM}}(\lambda) = \Pr\left[ K' = K^* \;\middle|\; \begin{array}{l} Param \leftarrow \mathrm{SysGen}(1^\lambda); \\ (mpk^*, msk^*) \leftarrow \mathrm{Setup}(Param); \\ str^* \leftarrow \mathcal{A}^{O_K(\cdot)}(Param, mpk^*); \\ (C^*, K^*) \leftarrow \mathrm{Encap}(Param, mpk^*, str^*, r^*); \\ K' \leftarrow \mathcal{A}^{O_K(\cdot)}(Param, mpk^*, str^*, C^*) \end{array} \right] \le negl(\lambda),$$

where $O_K(\cdot)$ is a key generation oracle that, on input any $upk$, returns 
$usk \leftarrow \mathrm{KeyGen}(Param, mpk^*, msk^*, upk)$ on the condition that $F(upk, str^*) \ne 1$. 


The definition of functional encryption is similar to that of FKEM except for the 
encryption algorithm and the decryption algorithm. The encryption algorithm 
additionally takes as input a message and returns a ciphertext for the message 
directly, while the decryption algorithm directly returns the message or outputs 
failure. The corresponding security model under indistinguishability against a 
chosen-plaintext attack and a chosen-ciphertext attack is also similar, except that 
the adversary outputs $str^*, m_0, m_1$ for the challenge and the challenge ciphertext 
encrypts a random message from $\{m_0, m_1\}$ chosen by the simulator. We 
define IND-CCA for FE in the following definition. The definition of IND-CPA 
is the same as IND-CCA except that the adversary cannot access the decryption 
oracle in the security model. 
Definition 3 (IND-CCA FE). A functional encryption (SysGen, Setup, 
KeyGen, Encrypt, Decrypt) is IND-CCA secure if for any PPT adversary $\mathcal{A}$, 

$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\mathcal{A},\mathrm{FE}}(\lambda) = \left| \Pr\left[ coin' = coin \;\middle|\; \begin{array}{l} Param \leftarrow \mathrm{SysGen}(1^\lambda); \\ (mpk^*, msk^*) \leftarrow \mathrm{Setup}(Param); \\ (str^*, m_0, m_1) \leftarrow \mathcal{A}^{O_K(\cdot), O_D(\cdot)}(Param, mpk^*); \\ coin \leftarrow \{0, 1\}; \\ CT^* \leftarrow \mathrm{Encrypt}(Param, mpk^*, str^*, r^*, m_{coin}); \\ coin' \leftarrow \mathcal{A}^{O_K(\cdot), O_D(\cdot)}(Param, mpk^*, str^*, CT^*) \end{array} \right] - \frac{1}{2} \right| \le negl(\lambda),$$

where $O_K(\cdot)$ is a key generation oracle that, on input any $upk$, returns 
$usk \leftarrow \mathrm{KeyG\mathrm{}en}(Param, mpk^*, msk^*, upk)$ on the condition that $F(upk, str^*) \ne 1$, 
and $O_D(\cdot)$ is a decryption oracle that, on input any $(str, CT)$, returns 
$\{m, \bot\} \leftarrow \mathrm{Decrypt}(Param, mpk^*, upk, usk, CT)$ on the condition that $str \ne str^*$ or 
$CT \ne CT^*$. 


4.2 Generic Conversion from OW-FKEM to IND-CPA-FE with Tight Reduction 

Let $Param_{OW}$ be the global system parameters of an FKEM with one-way security. 
Let $(mpk_i, msk_i)$ for all $i \in [1, n]$ be $n$ master key pairs of the FKEM and $usk_i$ be the 
secret key of $upk$ generated from $(mpk_i, msk_i)$. Here, $n$ can be as small as $n = 10$ 
depending on the acceptable security loss. We choose $n$ pairs in order to compute 
a different encapsulation key under each key pair, such that all $n$ encapsulation 
keys can be iterated together following the iterated random oracle approach to 
generate the final encapsulation key. The functional encryption with IND-CPA 
security is constructed as follows. 


SysGen: Choose a secure one-way hash function $H : \{0, 1\}^* \to \{0, 1\}^\ell$, 
where the message space is $\{0, 1\}^\ell$. The global system parameters of FE are 

$$Param_{FE} = (Param_{OW}, H).$$

Setup: Set the master public key $mpk$ and the master secret key $msk$ of FE 
as 

$$mpk = (mpk_1, mpk_2, \cdots, mpk_n), \qquad msk = (msk_1, msk_2, \cdots, msk_n).$$

KeyGen: Taking as input $Param, mpk, msk, upk$, run the key generation 
algorithm $\mathrm{KeyGen}(Param, mpk_i, msk_i, upk) \to usk_i$ for all $i \in [1, n]$ and output 
the private key $usk$ for $upk$ as 

$$usk = (usk_1, usk_2, \ldots, usk_n).$$

Encrypt: Taking as input $Param, mpk, str$ and a message $m \in \{0, 1\}^\ell$, create 
the ciphertext $CT$ as follows. 

- Choose a random $r$ for the Encap algorithm. 

- Compute $C_1 = \mathrm{Encap}_c(Param_{OW}, str, r)$. 

- Compute $K_i = \mathrm{Encap}_k(Param_{OW}, mpk_i, str, r)$ for all $i \in [1, n]$. 

- Compute the iteration as 

$$A_i = H(A_{i-1}) \,\|\, K_i \,\|\, i : \; i \in [1, n], \quad \text{where } H(A_0) = 0_\epsilon.$$

- Set $C_2 = H(A_n) \oplus m$. 

The output ciphertext is $CT = (C_1, C_2)$. 

Decrypt: Taking as input $Param, mpk, str, upk, usk$ and a ciphertext 
$CT = (C_1, C_2)$, decrypt the message as follows. 

- Compute $K_i = \mathrm{Decap}(Param_{OW}, mpk_i, upk, usk_i, C_1)$ for all $i \in [1, n]$. 

- Compute the iteration as 

$$B_i = H(B_{i-1}) \,\|\, K_i \,\|\, i : \; i \in [1, n], \quad \text{where } H(B_0) = 0_\epsilon.$$

- Compute $m = C_2 \oplus H(B_n)$. 
This completes the description of the FE construction. Without counting the 
size of the encrypted message, the ciphertext size is the same as that of the FKEM. That 
is, the generic conversion from OW-FKEM to IND-CPA-FE does not expand 
the ciphertext size. This conversion without ciphertext expansion requires that 
the encapsulation is independent of the master public key $mpk$. Otherwise, the 
ciphertext would consist of $n$ distinct $C_1$ generated under different 
$mpk_i$. In the following theorem, we prove that the IND-CPA security of the FE can 
be tightly reduced to the one-way security of the FKEM. 

Theorem 1. Let $H$ be a random oracle. If there exists an adversary $\mathcal{A}$ who 
makes $q$ queries to $H$ and has advantage $\epsilon$ in the IND-CPA security model against 
the constructed encryption scheme, then we can construct a simulator $\mathcal{B}$ with 
advantage 

$$\mathrm{Adv}^{\mathrm{OW}}_{\mathcal{B},\mathrm{FKEM}}(\lambda) \ge \frac{2\epsilon}{n q^{1/n}}$$

in breaking the underlying FKEM in the one-way security model. 

Proof. Suppose there exists an adversary $\mathcal{A}$ who can break the above encryption 
scheme with advantage $\epsilon$. We construct a simulator $\mathcal{B}$ to break the one-way 
security of the underlying FKEM. The reduction works as follows. 

Setup: $\mathcal{B}$ first obtains $(Param_{OW}, mpk^*)$ from the FKEM challenger. It then picks a random 
$d \in [1, n]$ and runs the setup algorithm $\mathrm{Setup}(Param_{OW}) \to (mpk_i, msk_i)$ for all 
$i \in [1, n] \setminus \{d\}$ to generate master key pairs. Finally, it sets $mpk = (mpk_1, \ldots, mpk_n)$, 
where the $d$-th component is the challenge key, 

$$mpk_i = \begin{cases} mpk_i & \text{if } i \ne d, \\ mpk^* & \text{otherwise}, \end{cases}$$

and $Param = (Param_{OW}, H)$, where $H$ is treated as a random oracle controlled by the 
simulator. Finally, the simulator returns $(Param, mpk)$ to $\mathcal{A}$. 

H-Query: $\mathcal{B}$ maintains a hash list $\mathcal{L}$ to record all queries to the random oracle 
$H$. If a query $Q$ has been made before and appears in the list as $(Q, \mathcal{R})$, $\mathcal{B}$ responds with 
the same response $\mathcal{R}$. Otherwise, the simulator randomly chooses $\mathcal{R}$ from $\{0, 1\}^\ell$ 
as the response $\mathcal{R} = H(Q)$ and adds $(Q, \mathcal{R})$ to the list. 

Phase 1: $\mathcal{A}$ requests the secret key of $upk$ in this phase, where $upk$ is adaptively 
chosen by the adversary. The simulator $\mathcal{B}$ first queries $upk$ to the key generation 
oracle $O_K(\cdot)$, which returns $usk$, and sets $usk_d = usk$. For all other $i \in [1, n] \setminus \{d\}$, $\mathcal{B}$ 
runs $\mathrm{KeyGen}(Param, mpk_i, msk_i, upk) \to usk_i$ by itself to compute $usk_i$. Finally, it 
sets $usk = (usk_1, usk_2, \ldots, usk_n)$ and returns $usk$ to $\mathcal{A}$ as the query response. 

Challenge: $\mathcal{A}$ outputs two distinct challenge messages $m_0, m_1 \in \{0, 1\}^\ell$ and 
a challenge string $str^*$ with the restriction that $F(upk, str^*) \ne 1$ for any $upk$ queried 
in Phase 1. $\mathcal{B}$ then forwards $str^*$ to the FKEM challenger and obtains the challenge 
encapsulation $C^*$. Finally, $\mathcal{B}$ randomly chooses $R \in \{0, 1\}^\ell$ and sets 
the challenge ciphertext as 

$$CT^* = (C^*, R).$$

Phase 2: $\mathcal{A}$ issues more secret key queries on any chosen $upk$ such that 
$F(upk, str^*) \ne 1$. $\mathcal{B}$ responds as in Phase 1. 

Output: Finally, $\mathcal{A}$ outputs its guess $coin' \in \{0, 1\}$. $\mathcal{B}$ then follows the approach 
in Theory 3 to find the underlying key $K^*$ from the recorded hash list $\mathcal{L}$ and breaks 
the FKEM. 

This completes the description of the simulation and the solution. All master key 
pairs are generated from the setup algorithm of the FKEM. They are therefore 
indistinguishable from the view of the adversary, so the adversary has 
no advantage in guessing $d$. The random oracle is simulated using truly random 
strings, and hence the simulator performs a correct simulation of the random 
oracle. Let $C^* = \mathrm{Encap}_c(Param_{OW}, str^*, r^*)$. Since $C^*$ is generated by the 
encapsulation algorithm and $R$ is randomly chosen, the challenge ciphertext is 
a one-time pad unless the adversary queries $A^*_n$, which is defined through 

$$A^*_i = H(A^*_{i-1}) \,\|\, \mathrm{Encap}_k(Param_{OW}, mpk_i, str^*, r^*) \,\|\, i : \; i \in [1, n], \quad H(A^*_0) = 0_\epsilon.$$

We have that 

$$K^* = \mathrm{Encap}_k(Param_{OW}, mpk_d, str^*, r^*) = \mathrm{Encap}_k(Param_{OW}, mpk^*, str^*, r^*),$$

the weight in $A^*_d$, is the solution to the FKEM. The approach of finding the correct 
encapsulation key falls exactly into Theory 3, where the simulator can successfully pick a 
valid query with probability $1/(n q^{1/n})$. According to the definition of advantage, 
the adversary makes such a query to the random oracle with probability at least $2\epsilon$. 
We therefore obtain Theorem 1. □ 
4.3 Generic Conversion from OW-FKEM to IND-CCA-FE

Given an FKEM composed of

$$C = \mathrm{Encap}_c(\mathrm{Param}_{OW}, str, r),$$

$$K_i = \mathrm{Encap}_k(\mathrm{Param}_{OW}, mpk_i, str, r) : i \in [1, n],$$

we have shown how to construct an IND-CPA FE via

$$CT = \big(\mathrm{Encap}_c(\mathrm{Param}_{OW}, str, r),\; H(A_n) \oplus m\big),$$

where $A_i = H(A_{i-1}) \,\|\, K_i \,\|\, i : i \in [1, n]$, and $H(A_0) = 0^\ell$.

We can further extend the conversion from FKEM to FE with IND-CCA security by applying the Fujisaki-Okamoto transformation approach [19,20]. This approach requires two more one-way secure hash functions $H_1, H_2$ in the global system parameters, and they are also treated as random oracles in the security proof. The first hash function $H_1$ has the same output space as the randomness $r$, and the second one $H_2$ has the same output space as $H$.

Taking as input Param, $mpk$, $str$ and a message $m \in \{0,1\}^\ell$, the encryption algorithm for IND-CCA security works as follows.

- Choose a random string $\sigma \in \{0,1\}^\ell$ and compute $r = H_1(\sigma, m)$.

- Run the IND-CPA encryption algorithm using the randomness $r$ to encrypt $\sigma$, which returns

In the corresponding decryption algorithm, the decryptor first runs the IND-CPA decryption algorithm to obtain $\sigma$, and then it computes $H_2(\sigma) \oplus C_3$ to obtain $m$. Finally, it outputs the message $m$ if $C_1$ is the encapsulation generated using the randomness $H_1(\sigma, m)$. Otherwise, it simply returns $\bot$.
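The following is an added example (not code from the paper) that runs the conversion of Sect. 4.3 end to end: the iterated random oracle chain $A_i = H(A_{i-1}) \,\|\, K_i \,\|\, i$ with $H(A_0) = 0^\ell$, the IND-CPA encryption $CT = (C, H(A_n) \oplus m)$, and the Fujisaki-Okamoto wrapper with its re-encryption check that returns $\bot$ on a malformed ciphertext. Everything below the interface is an assumption made for the demonstration: the FKEM is replaced by a constructed stand-in (`ToyFKEM`) consisting of $n$ ElGamal-style KEMs over a toy group that ignore the functionality predicate $F$, the hash functions $H$, $H_1$, $H_2$ are domain-separated SHA-256, and the helper `to_randomness` maps an $H_1$ digest onto the randomness space of that toy KEM.

```python
import hashlib
import hmac
import os

ELL = 32                 # ell: byte length of H / H_2 outputs and of messages (assumption)
P = (1 << 127) - 1       # toy group modulus (Mersenne prime M127), far too small for real use
G = 3


def H(data: bytes) -> bytes:
    """Stand-in for the random oracle H : {0,1}^* -> {0,1}^ell."""
    return hashlib.sha256(b"H|" + data).digest()


def H1(sigma: bytes, m: bytes) -> bytes:
    """H_1(sigma, m); its output is mapped onto the randomness space of the KEM."""
    return hashlib.sha256(b"H1|" + sigma + b"|" + m).digest()


def H2(sigma: bytes) -> bytes:
    """H_2(sigma): same output space as H."""
    return hashlib.sha256(b"H2|" + sigma).digest()


def to_randomness(digest: bytes) -> int:
    """Map an H_1 digest into the exponent space [1, P-1] used as r by the toy KEM."""
    return int.from_bytes(digest, "big") % (P - 1) + 1


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class ToyFKEM:
    """Constructed stand-in for an OW-FKEM with n master key pairs (mpk_i, msk_i):
    n independent ElGamal-style KEMs sharing one randomness r, with str bound into
    each key. It ignores the functionality predicate F and hands out usk_i = msk_i,
    so it only reproduces the interface that the conversion needs."""

    def __init__(self, n: int):
        self.n = n
        self.msk = [int.from_bytes(os.urandom(16), "big") % (P - 1) + 1 for _ in range(n)]
        self.mpk = [pow(G, x, P) for x in self.msk]

    @staticmethod
    def encap_c(s: bytes, r: int) -> bytes:
        """C = Encap_c(Param, str, r) = g^r (str plays no role in the toy C)."""
        return pow(G, r, P).to_bytes(16, "big")

    @staticmethod
    def _derive(s: bytes, shared: int) -> bytes:
        return hashlib.sha256(b"K|" + s + b"|" + shared.to_bytes(16, "big")).digest()

    def encap_k(self, i: int, s: bytes, r: int) -> bytes:
        """K_i = Encap_k(Param, mpk_i, str, r), computable from the public mpk_i."""
        return self._derive(s, pow(self.mpk[i - 1], r, P))

    def decap(self, i: int, s: bytes, C: bytes) -> bytes:
        """Recover K_i from C with usk_i (= msk_i in the toy)."""
        return self._derive(s, pow(int.from_bytes(C, "big"), self.msk[i - 1], P))


def chain_key(keys) -> bytes:
    """Iterated random oracle: H(A_0) = 0^ell, A_i = H(A_{i-1}) || K_i || i; returns H(A_n)."""
    prev = bytes(ELL)                                   # H(A_0) = 0^ell
    for i, K in enumerate(keys, start=1):
        prev = H(prev + K + i.to_bytes(4, "big"))       # H(A_i), counter i as 4-byte big-endian
    return prev


def cpa_encrypt(kem: ToyFKEM, s: bytes, m: bytes, r: int):
    """IND-CPA FE: CT = (Encap_c(str, r), H(A_n) xor m)."""
    assert len(m) == ELL
    keys = [kem.encap_k(i, s, r) for i in range(1, kem.n + 1)]
    return kem.encap_c(s, r), xor(chain_key(keys), m)


def cpa_decrypt(kem: ToyFKEM, s: bytes, CT) -> bytes:
    C, C2 = CT
    keys = [kem.decap(i, s, C) for i in range(1, kem.n + 1)]
    return xor(chain_key(keys), C2)


def cca_encrypt(kem: ToyFKEM, s: bytes, m: bytes, sigma: bytes = None):
    """Fujisaki-Okamoto wrapper: r = H_1(sigma, m); encrypt sigma under r; C_3 = H_2(sigma) xor m."""
    assert len(m) == ELL
    sigma = os.urandom(ELL) if sigma is None else sigma
    r = to_randomness(H1(sigma, m))
    C1, C2 = cpa_encrypt(kem, s, sigma, r)
    return C1, C2, xor(H2(sigma), m)


def cca_decrypt(kem: ToyFKEM, s: bytes, CT):
    """Recover sigma, then m, re-derive r = H_1(sigma, m) and check C_1 was formed with it; else None (⊥)."""
    C1, C2, C3 = CT
    sigma = cpa_decrypt(kem, s, (C1, C2))
    m = xor(H2(sigma), C3)
    r = to_randomness(H1(sigma, m))
    if not hmac.compare_digest(kem.encap_c(s, r), C1):  # re-encryption check
        return None
    return m


if __name__ == "__main__":
    kem = ToyFKEM(n=4)
    ct = cca_encrypt(kem, b"str", b"m" * ELL)
    print(cca_decrypt(kem, b"str", ct) == b"m" * ELL)
```

Tampering with any component of $(C_1, C_2, C_3)$, or decrypting under a different $str$, changes the recovered $\sigma$ or $m$, so the re-derived randomness no longer reproduces $C_1$ and `cca_decrypt` returns `None`, which is the $\bot$ of the decryption algorithm above.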

It is not hard to obtain the security proof based on the proposed security reduction for CPA security and the Fujisaki-Okamoto transformation. First, all key queries are generated in the same way as in the proof of Theorem 1. Second, all decryption queries are answered using the Fujisaki-Okamoto transformation approach. Finally, the challenge ciphertext is simulated using $(C^*, R_1, R_2)$, where $C^*$ is the challenge encapsulation from the FKEM and $R_1, R_2$ are random strings. From the view of the adversary, if the adversary has an advantage in distinguishing the encrypted message, it must make a query on $\sigma$. The probability of obtaining $\sigma$ is bounded by a random guess, which is negligible for a large $\ell$, and by breaking the IND-CPA construction, while the probability of breaking the IND-CPA construction is bounded by the probability of making a query on $A_n$. Therefore, if $\sigma$ appears in the query list with probability $2\epsilon$, the probability of querying $A_n$ is nearly $2\epsilon$. The simulator is then able to break the underlying FKEM with probability $2\epsilon/(n q^{1/n})$ by applying the approach in Theory 3.
4.4 Identity-Based Key Encapsulation Mechanism

At the end of this section, we give an instantiation using the Park-Lee identity-based encryption [28], which can be modified to a key encapsulation mechanism satisfying the requirement for short ciphertexts in the transformation. We choose this scheme as an example because there is no security loss during the private key simulation. By using the iterated random oracle, the corresponding encryption with indistinguishability security can be tightly reduced to solving the Bilinear Diffie-Hellman problem.


SysGen: This algorithm takes as input the security parameter $\lambda$. It selects a pairing group $\mathbb{PG} = (\mathbb{G}, \mathbb{G}_T, e)$ and one secure one-way hash function $H_1 : \{0,1\}^* \to \mathbb{G}$. Then it randomly chooses $u \in \mathbb{G}$. The global system parameters Param are

$$\mathrm{Param} = (\mathbb{PG}, u, H_1).$$

Setup: It randomly chooses $\alpha \in \mathbb{Z}_p$ and computes $e(g,g)^\alpha$. The algorithm returns a master public/secret key pair $(mpk, msk)$ as

$$mpk = e(g,g)^\alpha, \quad msk = \alpha.$$

KeyGen: The key generation algorithm takes as input Param, an identity $ID \in \{0,1\}^*$ and the master key pair $(mpk, msk)$. It randomly chooses $s, t_k \in \mathbb{Z}_p$ and creates the private key as

$$d_{ID} = (d_0, d_1, d_2, d_3) = \big(t_k,\; g^s,\; (H_1(ID)\, u^{t_k})^s,\; g^\alpha u^s\big).$$

It requires that the random number $t_k$ for $ID$ is the same in the private key generation.

Encap: The encryption algorithm takes as input Param, the master public key $mpk$ and an identity $ID$. It randomly chooses $r, t_c \in \mathbb{Z}_p$ and creates the ciphertext and the encapsulation key as follows.

$$C = \mathrm{Encap}_c(\mathrm{Param}, ID, r) = \big(t_c,\; (H_1(ID)\, u^{t_c})^r,\; g^r\big),$$

$$K = \mathrm{Encap}_k(\mathrm{Param}, mpk, ID, r) = e(g,g)^{\alpha r}.$$

Decap: The decryption algorithm takes as input Param, the master public key $mpk$, an identity $ID$, a private key $d_{ID}$ and a ciphertext $C = (C_0, C_1, C_2)$. It computes the random key as

$$K = \frac{e(d_3, C_2)}{\left(\dfrac{e(C_1, d_1)}{e(C_2, d_2)}\right)^{\frac{1}{t_c - t_k}}}.$$

Iterated Random Oracle: A Universal Approach for Finding Loss 771


The correctness of the decapsulation is shown as follows.

$$\begin{aligned}
K &= e(d_3, C_2) \cdot \left(\frac{e(C_1, d_1)}{e(C_2, d_2)}\right)^{-\frac{1}{t_c - t_k}} \\
  &= e(g^\alpha u^s, g^r) \cdot \left(\frac{e\big((H_1(ID)\,u^{t_c})^r,\; g^s\big)}{e\big(g^r,\; (H_1(ID)\,u^{t_k})^s\big)}\right)^{-\frac{1}{t_c - t_k}} \\
  &= e(g,g)^{\alpha r} \cdot e(u,g)^{rs} \cdot \Big(e(u,g)^{rs(t_c - t_k)}\Big)^{-\frac{1}{t_c - t_k}} \\
  &= e(g,g)^{\alpha r}.
\end{aligned}$$


Theorem 2. Let $H_1$ be a random oracle. If there exists an adversary who can break the Park-Lee identity-based key encapsulation mechanism with $(t, q_1, \epsilon)$ in the one-way security model, where the adversary makes $q_1$ queries to $H_1$ and $q_k$ private key queries, then we can construct a simulator to solve the BDH problem with $(t + T_s, \epsilon)$, where $T_s$ denotes the time cost of simulation.


Proof. Suppose there exists an adversary A who can break the identity-based encryption scheme. We can construct a simulator B to solve the BDH problem. Given as input the instance $(g, g^a, g^b, g^c)$ in the pairing group $\mathbb{PG}$, the simulator aims to compute $e(g,g)^{abc}$. B interacts with the adversary as follows.

Setup: B picks a random $z \in \mathbb{Z}_p$, sets $u = g^{z-a}$, $\alpha = ab$ and computes $e(g,g)^\alpha = e(g^a, g^b)$. Then, it gives $\mathrm{Param} = (\mathbb{PG}, u)$ and $mpk = e(g,g)^\alpha$, except $H_1$, to the adversary, where $H_1$ is treated as a random oracle controlled by the simulator.

H-Query: B maintains a hash list $L_1$ to record all queries to the random oracle $H_1$. If a query $ID_i$ has been made and $(ID_i, x_i, y_i, H_1(ID_i))$ is in the list, B responds with $H_1(ID_i)$. Otherwise, B randomly chooses $x_i, y_i \in \mathbb{Z}_p$, sets $H_1(ID_i) = g^{x_i a + y_i}$ and adds $(ID_i, x_i, y_i, H_1(ID_i))$ into the hash list.

Phase 1: A requests private keys of identities in this phase. For the query on $ID$, B first runs the $H_1$ query to get the corresponding $(ID, x, y, H_1(ID))$, randomly chooses $s \in \mathbb{Z}_p$ and computes the private key as

$$d_0 = t_k = x, \quad d_1 = g^{b+s}, \quad d_2 = g^{b(y+xz)+s(y+xz)}, \quad d_3 = g^{zs+zb-sa},$$

which can be computed by the simulator. Let $s' = b + s$ and $t_k = x$. We have

$$\begin{aligned}
(d_1, d_2, d_3) &= \big(g^{s'},\; (H_1(ID)\,u^{t_k})^{s'},\; g^\alpha u^{s'}\big) \\
&= \big(g^{b+s},\; (g^{xa+y}\, g^{x(z-a)})^{b+s},\; g^{ab}\, g^{(z-a)(b+s)}\big) \\
&= \big(g^{b+s},\; g^{b(y+xz)+s(y+xz)},\; g^{zs+zb-sa}\big).
\end{aligned}$$

Therefore, $d_{ID} = (d_0, d_1, d_2, d_3)$ is a valid private key of $ID$.

Challenge: The adversary A outputs an identity $ID^*$ for challenge, where the adversary never requested the private key of $ID^*$. Let the query response of $ID^*$ in the random oracle be $(ID^*, x^*, y^*, H_1(ID^*))$. The simulator B sets the challenge encapsulation as

$$C^* = \big(x^*,\; g^{(y^* + x^* z)c},\; g^c\big).$$

Let $r = c$ and $t_c = x^*$. We have

$$\begin{aligned}
C^* &= \big(t_c,\; (H_1(ID^*)\,u^{t_c})^r,\; g^r\big) \\
&= \big(x^*,\; (g^{x^* a + y^*}\, g^{x^*(z-a)})^c,\; g^c\big) \\
&= \big(x^*,\; g^{(y^* + x^* z)c},\; g^c\big).
\end{aligned}$$

Therefore, $C^*$ is a valid challenge encapsulation whose corresponding key $K^*$ is

$$e(g,g)^{\alpha r} = e(g,g)^{abc}.$$

Output: Finally, A outputs $K^*$ and the simulator outputs $K^*$ as the solution to the BDH problem.

This completes the simulation and solution. We have that $a, z$ are chosen randomly and independently, so that both Param and $mpk$ are indistinguishable from the real scheme; $x, y$ are chosen randomly and independently, so that the random oracle simulation is correctly performed; and $x^*, c$ are chosen randomly and independently, so that the challenge ciphertext is indistinguishable from the real scheme. According to the definition of advantage and the assumption, the adversary will output $K^*$ with probability $\epsilon$, and the simulator will solve the BDH problem with probability $\epsilon$. This completes the proof of Theorem 2. □

5 Tight Reduction for Key Exchange 

The iterated random oracle can also be applied to key exchange for a tight(er) reduction in the IND-CHP security reduction. However, we observe that the application is a little complicated due to the many different definitions of key exchange protocols. In this section, we discuss how to apply the iterated random oracle to this cryptographic primitive and what occurs during the application.

Identity-Based Non-Interactive Key Exchange (IB-NIKE). In the Sakai-Ohgishi-Kasahara IB-NIKE protocol [29], the private key of $ID$ is $d_{ID} = H_1(ID)^\alpha$, where $\alpha \in \mathbb{Z}_p$ is the master secret key and $H_1 : \{0,1\}^* \to \mathbb{G}$ is a collision-resistant hash function. Here, the IB-NIKE is constructed over a pairing group. The NIKE between $ID_A$ and $ID_B$ is defined as

$$\begin{aligned}
K &= H\big(e(d_{ID_A}, H_1(ID_B))\big) \\
&= H\big(e(d_{ID_B}, H_1(ID_A))\big) \\
&= H\big(e(H_1(ID_A), H_1(ID_B))^\alpha\big),
\end{aligned}$$

where $H : \{0,1\}^* \to \{0,1\}^\ell$ is another secure one-way hash function.

The above IB-NIKE protocol is provably secure in the random oracle model (assuming $H_1, H$ are random oracles) under the BDH assumption. The finding loss exists because the simulator cannot decide which query in the adversary's query set is the correct solution to the BDH problem. We can apply the iterated random oracle by iterating the session keys as follows.

- Compute the private key $d_{ID}$ of $ID$ as

- Compute the $i$-th intermediate key between $ID_A$ and $ID_B$ as

$$K_i = e\big(H_1(ID_A, i), H_1(ID_B, i)\big)^\alpha.$$

- The final session key between $ID_A$ and $ID_B$ is $H(EK_n)$, where

$$EK_i = H(EK_{i-1}) \,\|\, K_i \,\|\, i : i \in [1, n], \quad \text{where } H(EK_0) = 0^\ell.$$

It is not hard to prove its security when the simulator can simulate all private keys except $H_1(ID_A, d)^\alpha$ and $H_1(ID_B, d)^\alpha$, where $e\big(H_1(ID_A, d), H_1(ID_B, d)\big)^\alpha$ is programmed as the solution to the BDH problem. By applying Theory 3, the final security reduction has a very small finding loss.

In comparison with the original scheme, ours gives a tighter reduction. We admit that our scheme requires each user to store $n$ private keys. Although $n$ can be as small as 10, the final key length is still longer than that of the original scheme, which instead expands the group size to absorb the security loss. Therefore, this construction is somewhat of theoretical interest only as far as key length is concerned. However, when parallel computation is allowed, all pairing computations and hash-to-group operations in our scheme can be completed in parallel within a group. Our scheme then reduces the time cost because there is no need to expand the group size for the security loss.

Other (Authenticated) Key Exchange. Similarly, we can utilize the above approach to remove the finding loss in other key exchange protocols by generating $n$ keys for each user instead of one. Only the $d$-th sub-key can be programmed to solve a hard problem, while the others can be simulated or computed by the simulator. However, it seems that we still have to resort to the help of a decision oracle [18], because the simulator cannot simulate some session keys for the adversary. Let $upk_A$ and $upk_B$ be the challenge public keys. In the security model for key exchange, the adversary is allowed to launch a session key query between, for example, $upk_A$ and a corrupted user, namely $upk_C$. Notice that the secret key $usk_A$ is unknown (only the $d$-th sub-key is programmed as unknown). When the secret key $usk_C$ is also unknown, the simulator cannot simulate the session keys correctly for the adversary, especially on the random oracle, without the help of a decision oracle. If the assumption still needs a decision oracle, there is no finding loss in the security reduction because the simulator can use the decision oracle to find the correct solution.

We emphasize that there is still a benefit in applying the iterated random oracle to key exchange whose security assumption is a strong computational assumption with a decision oracle. Notice that the iterated random oracle exponentially consumes the adversary's hash queries if it wants to hide the challenge query. The simulator can then make fewer queries to the decision oracle, especially when the simulator wants to simulate the session key and find the correct solution. That is, by applying the iterated random oracle, we can adopt a strong computational assumption where the number of accesses to the decision oracle is bounded by a small number. This assumption is better than the assumption with $q$ accesses to the decision oracle.

6 Conclusion 

Finding loss is a common security loss in security reductions for indistinguishability security under computationally hard assumptions whose decisional variants are also hard. This security loss results in a significantly loose reduction by a random pick because the number of queries can be as large as $2^{60}$. The novel Cash-Kiltz-Shoup approach is efficient without any finding loss, but can only be applied to a computationally hard problem with a trapdoor test. We proposed a completely new approach, namely the iterated random oracle, as a universal approach for finding loss, which can be applied to any computationally hard problem without any restriction on the adopted hard problem. The finding loss in this approach is very small. The corresponding success probability is $\frac{1}{n q^{1/n}}$ compared to $\frac{1}{q}$ by a random pick. This approach has been applied to achieve a security transformation for encryption and key exchange towards tight(er) reductions.
Abstract. Motivated by the subversion of “trusted” public parameters in mass-surveillance activities, this paper studies the security of NIZKs in the presence of a maliciously chosen common reference string. We provide definitions for subversion soundness, subversion witness indistinguishability and subversion zero knowledge. We then provide both negative and positive results, showing that certain combinations of goals are unachievable but giving protocols to achieve other combinations.


1 Introduction 

The summer of 2013 brought shocking news of mass surveillance being conducted by the NSA and its counterparts in other countries. The documents revealed new ways in which the adversary compromises security, ways not covered by standard models and definitions in cryptography. This opens up a new research agenda, namely to formalize security goals that defend against these novel attacks, and to study the achievability of these goals. This agenda is being pursued along several fronts. The front we pursue here is parameter subversion, namely the compromise of security by the malicious creation of supposedly trusted public parameters for cryptographic systems. The representative example is the Dual EC random number generator (RNG).

Dual EC. Dual EC is an NSA-designed, elliptic-curve-based random number generator, standardized as NIST SP 800-90 and ANSI X9.82. BLN [14] say that its story is “one of the most interesting in modern cryptography.” The RNG includes two points $P, Q$ on an elliptic curve that function as public parameters for the algorithm. At the Crypto 2007 rump session, Shumow and Ferguson noted that anyone who knew the discrete logarithm of $P$ to base $Q$, meaning a scalar $s$ such that $P = sQ$, could predict generator outputs. In a Wired Magazine article the same year, Schneier warned against Dual EC because it “just might contain a backdoor for the NSA.” The NSA's response was that they had “generated $P, Q$ in a secure, classified way.” But the Snowden revelations (documents from project Bullrun and SIGINT) show that Dual EC was part of a systematic NSA effort to subvert standards. And in 2014, CNEGLRBMSF [24] showed the practical effectiveness of the subversion by demonstrating how the backdoor could be exploited to break TLS.

Two things are remarkable. The first is that the “trusted” public parameters were in fact subverted. The second is the effort put into ensuring that the subverted parameters were standardized and used. NSA-based pressure and lobbying not only led to Dual EC remaining a US standard but even to its being in an international standard, ISO 18031:2005. In 2013 Reuters reported that the NSA paid RSA corporation $10 million to make Dual EC the default method for random number generation in their BSafe library.

Cryptography resistant to parameter subversion. The lesson to take 
away is that a cryptographic system that relies on public parameters assumed to 
have been honestly generated, say by some “trusted” party, is at great practical 
risk from the possibility that the parameters were in fact maliciously generated 
with intent to subvert security of their use. We suggest that in response we should 
develop cryptography that is resistant to parameter subversion. This means that 
it should provide its usual security with trusted parameters, but retain as much 
security as possible when the parameters are maliciously generated. 

Parameters arise in many places in cryptography, but a prominent one that springs to mind is non-interactive zero-knowledge (NIZK) systems, where the common reference string (CRS) is assumed to be honestly generated. NIZKs are not only important in their own right but are used in a wide variety of applications, so their security under parameter subversion has far-reaching effects. This paper provides a treatment of resistance to parameter subversion for NIZKs, with definitions, negative results and positive results.

NIZKs. Non-interactive zero-knowledge systems originate with BFM [17] and 
BDMP [16] and have since seen an explosion in constructions and applications. 
The Groth-Sahai framework for efficient NIZKs [44] is widely utilized and we 
are seeing not only efficient NIZKs but also their implementation in systems [12, 
13,31,39,44]. Structure-preserving cryptography [1,2,40] was developed to allow 
these NIZKs to be used for efficient applications. 

The NIZK model postulates a common reference string (CRS) that has been honestly generated according to some distribution. The pragmatics of how this is done receives little explicit attention. Some early works talk of using digits of $\pi$ and others speak whimsically of “a random string in the sky,” but for the most part the understanding is that a trusted party will generate, and make public, the CRS. In light of the above, however, we must be concerned that the CRS is in fact maliciously generated. This is the issue addressed by our work.

An immediate avenue of attack that may come to mind is the following. NIZK security requires that there is a simulator that generates a simulated CRS (indistinguishable from the honest one) together with a trapdoor allowing the simulator to generate proofs without knowing the witness. What if the subvertor generates the CRS via the simulator, so that it knows the trapdoor? Since this CRS is indistinguishable from an honestly generated one, the subversion will not be detected. Now, what does the subvertor gain? This seems to depend on the particular system and its properties. For example, the subvertor may be able to generate proofs of false statements and violate soundness. In some cases the trapdoor permits extraction of witnesses from honest proofs, in which case the subvertor would be able to violate zero knowledge. What we see here is that features built into the standard notions and constructions of NIZKs turn out to be potential liabilities in the face of subversion. Put another way, current NIZKs have the possibility of subversion effectively built into the security requirement because the simulator works by “subverting” the CRS.

Two remarks with regard to the above. (1) First, if it is unclear what is going on, or what conclusion to draw, there is a good reason, namely that we are trying to think or talk about what subversion does in the absence of a clear understanding of the subversion-resistance goal, effectively jumping the gun. To be able to effectively assess security we first need precise definitions of the new goal(s) underlying resistance to CRS subversion. Providing such definitions is the first contribution of this paper. (2) Second, while the above discussion may lead one to be pessimistic, we will see that in fact a surprising amount of security can be retained even under a maliciously generated CRS.

NIZK security, now. To discuss the new goals in subversion-resistant NIZKs we first back up to recall the standard goals in the current model where the CRS is trusted and assumed to be honestly generated. We distinguish three standard goals for a non-interactive (NI) system $\Pi$ relative to an NP relation $R$ defining the language $L(R) \in \mathrm{NP}$. The formalizations are recalled in Sect. 4.

SND: (Soundness) It is hard for an adversary, given an honestly generated $crs$, to find an $x \notin L(R)$ together with a valid proof $\pi$ (meaning one that the verification algorithm $\Pi.\mathrm{V}$ accepts) for $x$ relative to $crs$.

WI: (Witness indistinguishability) Assuming $crs$ is honestly generated, an adversary can't tell under which of two valid witnesses an honest proof (i.e., generated by the prover algorithm $\Pi.\mathrm{P}$ under $crs$) for an instance $x$ was created, and this even holds for multiple, adaptively chosen instances depending on $crs$.

ZK: (Zero-knowledge) There is a simulator $\Pi.\mathrm{Sim.crs}$ returning a simulated CRS $crs_0$ and associated trapdoor $std$, and an accomplice simulator $\Pi.\mathrm{Sim.pf}$ taking an instance $x \in L(R)$ and $std$ and returning a proof, such that an adversary given $crs_b$ cannot tell whether a proof it receives was created honestly (with the honest prover algorithm, an honest $crs_1$ and a witness; the $b = 1$ case) or via $\Pi.\mathrm{Sim.pf}$ (the $b = 0$ case). Moreover this holds even for multiple, adaptively chosen instances depending on $crs_b$.

NIZK security under subversion. The key change in our model is that the adversary generates the CRS. It can retain, via its coins $r$, some kind of “backdoor” related to this CRS. In Sect. 4 we formalize the following goals:

S-SND: (Subversion soundness) It is hard for the adversary to generate a (malicious) CRS $crs$ together with an instance $x \notin L(R)$ and a valid proof $\pi$ for $x$ relative to $crs$. (The goal of the subvertor here is to create a CRS that allows it to give proofs of false statements.)

S-WI: (Subversion witness indistinguishability) Even if the adversary creates $crs$ maliciously and retains the corresponding coins $r$, it can't tell under which of two valid witnesses an honest proof (meaning one generated by the prover algorithm $\Pi.\mathrm{P}$ under the subverted $crs$) for an instance $x$ was created, and moreover this holds even for multiple, adaptively chosen instances depending on $crs$.

S-ZK: (Subversion zero knowledge) For any adversary $\mathcal{X}$ creating a malicious CRS $crs_1$ using coins $r_1$, there is a simulator $\mathrm{S.crs}$ returning not only a simulated CRS $crs_0$ and associated trapdoor $std$ but also simulated coins $r_0$, and an accomplice simulator $\mathrm{S.pf}$ taking an instance $x \in L(R)$ and $std$ and returning a proof, such that an adversary $\mathcal{A}$ given $crs_b, r_b$ cannot tell whether a proof it receives was created honestly (with $\Pi.\mathrm{P}$ using $crs_1$ and a witness; the $b = 1$ case) or via $\mathrm{S.pf}$ (the $b = 0$ case). Moreover this holds even for multiple, adaptively chosen instances depending on $crs_b, r_b$.

The right side of Fig. 1 may help situate the notions. It shows the obvious rela- 
tions: S-X implies X; ZK implies WI and S-ZK implies S-WI. 

Achievability. Is subversion resistance achievable? This question first needs to be meaningfully posed. The subversion resistance goals are easy to achieve in isolation. For example, S-SND is achieved for any NP relation by having the prover send the witness, but this is not ZK. S-ZK is achieved by having the prover send the empty string as the proof and having the verifier always accept, but this is not SND. Such trivial constructions are uninteresting. The interesting question is whether meaningful combinations of the goals are simultaneously achievable. A pragmatic viewpoint is that we already have systems achieving SND+WI+ZK. We want to “upgrade” these to get some resistance to subversion. While retaining SND, WI and ZK, what can be added from the list S-SND, S-WI, S-ZK? Can we have them all? Are things so bad that we can have none? We will be able to completely categorize what is achievable and what is not, and will see that the truth is somewhere between these extremes and on the whole the news is perhaps more positive than we might have expected. Our core results are summarized in the table on the left side of Fig. 1. In any row, we are considering simultaneously achieving the notions indicated by the bullets. The last column indicates whether or not it is possible. We now discuss these results, beginning with the negative result of the first row.

Negative result. We first ask whether we can achieve S-SND (soundness for 
a malicious CRS) while retaining what we have now, namely SND, WI and 
ZK. Result N (the first row of Fig. 1) indicates that we cannot. It says that 
[Fig. 1 chart: extraction kept only the row labels P2 (Thm. 5) and P3 (Thm. 6).]

Fig. 1. Left: Achievability chart showing our negative result N and positive results P1, P2, P3. In a row we refer to simultaneously achieving all selected notions. Right: Relations.


there is no NI system that achieves both ZK and S-SND. (More precisely, this is only possible for trivial NP-relations, i.e., where verifiers can check if $x \in L(R)$ themselves.) We stress that ZK here is the standard notion where the CRS is honest. We are not asking for S-ZK but only to retain ZK. The proof of Theorem 1 establishing this uses the paradigm of GO [36] of using the simulator to break soundness.

Positive results. Figure 1 lists three positive results that we discuss in turn:

P1: The most desirable target is S-ZK. By result N it cannot be achieved in combination with S-SND. The next best thing would be to get it in combination with SND. We show in Theorem 3 that this is possible. Since S-ZK implies ZK, S-WI and WI, this yields result P1 of the table of Fig. 1, showing we can simultaneously achieve all notions but S-SND. Theorem 3 is based on a knowledge-of-exponent assumption (KEA) in a group equipped with a bilinear map. The assumption is certainly strong, but (1) this is to be expected since our goal implies certain forms of 2-move interactive ZK that have themselves only been achieved under extractability assumptions [15], (2) similar assumptions have been made before [39], and (3) unlike other knowledge assumptions [15], our assumption is not ruled out assuming indistinguishability obfuscation. See the beginning of Sect. 6.1 for a high-level description of the ideas of our construction.

P2: The question left open by P1 is whether there is some meaningful way to achieve S-SND. (It is the one item missing in row P1.) We know from result N that we cannot do this in combination with ZK. Result P2 of the table of Fig. 1 says that we can do the best possible given this limitation. Namely, we can simultaneously achieve both S-SND and S-WI (and thus SND and WI). Theorem 5 establishing this is under a standard assumption, namely the decision-linear assumption (DLin). It follows easily from the existence of a SND and WI NI system with trivial CRS under DLin [42] and the observation (Lemma 4) that any such system is obviously also S-SND and S-WI.
P3: Result P3 of Fig. 1 represents “hedging.” The system has the desired properties (SND, WI, ZK) under an honest CRS. When the CRS is maliciously chosen, it does not break completely; it retains witness indistinguishability in the form of S-WI. In practice this offers quite a bit of protection. Our hedging construction combines a PRG with a zap. (A zap is a 2-move witness-indistinguishable interactive protocol [30].)

Result P3 may seem redundant; isn't it implied by P1? (Indeed it selects a strict subset of the notions selected by P1.) While P1 uses strong (extractability) assumptions, P3 is established in Theorem 6 under the minimal assumption that some SND+WI+ZK NI system exists. Our hedging thus adds no extra assumptions. This is because a zap can be built from any SND+ZK NI system [30].

Full achievability picture. The broad question we have asked is, which combinations of the six notions SND, WI, ZK, S-SND, S-WI, S-ZK are simultaneously achievable? Fig. 1 looks at four combinations. But there are in principle $2^6$ combinations about which one could ask. In the full version [6] we go systematically over all combinations and evaluate achievability. We are able to give the answer in all cases. Briefly, Fig. 1 covers the interesting cases, which is why we have focused on those here, and other cases are dealt with relatively easily.

Other notions. We have been selective rather than exhaustive with regard 
to which notions to consider in this setting, focusing on the basic soundness, 
witness indistinguishability and zero knowledge. There are many other notions 
in this area that could be considered including robustness, simulation soundness 
and extractability [26,28,38,41] but it seems fairly apparent that these stronger 
notions will be subject to commensurately strong negative results with regard 
to security under CRS subversion. For example, extractability asks that the 
simulator can create a CRS such that, with a trapdoor it withholds, it can 
extract the witness from a valid proof. But if so, a subvertor can create the CRS 
like the simulator so that it has the trapdoor and can also extract the witness. 

2 Discussion and Related Work 

Relation to 2-move protocols. There is a natural connection between NI systems and 2-move interactive protocols in which NI system $\Pi$ corresponds to the protocol 2MV in which the verifier first sends the CRS and the prover sends the proof in the second move. We can then think of the following correspondence of notions for $\Pi$ and 2MV: S-WI $\leftrightarrow$ ZAP; ZK $\leftrightarrow$ honest-verifier ZK; S-ZK $\leftrightarrow$ full (cheating-verifier) ZK. This analogy provides intuition and insight and opens up connections we exploit for both positive and negative results, but one must be wary that the analogy is not fully accurate in either direction. We look separately at this for negative and positive results.

On the negative side, many forms of 2-move ZK are impossible [4,36]. This does not directly imply that S-ZK is impossible because S-ZK does not imply these particular forms of 2-move ZK. For example, S-ZK does not incorporate auxiliary inputs and thus does not imply auxiliary-input 2-move ZK, so the fact that the latter is ruled out [36] does not mean the former is ruled out. (Why does our definition of S-ZK not incorporate auxiliary inputs? One reason was exactly to avoid the impossibility results. But also, an important reason to introduce auxiliary inputs in the interactive case was to be able to prove that ZK for multiple instances is provided, by sequential composition. But our S-ZK formulation already and directly requires security for multiple, adaptively chosen instances, removing the main motivation for auxiliary inputs.)

On the positive side, some forms of 2-move ZK are possible [4,5,15,50]. A 
natural question is whether one can obtain S-ZK+SND (the goal of P1) from 
them by the obvious transformation, namely to make the verifier’s move the CRS. 
Unfortunately, this does not in general achieve S-ZK. In particular the simulation 
requirement for S-ZK is stronger than for ZK because the simulated CRS must 
be produced upfront without knowing the instance, and then the simulator must 
be able to adaptively produce simulated proofs for multiple instances. 

So 2-move ZK as claimed and proven by [4,5,15] does not directly yield 
S-ZK. The next natural question is whether the protocols of these papers can, 
nonetheless, be directly shown to have the stronger properties needed to obtain 
S-ZK. This appears to be the case for the protocols of [4,15,50], because the 
verifier’s first message does not depend on the instance. Starting from BLV [4], 
the assumption would be that Micali’s conjecture [48] (there exist CS proofs or 
two-round universal arguments) is true. Starting from BCPR [15], the assumption 
would be the existence of privately verifiable P-delegation, 1-hop FHE, 
and a complexity-leveraging commitment scheme. In this light, we have chosen 
to present our knowledge-of-exponent based P1 construction as a concrete, 
self-contained illustration of one simple route to S-ZK+SND from a plausible 
assumption, but other routes are possible. We do note that BLV [4] themselves 
view their assumption as so strong that they hesitate to call their result a positive 
one, instead referring to it as “a negative result on negative results.” 

BP [5] build one-message ZK arguments, but the simulation is super-polynomial 
time. (This is also true of the construction of Pass [50].) These would thus 
yield S-ZK with super-polynomial-time simulation. But we require simulation 
for S-ZK to be polynomial time. This is in keeping with the intuition behind 
zero-knowledge that the entity running the verifier in the protocol should be 
able to run the simulator to produce a similar view. 

Finally, in the bare public-key model of [21], Wee [56] constructs a weak 
non-uniform non-interactive zero-knowledge argument. This can be turned into 
a NI system by using the verifier’s public key as the CRS. However this form 
of ZK allows a super-polynomial simulator whose size depends on the size of 
the distinguisher and the distinguishing gap, and this is weaker than S-ZK. Also 
Wee’s [56] construction is only proved for one instance, while in S-ZK we require 
security for multiple, adaptively-chosen instances. 

Context. Resistance of NIZKs to parameter subversion may not be of immediate 
practical relevance but we believe it is an important long-term consideration 
for this technology. The foundational tradition has always had as its stated goal 
to model and capture realistic, practical attacks and then investigate theoretically 
whether or not security can be achieved. Parameter subversion is such a 
realistic attack not previously considered, and it leads us to revisit the foundations 
of NIZKs to bring it into the picture. We are seeing large efforts in the 
creation of efficient NIZKs and their implementation in systems towards eventual 
applications [11-13,31,39,44]. For security, parameter subversion must be 
kept in mind from the start. 

A standard suggestion to protect against CRS subversion is to generate the 
CRS via a multi-party computation protocol so that no particular party controls 
the outcome. This is pursued in [11]. The effectiveness and practicality of this 
solution are not very clear. What parties would perform this task, and why 
can we trust any of them? The Snowden revelations indicate that corporations 
cooperate with the NSA toward subversion, either willingly or due to court 
orders. NIZKs with built-in resistance to subversion, as we define and achieve, 
provide greater protection. 

One might note that in some applications, such as the use of NIZKs for 
signatures [7,23,28] and IND-CCA encryption [29,49], users can pick their own 
CRS and be confident of its quality. However this blows up key sizes and increases 
system complexity. It would be more convenient if there were a single, global 
CRS, in which case resistance to subversion matters. 

CPs [22] study UC-secure computation in a model where the CRS is drawn 
from a distribution that is adversarially chosen subject to several restrictions, 
including that it has high min-entropy and is efficiently sampleable via an algo- 
rithm known to the simulator. They do not consider NIZKs, and in their model 
the CRS is not chosen fully maliciously, with no restrictions, as in our model. 
GO [41] studied the “multi-CRS” model where the adversary can substitute t 
out of m CRSs, GGJS [33] consider replacing a single trusted setup in UC with 
multiple, untrusted ones and KKZZ [46] consider distributing the setup for UC- 
secure multi-party computation. Concern with trust in a CRS is exhibited in the 
context of elections by KZZ [47], who have the CRS generated by the election 
authority using the voter’s coins. 

Algorithm-substitution attacks, studied in [3,9], are another form of subversion, 
going back to the broader framework of kleptography [57,58]. Back-doored 
blockciphers were studied in [51-53]. DGGJR [27] provide a formal treatment 
of back-dooring of PRGs in response to the Dual EC debacle. The cliptography 
framework [54] aims to capture many forms of subversion. 

3 Notation 

The empty string is denoted by ε. If x is a (binary) string then |x| is its length. 
If S is a finite set then |S| denotes its size and s ←$ S denotes picking an 
element uniformly from S and assigning it to s. We denote by λ ∈ N the security 
parameter and by 1^λ its unary representation. Algorithms are randomized unless 
otherwise indicated. “PT” stands for “polynomial time”, whether for randomized 
or deterministic algorithms. By y ← A(x_1, . . . ; r) we denote the operation 
of running A on inputs x_1, . . . and coins r and letting y denote the output. By 
y ←$ A(x_1, . . .), we denote letting y ← A(x_1, . . . ; r) for random r. We denote by 
[A(x_1, . . .)] the set of points that have positive probability of being output by A 
on inputs x_1, . . . . Adversaries are algorithms. Complexity is uniform throughout: 
scheme algorithms and adversaries are Turing Machines, not circuit families. 

For our security definitions and some proofs we use the code-based game 
playing framework of [10]. A game G (e.g. Fig. 2) usually depends on some scheme 
and executes one or more adversaries. It defines oracles for the adversaries as 
procedures. The game eventually returns a boolean. We let Pr[G] denote the 
probability that G returns true. 

4 Security of NIZKs Under CRS Subversion 

We first recall and discuss standard notions of NIZK security in the setting used 
until now where the CRS is trusted. We then formulate new notions of NIZK 
security in the setting where the CRS is subverted, starting with the syntax. 


4.1 NP Relations and NI Systems 

NP relations. Proofs pertain to membership in an NP language defined by 
an NP relation, and we begin with the latter. Suppose R: {0,1}* × {0,1}* → 
{true, false}. For x ∈ {0,1}* we let R(x) = {w : R(x, w) = true} be the witness 
set of x. We say that R is an NP relation if it is PT and there is a polynomial 
R.wl: N → N called the maximum witness length such that every w in R(x) has 
length at most R.wl(|x|) for all x ∈ {0,1}*. We let L(R) = {x : R(x) ≠ ∅} 
be the language associated to R. The fact that R is an NP relation means that 
L(R) ∈ NP. We now go on to security properties, first giving formal definitions 
and then discussions. 

NI systems. A non-interactive (NI) system specifies the syntax of the proof 
system. We can then consider various security attributes, including soundness, 
zero knowledge and witness indistinguishability. Formally, a NI system 
Π for R specifies the following PT algorithms. Via crs ←$ Π.Pg(1^λ) one 
generates a common reference string crs. Via π ←$ Π.P(1^λ, crs, x, w) the honest 
prover, given x and w ∈ R(x), generates a proof π that x ∈ L(R). Via 
d ← Π.V(1^λ, crs, x, π) a verifier can produce a decision d ∈ {true, false} indicating 
whether π is a valid proof that x ∈ L(R). We require (perfect) completeness, 
namely Π.V(1^λ, crs, x, Π.P(1^λ, crs, x, w)) = true for all λ ∈ N, all crs ∈ [Π.Pg(1^λ)], 
all x ∈ L(R) and all w ∈ R(x). We also require that Π.V returns false if any of 
its arguments is ⊥. 


4.2 Notions for Honest CRS: SND, WI and ZK 

Soundness. Soundness asks that it be hard to create a valid proof for x ∉ L(R). 
Formally, we say that Π is sound for R, abbreviated SND, if Adv^snd_{Π,R,A}(·) is 
negligible for all PT adversaries A, where Adv^snd_{Π,R,A}(λ) = Pr[SND_{Π,R,A}(λ)] and 
game SND is specified in Fig. 2. This is a computational soundness requirement 
as opposed to a statistical one, as is sufficient for applications. 

WI. This notion [32] requires that a PT adversary, which chooses two witnesses, 
cannot tell which one was used to create a proof. Formally, we say that 
Π is witness-indistinguishable (WI) for R, if Adv^wi_{Π,R,A}(·) is negligible for all PT 
adversaries A, where Adv^wi_{Π,R,A}(λ) = 2 Pr[WI_{Π,R,A}(λ)] − 1 and game WI is specified 
in Fig. 2. In this game, an adversary A can request a proof for x under one of 
two witnesses w_0, w_1. It is returned an honestly generated proof under w_b where 
b is the challenge bit. It can adaptively request and obtain many such proofs 
before outputting a guess b' for b. The game returns true if this guess is correct. 

ZK. We say that Π is zero-knowledge for R, abbreviated ZK, if Π specifies additional 
PT algorithms Π.Sim.crs and Π.Sim.pf such that Adv^zk_{Π,R,A}(·) is negligible 
for all PT adversaries A, where Adv^zk_{Π,R,A}(λ) = 2 Pr[ZK_{Π,R,A}(λ)] − 1 and game 
ZK is specified in Fig. 2. Adversary A can adaptively request proofs by supplying 
an instance and a valid witness for it. The proof is produced either by the honest 
prover using the witness, or by the proof simulator Π.Sim.pf using a trapdoor 
std. The adversary outputs a guess b' as to whether the proofs were real or 
simulated. 

DISCUSSION. The classical definitions of soundness and zero knowledge for proof 
systems [37] were in what we will call the complexity-theoretic style. The soundness 
condition said that for all x ∉ L(R), the probability that a dishonest prover 
could convince the honest verifier to accept was low. Zero knowledge, similarly, 
looked at distributions associated to a fixed x ∈ L(R) and then at ensembles over 
x. The first definition for NIZK was similar [16]. But over time, NIZK definitions 
have adapted to what we call a cryptographic style [26,43]. This is the style we 
use because it seems more prevalent now and it works better for applications. 
Here x is not quantified but chosen by an adversary. The definitions directly 
capture proofs for multiple, related statements. All adversaries are PT, meaning 
all metrics are computational. 

One consequence of the complexity-theoretic style was a need for non-uniform 
complexity for adversaries and assumptions [35,37]. In [34] Goldreich made a case 
for uniform complexity. The cryptographic style we adopt is in this vein, and in 
our setting all complexity (adversaries, algorithms, assumptions) is uniform. 

4.3 Notions for Subverted CRS: S-SND, S-WI and S-ZK 

A core assumption in NIZKs is that the CRS is honestly generated. In light 
of subversion of parameters in other contexts as part of the mass-surveillance 
revelations, we ask what would happen if the CRS were maliciously generated. 
We will define subversion-resistance analogues S-SND, S-WI and S-ZK of the 
SND, WI, ZK goals above. The key difference is that the CRS is selected by an 
adversary rather than via the CRS-generation algorithm Π.Pg prescribed by Π. 
Game SND_{Π,R,A}(λ)
  crs ←$ Π.Pg(1^λ)
  (x, π) ←$ A(1^λ, crs)
  Return (x ∉ L(R) and Π.V(1^λ, crs, x, π))

Game S-SND_{Π,R,A}(λ)
  (crs, x, π) ←$ A(1^λ)
  Return (x ∉ L(R) and Π.V(1^λ, crs, x, π))

Game WI_{Π,R,A}(λ)
  b ←$ {0,1}
  crs ←$ Π.Pg(1^λ)
  b' ←$ A^Prove(1^λ, crs)
  Return (b = b')

  Prove(x, w_0, w_1)
    If R(x, w_0) = false or R(x, w_1) = false then Return ⊥
    π ←$ Π.P(1^λ, crs, x, w_b)
    Return π

Game S-WI_{Π,R,A}(λ)
  b ←$ {0,1}
  (crs, st) ←$ A(1^λ)
  b' ←$ A^Prove(1^λ, crs, st)
  Return (b = b')

  Prove(x, w_0, w_1)
    If R(x, w_0) = false or R(x, w_1) = false then Return ⊥
    π ←$ Π.P(1^λ, crs, x, w_b)
    Return π

Game ZK_{Π,R,A}(λ)
  b ←$ {0,1}
  crs_1 ←$ Π.Pg(1^λ)
  (crs_0, std) ←$ Π.Sim.crs(1^λ)
  b' ←$ A^Prove(1^λ, crs_b)
  Return (b = b')

  Prove(x, w)
    If R(x, w) = false then Return ⊥
    If b = 1 then π ←$ Π.P(1^λ, crs_1, x, w)
    Else π ←$ Π.Sim.pf(1^λ, crs_0, std, x)
    Return π

Game S-ZK_{Π,R,X,S,A}(λ)
  b ←$ {0,1}
  r_1 ←$ {0,1}^{X.rl(λ)} ; crs_1 ← X(1^λ; r_1)
  (crs_0, r_0, std) ←$ S.crs(1^λ)
  b' ←$ A^Prove(1^λ, crs_b, r_b)
  Return (b = b')

  Prove(x, w)
    If R(x, w) = false then Return ⊥
    If b = 1 then π ←$ Π.P(1^λ, crs_1, x, w)
    Else π ←$ S.pf(1^λ, crs_0, std, x)
    Return π

Fig. 2. Games defining standard (left) and subversion (right) security of NI system Π. 
Top to bottom: Soundness, witness indistinguishability, zero knowledge. 


Subversion soundness. Subversion soundness asks that if a subvertor creates 
a CRS in any way it likes, it will still be unable to prove false statements 
under that CRS. Formally, we say that Π is subversion-sound (abbreviated 
S-SND) for R if Adv^s-snd_{Π,R,A}(·) is negligible for all PT adversaries A, where 
Adv^s-snd_{Π,R,A}(λ) = Pr[S-SND_{Π,R,A}(λ)] and game S-SND is specified in Fig. 2. Compared 
to the honest-CRS game SND to the left of it, the adversary now not only 
generates x and π, but itself supplies crs, modeling a malicious choice of the 
latter. 

Subversion WI. Subversion WI asks that if a subvertor creates a CRS in any 
way it likes then it will still be unable to tell which of two witnesses was used to 
create a proof, even given both witnesses. Formally, we say that Π is subversion 
witness-indistinguishable (S-WI) for R if Adv^s-wi_{Π,R,A}(·) is negligible for all PT 
adversaries A, where Adv^s-wi_{Π,R,A}(λ) = 2 Pr[S-WI_{Π,R,A}(λ)] − 1 and game S-WI 
is specified in Fig. 2. Compared to the honest-CRS game WI, the CRS crs is 
now generated by the adversary in a first stage, along with state information 
st passed to its second stage. In the latter, via its Prove oracle, it adaptively 
obtains proofs for instances of its choice under a challenge witness, and outputs a 
guess b' for the challenge b. The state can contain the coins of A or any trapdoor 
associated to crs that A chooses to put there helping its distinguishing task. 

Subversion ZK. Subversion ZK asks that for any CRS subvertor X creating a 
CRS in any way it likes there is a simulator able to produce the full view of the 
CRS subvertor, including its coins and proofs corresponding to adaptively chosen 
instances, without knowing the witnesses. Formally, a simulator S for X specifies 
PT algorithms S.crs and S.pf. Now consider game S-ZK of Fig. 2 associated to 
Π, R, X, S and an adversary A. We let Adv^s-zk_{Π,R,X,S,A}(λ) = 2 Pr[S-ZK_{Π,R,X,S,A}(λ)] − 
1. We say that Π is subversion zero-knowledge (S-ZK) for R if for all PT CRS 
subvertors X there is a PT simulator S such that for all PT A the function 
Adv^s-zk_{Π,R,X,S,A}(·) is negligible. 

In this game, if the challenge bit b is 1 then the CRS crs_1 is generated via 
X with the coins r_1 made explicit. Otherwise, if b = 0, the first stage S.crs of 
the simulator is run to produce simulated versions crs_0, r_0 not only of the CRS 
but also of the coins of X. Alongside, S.crs produces a simulation trapdoor std 
as in ZK to allow its second stage to simulate proofs. Now, A gets to request its 
Prove oracle for proofs of instances of its choice. If b = 1, these are produced 
by the honest prover with the given witness; but if b = 0, they are produced via 
the second stage S.pf of the simulator using the simulation trapdoor std and no 
witness. Adversary A produces its guess b' and wins if b' = b. 

The definition reflects that X here is like a cheating verifier in classical 
ZK [37]. The simulator thus needs to produce its coins as well as the transcript 
of its interaction with its oracle. But also, to reflect the ZK requirement 
of non-interactive systems above, more is required, namely that the simulator 
must first produce the simulated CRS and coins, and then, in its second stage, be 
able to produce simulated proofs. The definition is thus quite demanding. Note 
that the simulator can depend (in a non-blackbox way) on X, but not on A. The 
latter is important to ensure that S-ZK implies ZK. 

4.4 2-Move Protocols 

We will have many occasions to refer to and use 2-move interactive protocols, 
so we fix a syntax for them. A 2-move protocol 2MV for NP relation R specifies 
PT algorithms 2MV.V, 2MV.P, 2MV.D. Via (m_1, st) ←$ 2MV.V(1^λ, x) the 
honest verifier generates the first move message m_1 on input x, retaining associated 
state information st. Via m_2 ←$ 2MV.P(1^λ, x, w, m_1) the honest prover 
generates a reply computed from x, a witness w ∈ R(x) and the first move message 
m_1. Deterministic decision algorithm 2MV.D takes x, m_1, m_2, st and returns 
a boolean decision. Security notions will be discussed as needed. 
5 Negative Result: ZK and S-SND Are Not Compatible 

All the different forms of subversion security (S-SND, S-WI, S-ZK) are easy to 
achieve in isolation. For example sending the witness as the proof achieves 
S-SND (but this is not ZK). Having the verification algorithm always accept and 
sending the empty string as the proof achieves S-ZK (but not SND). These kinds 
of results are not interesting. We want to study the simultaneous achievability 
of meaningful combinations of the notions, meaning some kind of soundness 
together with some kind of zero knowledge or witness indistinguishability. 

We already have NI systems that are SND+ZK and we do not want to degrade 
this. If now the CRS is subverted, what more can we have without losing the 
initial properties? The first question we ask is, can we up the ante for soundness, 
meaning add S-SND? That is, we want subversion soundness while retaining ZK. 
We will show that this is not possible. 

An impossibility result in this domain means no NI system satisfying the 
conditions exists unless the relation R is trivial. Roughly, trivial means that the 
verification algorithm can decide membership in L ( R) on its own. Impossibility 
results of this type begin with Goldreich and Oren (GO) [36]. Their definition 
of R being trivial was simple, namely that it is in BPP. This will not suffice 
here, so we begin with a more precise definition of relation triviality and an 
explanation of why it is needed. 


Game DEC_{IG,R,M}(λ)
  (x, w) ←$ IG(1^λ) ; d_1 ← R(x, w)
  If (x ∈ L(R) and d_1 = false) then return false
  d_0 ←$ M(1^λ, x) ; return (d_0 ≠ d_1)

Fig. 3. Game defining language triviality 


Relation triviality. The definition of a relation R being trivial if L(R) ∈ 
BPP works when the formulations of ZK and soundness are in the complexity-theoretic 
style, meaning the conditions refer to universally quantified inputs. As 
discussed in Sect. 4.2 however, our formulations, following modern treatments of 
NI systems in the literature, are in the cryptographic style, which is better suited 
for applications. Here the only instances that come into play are those that can 
be generated by PT algorithms, and the only positive instances that come into 
play are those generated with witnesses. In this setting, BPP will not work as 
a definition of triviality because membership in standard complexity classes like 
BPP refers to arbitrary inputs, not merely ones that one can generate in PT. For 
our purposes we thus give a definition of a language (actually an NP relation) 
being trivial, which can be seen as defining a cryptographic version of BPP. 

Let R be an NP relation. An instance generator is a PT algorithm that on 
input 1^λ returns a pair (x, w). Here x is a challenge instance that may or may 
not be in L(R), and w should be in R(x) if x ∈ L(R). Let M be an algorithm 
(decision procedure) taking 1^λ, x and returning a boolean representing whether 
or not it thinks x is in L(R). Consider game DEC of Fig. 3 associated to IG, R, M 
and let Adv^dec_{IG,R,M}(λ) = Pr[DEC_{IG,R,M}(λ)]. We say that algorithm M decides R if 
for every PT IG the function Adv^dec_{IG,R,M}(·) is negligible. We say that R is trivial if 
there is a PT algorithm M that decides R. Intuitively, in game DEC, think of IG 
as an adversary trying to make M fail. The game returns true when IG succeeds, 
meaning M returns the wrong decision. A technical point is that if IG generates a 
positive instance x, the game forces it to lose if the witness w is not valid. Thus 
we are asking that M is able to decide membership in PT for instances that can 
be efficiently generated with valid witnesses if the instance is positive. But this 
does not mean it can decide membership on all instances. Thus if L(R) ∈ BPP 
then R is certainly trivial, but the converse need not be true. 

Result. We show that ZK and subversion soundness (S-SND) cannot co-exist, 
meaning only trivial relations will have NI systems with both attributes. We 
stress that we are not asking here for subversion ZK but just plain ZK. 

Theorem 1. Let Π be a NI system satisfying zero knowledge (ZK) and subversion 
soundness (S-SND) for an NP relation R. Then R is trivial. 

The proof follows the basic paradigm of GO [36]. We use the simulator to build 
a cheating prover that violates soundness. In our case this works if soundness 
holds relative to a simulated CRS, but S-SND guarantees this. 


Proof (Theorem 1). Define the following decision procedure M: 

Algorithm M(1^λ, x)
  (crs_0, std_0) ←$ Π.Sim.crs(1^λ) ; π ←$ Π.Sim.pf(1^λ, crs_0, std_0, x)
  Return Π.V(1^λ, crs_0, x, π)


Thus, to decide if x ∈ L(R), algorithm M runs the simulator to get a simulated 
CRS and simulation trapdoor, uses the latter to generate a simulated proof, and 
decides that x ∈ L(R) if this proof is valid. Let IG be any PT instance generator. 
We will show below that Adv^dec_{IG,R,M}(·) is negligible. This shows that R is trivial. 

To show Adv^dec_{IG,R,M}(·) is negligible, below we will define PT adversaries A, B 
such that 

  Adv^dec_{IG,R,M}(λ) ≤ Adv^zk_{Π,R,A}(λ) + Adv^s-snd_{Π,R,B}(λ)   (1) 

for all λ ∈ N. By assumption, Π satisfies ZK and S-SND for R, so the functions 
Adv^zk_{Π,R,A}(·) and Adv^s-snd_{Π,R,B}(·) are both negligible. Thus Eq. (1) implies 
that Adv^dec_{IG,R,M}(·) is negligible, as desired. 

Consider games G_0, G_1, G_2 of Fig. 4. Game G_0 is defined ignoring the box, 
while game G_1 includes it. Games G_0 and G_1 split up the decision process 
depending on whether or not x ∈ L(R). Game G_2 switches to a real CRS and 
proofs, which it can do since the instance generator provided a witness. 

Games G_0, [G_1]
  (x, w) ←$ IG(1^λ) ; d_1 ← R(x, w)
  (crs, std) ←$ Π.Sim.crs(1^λ)
  π ←$ Π.Sim.pf(1^λ, crs, std, x)
  d_0 ← Π.V(1^λ, crs, x, π)
  b ← ((x ∉ L(R)) ∧ (d_0 = true))
  [b ← ((d_1 = true) ∧ (d_0 = false))]    (boxed: only in G_1)
  Return b

Game G_2
  (x, w) ←$ IG(1^λ) ; d_1 ← R(x, w)
  crs ←$ Π.Pg(1^λ)
  π ←$ Π.P(1^λ, crs, x, w)
  d_0 ← Π.V(1^λ, crs, x, π)
  b ← ((d_1 = true) ∧ (d_0 = false))
  Return b

Fig. 4. Games for proof of Theorem 1 

Game DEC returns true iff ((x ∉ L(R)) AND (d_0 = true)) OR ((x ∈ L(R)) 
AND (d_1 = true) AND (d_0 = false)). The first condition in the OR is when game 
G_0 returns true. The second condition in the OR is equivalent to ((d_1 = true) 
AND (d_0 = false)), which is the condition under which game G_1 returns true. 
Furthermore the conditions are mutually exclusive. We thus have 


  Adv^dec_{IG,R,M}(λ) = Pr[G_0] + Pr[G_1] = Pr[G_0] + Pr[G_2] + (Pr[G_1] − Pr[G_2])   (2) 

Notice that by completeness of Π we have 

  Pr[G_2] = 0.   (3) 

Now we specify the adversaries A, B as follows: 

Adversary A^Prove(1^λ, crs)
  (x, w) ←$ IG(1^λ) ; d_1 ← R(x, w)
  π ←$ Prove(x, w) ; d_0 ← Π.V(1^λ, crs, x, π)
  If ((d_1 = true) ∧ (d_0 = false)) then b' ← 0
  Else b' ← 1
  Return b'

Adversary B(1^λ)
  (x, w) ←$ IG(1^λ)
  (crs, std) ←$ Π.Sim.crs(1^λ)
  π ←$ Π.Sim.pf(1^λ, crs, std, x)
  Return (crs, x, π)

Then we have 

  Pr[G_0] ≤ Adv^s-snd_{Π,R,B}(λ)   (4) 
  Pr[G_1] − Pr[G_2] ≤ Adv^zk_{Π,R,A}(λ).   (5) 

Putting together Eqs. (2), (3), (4) and (5) we get Eq. (1). □ 
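The argument of Theorem 1 made concrete, as an added illustration that is not part of the paper or of its authors' work: a toy NI system in Python over a small Schnorr group (parameters constructed here and far too small for real use) whose CRS is h = g^τ and whose proofs show "x ∈ L(R) or the prover knows τ", the OR template that the overview of Sect. 6.1 also sketches. The challenge is derived by hashing the commitments (a Fiat-Shamir heuristic that the paper's model does not use), and the names Pg, Sim_crs, Sim_pf, P_prove, V, M, B and demo are this example's own. Under an honest CRS the system is ZK via its simulator, yet the decision procedure M built from that simulator accepts every instance, and adversary B, which plays the simulator's role as CRS subvertor, makes the verifier accept a false statement, which is exactly the S-SND break the proof constructs.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example only (far too small for real use):
# p = 2q + 1 is a safe prime and G1, G2 generate the order-q subgroup of Z_p^*.
P, Q = 1019, 509
G1, G2 = 4, 9

def rand_exp():
    return secrets.randbelow(Q - 1) + 1      # uniform non-zero exponent in Z_q

def H(*parts):
    """Fiat-Shamir challenge in Z_q (a random-oracle heuristic; not the paper's model)."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def R(x, w):
    """NP relation: x = (y1, y2) holds iff y1 = G1^w and y2 = G2^w."""
    y1, y2 = x
    return pow(G1, w, P) == y1 and pow(G2, w, P) == y2

def Sim_crs():
    """Pi.Sim.crs: CRS h = G1^tau together with the simulation trapdoor tau."""
    tau = rand_exp()
    return pow(G1, tau, P), tau

def Pg():
    """Pi.Pg: honest CRS generation; the trapdoor never leaves this function."""
    h, _tau = Sim_crs()
    return h

def or_proof(crs, x, real_branch, secret):
    """OR-proof of (R(x, w): Chaum-Pedersen) OR (tau = log_G1 crs is known: Schnorr).
    real_branch 0: prove the left clause with w = secret, simulate the right one.
    real_branch 1: prove the right clause with tau = secret, simulate the left one."""
    h, (y1, y2) = crs, x
    r, c_sim, z_sim = rand_exp(), rand_exp(), rand_exp()
    if real_branch == 0:
        a0, b0 = pow(G1, r, P), pow(G2, r, P)                   # real commitment
        a1 = pow(G1, z_sim, P) * pow(h, (-c_sim) % Q, P) % P    # simulated right clause
    else:
        a0 = pow(G1, z_sim, P) * pow(y1, (-c_sim) % Q, P) % P   # simulated left clause
        b0 = pow(G2, z_sim, P) * pow(y2, (-c_sim) % Q, P) % P
        a1 = pow(G1, r, P)                                      # real commitment
    c_real = (H(h, y1, y2, a0, b0, a1) - c_sim) % Q             # challenges sum to H(...)
    z_real = (r + c_real * secret) % Q
    if real_branch == 0:
        return (a0, b0, a1, c_real, c_sim, z_real, z_sim)
    return (a0, b0, a1, c_sim, c_real, z_sim, z_real)

def P_prove(crs, x, w):
    """Pi.P: honest prover, needs the witness."""
    return or_proof(crs, x, 0, w)

def Sim_pf(crs, std, x):
    """Pi.Sim.pf: proof simulator, needs the trapdoor and no witness."""
    return or_proof(crs, x, 1, std)

def V(crs, x, pi):
    """Pi.V: deterministic verifier."""
    h, (y1, y2) = crs, x
    a0, b0, a1, c0, c1, z0, z1 = pi
    if (c0 + c1) % Q != H(h, y1, y2, a0, b0, a1):
        return False
    left = (pow(G1, z0, P) == a0 * pow(y1, c0, P) % P
            and pow(G2, z0, P) == b0 * pow(y2, c0, P) % P)
    right = pow(G1, z1, P) == a1 * pow(h, c1, P) % P
    return left and right

def M(x):
    """Decision procedure of the proof of Theorem 1: accept iff a simulated proof verifies."""
    crs0, std0 = Sim_crs()
    return V(crs0, x, Sim_pf(crs0, std0, x))

def B(x):
    """Adversary B of Theorem 1: a subverted CRS (trapdoor kept) plus a simulated proof."""
    crs, std = Sim_crs()
    return crs, x, Sim_pf(crs, std, x)

def demo():
    w = rand_exp()
    x_true = (pow(G1, w, P), pow(G2, w, P))              # in L(R), witness w
    x_false = (pow(G1, w, P), pow(G2, (w + 1) % Q, P))   # not in L(R): exponents differ
    crs = Pg()
    crs_b, x_b, pi_b = B(x_false)
    return {
        "honest proof verifies": V(crs, x_true, P_prove(crs, x_true, w)),
        "R(x_true, w)": R(x_true, w),
        "R(x_false, w)": R(x_false, w),
        "M(x_true)": M(x_true),
        "M(x_false)": M(x_false),          # True: M errs on every false instance
        "S-SND broken by B": x_b == x_false and V(crs_b, x_b, pi_b),
    }
```

Calling demo() returns all entries True except "R(x_false, w)". The reason M is wrong on every false instance is the content of the theorem: the simulator's CRS is, from the verifier's side, indistinguishable from a CRS a subvertor produced while retaining the trapdoor, so any CRS-generation path that could leak Sim.crs-style state to a participant collapses soundness in the same way, which is why the S-SND game simply lets the adversary choose crs outright.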

6 Positive Results 

We already have NI systems that are SND+ZK, or SND+WI. We ask, if the CRS 
is subverted, what more can we have without losing the initial properties? Can we 
add S-ZK? In Sect. 6.1 we answer this question positively (result P1), showing 
a protocol that is SND+S-ZK under a knowledge-of-exponent assumption (KEA) 
in a group equipped with a bilinear map. In light of negative result N, this is 
the best we can achieve if we want to retain ZK in presence of CRS subversion. 




Can we add S-SND? In light of N, we know that we cannot have S-SND 
and any form of ZK together. The best we can achieve while retaining S-SND is 
S-WI. In Sect. 6.2 we show that there exist NI systems that are S-SND+S-WI 
(result P2). 

Result P1 provides S-ZK but requires KEA. A natural question is, if we relax 
the requirement of S-ZK and aim to retain S-WI, can we achieve it from weaker 
assumptions? In Sect. 6.3 we show that there exists a NI system that is SND, ZK 
and S-WI under the weaker assumption that one-way functions and zaps exist. 


6.1 Soundness and Subversion ZK 

Overview. To achieve S-ZK, a simulator must be able to simulate proofs under 
a CRS output by a subvertor. As opposed to ZK, the simulator thus cannot 
embed a trapdoor in the CRS, nor can it extract one from the subvertor by 
rewinding, as there is no interaction with it. We will instead rely on a knowledge 
assumption, stating that an algorithm can only produce a certain output if it 
knows underlying information. This is formalized by requiring that there exists 
an extractor that extracts the information from the algorithm. We will use this 
information as the simulation trapdoor, which we can extract from a subvertor 
outputting a CRS. For soundness, a minimal requirement is that it is hard for 
the adversary to obtain the trapdoor from an honestly generated CRS. 

The knowledge-of-exponent assumption (KEA) for a group G, generated by g, 
states that from any algorithm which given a random element h ∈ G returns 
a pair of the form (g^s, h^s) one can efficiently extract s. A possible approach for 
a NI system is to define the CRS as a pair (g^s, h^s), for random s, and define a 
proof for x ∈ L to prove that either x ∈ L or one knows the value s in the CRS. 
By extracting s, the simulator in the S-ZK game can simulate proofs, while the 
adversary in the soundness game must supposedly use a witness for x, since it 
does not know s. 

There are two problems with this approach: who chooses the group G and 
who chooses the element h used to prove knowledge of s? We address the first 
problem by letting the group G be part of the scheme specification. As for the 
choice of h, it cannot be chosen at CRS setup, since if the subvertor knows 
η = log h, it can produce a CRS (S_1, S_2) without knowing s by randomly 
picking S_1 ←$ G and setting S_2 ← S_1^η. Fixing h and letting it also be 
part of the scheme description is problematic, since again, what guarantees that 
the subvertor does not know its logarithm and can thereby break KEA? We 
overcome this issue by defining a new type of KEA, stating that in order to 
produce elements (h = g^η, g^s, h^s), one has to either know s or η. As tuples of 
this form are Diffie-Hellman tuples, we call the assumption DH-KEA. 

We define a CRS as a tuple (g^{s_0}, g^{s_1}, g^{s_0 s_1}) and let a proof for a statement 
x prove that either there is a witness for x or one knows s_0 or s_1. We 
prove knowledge by adding a ciphertext C and use a perfectly sound witness-indistinguishable 
NI proof ζ with trivial CRS (a.k.a. a non-interactive zap) to 
prove that either x ∈ L or C encrypts s_0 or s_1. (Using linear encryption for C 
and the NI system by GOS [42], both IND-CPA of C, as well as WI of ζ, follow 
from the decision-linear assumption (DLin) [18].) 

The sketched scheme is ZK since by encrypting the trapdoor s_0 (or s_1) proofs 
can be simulated, and by IND-CPA of C and WI of ζ they are indistinguishable 
from real ones. But we defined the CRS to allow even more: by DH-KEA, from a 
CRS subvertor we can extract either s_0 or s_1, which should yield S-ZK. Not quite, 
since the subvertor could simply output random group elements (S_0, S_1, S_2), 
from which we cannot extract. Since the GOS NI system requires a bilinear 
group, we can use its pairing to check CRS well-formedness. The proving (and 
verification) algorithm can then reject a malformed CRS, which together with 
simulatability under a well-formed CRS yields S-ZK. 

Soundness intuitively holds because, by soundness of ζ, a proof for a wrong 
statement must contain an encryption of s_0 or s_1, which should be infeasible to 
obtain from an honestly generated CRS if computing discrete logarithms (DL) 
is hard. (Given a DL challenge S, one can randomly set S_0 or S_1 to S, and 
with constant probability the proof contains an encryption of log S.) To formally prove 
soundness, the reduction must recover s from C. We could include in the CRS 
a public key under which C is to be encrypted: the reduction sets up the CRS, 
knows the decryption key and can obtain s. Alas, this would break S-ZK: an 
adversary that created the CRS could also decrypt C and thereby distinguish 
real proofs from simulated ones. 

We therefore include the linear-encryption key pk = (g^u, g^v) in the proof 
rather than the CRS. But how would the soundness reduction then retrieve s? 
Could we use KEA again? Since we can only extract one of two possible logarithms, 
we do the following. The proof contains two public keys pk_0 = (g^{u_0}, g^{v_0}) 
and pk_1 = (g^{u_1}, g^{v_1}) and s is encrypted under both of them. Additionally, 
the proof contains elements g^{u_0 u_1}, g^{u_0 v_1}, g^{v_0 u_1}, g^{v_0 v_1}, whose consistency 
can be verified via the pairing. By DH-KEA, there exists an extractor which 
from (g^{u_0}, g^{u_1}, g^{u_0 u_1}) extracts either u_0 or u_1, another extractor that from 
(g^{u_0}, g^{v_1}, g^{u_0 v_1}) extracts u_0 or v_1, and so on. Together these four extractors 
either yield (u_0, v_0) or (u_1, v_1), thus one of the secret keys corresponding to pk_0 
and pk_1. This way the soundness reduction can extract the value s encrypted in 
a proof for a false statement. At the same time we show that S-ZK still holds. 

In our actual scheme we use the CDH assumption (defined below and implied 
by DLin) instead of DL. The reason is that CDH solutions are group elements, 
which can be efficiently encrypted using linear encryption. The trapdoor is then 
a solution to a CDH instance in the CRS. Besides 14 group elements, the most 
costly component of our proofs is the GOS NI proof ζ. It uses a circuit representation 
of the NP relation R and shows that (a) either R(x, w) for some w, or 
(b) the simulation trapdoor was encrypted (see Eq. (6)). The GOS system [42] 
was further developed by Groth and Sahai [44] yielding very efficient proofs for 
algebraic statements, and we could replace GOS by GS. As the clause (b) that 
we added has precisely this algebraic form, the overhead for turning a proof that 
is merely WI into one that is S-ZK would be quite modest. 
DISCUSSION. Our scheme specification includes the bilinear group, so one might
ask whether we have not just shifted the subversion risk from the CRS to the 
choice of the group. Since the group generation algorithm is deterministic and 
public, anyone can run the algorithm to re-obtain the group; moreover, different 
entities can implement it independently if they think that some standardized 
implementation was subverted, as a check. With the CRS, the situation is dif- 
ferent. There is no easy way to check that it was properly generated, at least 
without compromising security. Perhaps a vocabulary that speaks to this is that 
the group is reproducible , whereas the CRS is not. Someone is trusted to produce 
it and one cannot easily check that they did it honestly. 

Still, one must ask whether the algorithms used allow embedding of back- 
doors. Here we must look at the specific algorithms. Thus, while one could use 
a bilinear group in which the discrete-log problem is easy, leading to an insecure 
scheme, we know it is possible to publicly specify good algorithms. The specifica- 
tions, given for example in research papers, may be used by anyone to re-produce 
the results of the algorithms with some faith that there are no backdoors, in the 
case (as here) that these algorithms are deterministic. 

Game $\mathrm{KE}_{\mathrm{dGG},M,E}(\lambda)$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $h_0, h_1 \leftarrow\$ G$ ; $r \leftarrow\$ \{0,1\}^{M.\mathrm{rl}(\lambda)}$
  $(S_0, S_1, S_2) \leftarrow M(1^\lambda, h_0, h_1; r)$ ; $s \leftarrow E(1^\lambda, h_0, h_1, r)$
  Return $(e(S_0, S_1) = e(g, S_2)$ and $g^s \neq S_0$ and $g^s \neq S_1)$

Game $\mathrm{CDH}_{\mathrm{dGG},A}(\lambda)$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $s, t \leftarrow\$ \mathbb{Z}_p$ ; $C \leftarrow\$ A(1^\lambda, g^s, g^t)$
  Return $(C = g^{st})$

Game $\mathrm{DLin}_{\mathrm{dGG},A}(\lambda)$
  $b \leftarrow\$ \{0,1\}$ ; $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $u, v, s, t, z \leftarrow\$ \mathbb{Z}_p$
  $b' \leftarrow\$ A(1^\lambda, g^u, g^v, g^{us}, g^{vt}, g^{s+t+bz})$
  Return $(b = b')$

Fig. 5. Games defining the knowledge-of-exponent assumption, the CDH assumption
and the DLin assumption.


Speaking broadly, we cannot (and do not claim to) prevent all possible sub- 
version. This is not possible. Our goal is to put in defenses that make the most 
obvious paths harder, one of which is subversion of the CRS. 

Bilinear groups. Our construction is based on bilinear groups for which we
introduce a new type of knowledge-of-exponent assumption. A bilinear-group
generator GGen is a PT algorithm that takes input a security parameter $1^\lambda$ and
outputs a description of a bilinear group $(p, G, G_T, e, g)$, where $p$ is a prime of
length $\lambda$, $G$ and $G_T$ are groups of order $p$, $g$ generates $G$ and $e\colon G \times G \to G_T$ is
a bilinear map that is non-degenerate (i.e. $\langle e(g,g) \rangle = G_T$).
While in the cryptographic literature bilinear groups are often assumed to
be probabilistically generated, real-world pairing-based schemes are defined for 
groups that are fixed for every A. We reflect this by defining the group generator 
as a deterministic PT algorithm dGG. An advantage of doing so is that every 
entity in the scheme can compute the group from the security parameter and no 
party must be trusted with generating the group. 

KEA. The knowledge-of-exponent assumption (KEA) [8,25,45] in a group $G$
states that an algorithm M that is given two random generators $g, h$ of $G$ and
outputs $(g^c, h^c)$ must know $c$. This is formalized by requiring that there exists an
extractor for M which, when given M's coins, outputs $c$. Generalizations of KEA
were used in the bilinear-group setting in [39]. We introduce a new type of KEA
in bilinear groups, which we call DH-KEA, where we assume that if M outputs a
Diffie-Hellman (DH) tuple $(g^s, g^t, g^{st})$ then it must know either $s$ or $t$. This should
also be the case when M is given two additional random generators $h_0, h_1$. We
note that while an adversary may produce one group element without knowing
its discrete logarithm by hashing into the elliptic curve [19,20,55], it seems hard
to produce a DH tuple without knowing at least one of the logarithms.

Formally, let $\mathrm{Adv}^{\mathrm{ke}}_{\mathrm{dGG},M,E}(\lambda) = \Pr[\mathrm{KE}_{\mathrm{dGG},M,E}(\lambda)]$, where game KE is defined
in Fig. 5. The DH-KEA assumption holds for dGG if for every PT M there exists
a PT E s.t. $\mathrm{Adv}^{\mathrm{ke}}_{\mathrm{dGG},M,E}(\cdot)$ is negligible.

We note that due to deterministic group generation the assumption does not
hold for non-uniform machines M, as their advice for inputs $1^\lambda$ could simply
be a DH tuple $(S_0, S_1, S_2)$ w.r.t. the group output by $\mathrm{dGG}(1^\lambda)$. However, we
follow Goldreich [34] and only consider uniform machines. As a sanity check, we
show that DH-KEA holds in the generic-group model. To reflect hashing into
elliptic curves, we provide the adversary with an additional generic operation:
it can create new group elements without knowing their discrete log. In the full
version [6] we show the following.

Theorem 2. DH-KEA, as defined above, holds in the generic-group model with
hashing into the group.

CDH. The computational Diffie-Hellman assumption in a group $G$ states that
given $g^s$ and $g^t$ for random $s, t$, it should be hard to compute $g^{st}$. Formally, the
CDH assumption holds for dGG if $\mathrm{Adv}^{\mathrm{cdh}}_{\mathrm{dGG},A}(\cdot)$ is negligible for all PT adversaries
A, where $\mathrm{Adv}^{\mathrm{cdh}}_{\mathrm{dGG},A}(\lambda) = \Pr[\mathrm{CDH}_{\mathrm{dGG},A}(\lambda)]$ and game CDH is specified in Fig. 5.

DLin. The decision linear (DLin) assumption [18] in a group $G$ states that
given $(g^u, g^v, g^{us}, g^{vt})$ for random $u, v, s, t$, the element $g^{s+t}$ is indistinguish-
able from a random group element. Formally, the DLin assumption holds for
dGG if $\mathrm{Adv}^{\mathrm{dlin}}_{\mathrm{dGG},A}(\cdot)$ is negligible for all PT adversaries A, where $\mathrm{Adv}^{\mathrm{dlin}}_{\mathrm{dGG},A}(\lambda) =$
$2\Pr[\mathrm{DLin}_{\mathrm{dGG},A}(\lambda)] - 1$ and game DLin is defined in Fig. 5.

We will make use of the fact that DLin is self-reducible. This means that
given a tuple $(U, V, S, T, X)$ one can produce a new tuple $(U', V', S', T', X')$ so
that if the original tuple was linear then the new tuple is so too, but with fresh
$u, v, s$ and $t$; and if $X$ is random then $(U', V', S', T', X')$ are all independently
random as well. In particular, consider the following algorithm that takes input
a DLin challenge $(U, V, S, T, X) \in G^5$:

Algorithm $\mathrm{Rnd}(1^\lambda, (U, V, S, T, X))$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $z, a, b, c, d \leftarrow\$ \mathbb{Z}_p$
  $U' \leftarrow U^c$ ; $V' \leftarrow V^d$ ; $S' \leftarrow S^{cz} \cdot U^{ca}$ ; $T' \leftarrow T^{dz} \cdot V^{db}$ ; $X' \leftarrow X^z \cdot g^{a+b}$
  Return $(U', V', S', T', X')$

Let $s, t, \xi$ be such that $S = U^s$, $T = V^t$, $X = g^\xi$. Define $s' := sz + a$ and
$t' := tz + b$ and note that they are both uniformly random. We have $S' = (U')^{s'}$,
$T' = (V')^{t'}$ and
$$X' = g^{\xi z + a + b} = g^{(\xi - s - t)z + sz + tz + a + b} = g^{(\xi - s - t)z + s' + t'} .$$
Thus, if the original challenge was a linear tuple (i.e., $\xi = s + t$) then the new
tuple is also linear with new randomness $uc, vd, s', t'$, whereas otherwise (i.e.,
$\xi - s - t \neq 0$) $U', V', S', T'$ and $X'$ are independently random.

The scheme. Our S-ZK scheme is based on a bilinear-group generator dGG, for
which we define linear commitments to messages $M \in G$ as follows:

$\mathrm{Ln.C}(M; (u, t))$
  $C \leftarrow (g^{u_0}, g^{u_1}, g^{u_0 t_0}, g^{u_1 t_1}, g^{t_0 + t_1} \cdot M)$
  Return $C$

$\mathrm{Ln.D}(u, (C_2, C_3, C_4))$
  $M \leftarrow C_4 \cdot \big(C_2^{1/u_0} \cdot C_3^{1/u_1}\big)^{-1}$
  Return $M$

Commitments are hiding under DLin. Since $(C_2, C_3, C_4)$ is a linear encryption
under public key $(C_0, C_1)$, the logarithms of the latter let one recover the message
via Ln.D.
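The following Python program is an added worked example (not code from the paper) that covers both the DLin rerandomisation algorithm Rnd above and the linear commitment Ln.C / Ln.D just defined. It assumes, for illustration only, the order-$P$ subgroup of $\mathbb{Z}_Q^*$ for the safe prime $Q = 2P + 1 = 1907$ with generator $4$; these toy parameters give no security and have no pairing, so only the group-level arithmetic (not the pairing checks of the verifier) is shown. The brute-force discrete logarithm exists only so that a reader can inspect exponents of a rerandomised tuple; Rnd and Ln.D themselves never need it.

```python
"""Rnd (DLin self-reducibility) and linear commitments Ln.C / Ln.D in a toy group.

Assumed group: the order-P subgroup of Z_Q^* with Q = 2P + 1 a safe prime and
G = 4 (a quadratic residue, hence a generator of that subgroup).  Toy sizes
only; a real instantiation uses a pairing-friendly elliptic-curve group.
"""
import secrets

Q = 1907            # safe prime (assumption, toy size)
P = (Q - 1) // 2    # 953, prime order of the subgroup
G = 4               # generator of the order-P subgroup


def exp(a, k):
    return pow(a, k % P, Q)


def mul(*xs):
    r = 1
    for x in xs:
        r = r * x % Q
    return r


def rand_nonzero():
    # The paper samples from Z_p; 0 is excluded here only so the toy tuples
    # stay non-degenerate (at real sizes it occurs with negligible probability).
    return secrets.randbelow(P - 1) + 1


# --- Rnd: rerandomise a DLin challenge (U, V, S, T, X) ----------------------
def rnd(chal):
    U, V, S, T, X = chal
    z, a, b, c, d = (rand_nonzero() for _ in range(5))
    return (exp(U, c),                          # U' = U^c
            exp(V, d),                          # V' = V^d
            mul(exp(S, c * z), exp(U, c * a)),  # S' = S^{cz} U^{ca} = U'^{sz+a}
            mul(exp(T, d * z), exp(V, d * b)),  # T' = T^{dz} V^{db} = V'^{tz+b}
            mul(exp(X, z), exp(G, a + b)))      # X' = X^z g^{a+b}


# --- Linear commitment / encryption -----------------------------------------
def ln_commit(M, u, t):
    """Ln.C(M; (u, t)): key u = (u0, u1), randomness t = (t0, t1), M a group element."""
    (u0, u1), (t0, t1) = u, t
    return (exp(G, u0), exp(G, u1), exp(G, u0 * t0), exp(G, u1 * t1),
            mul(exp(G, t0 + t1), M))


def ln_decrypt(u, C):
    """Ln.D(u, (C2, C3, C4)): recover g^{t0} and g^{t1} via 1/u0, 1/u1 and strip them."""
    u0, u1 = u
    _, _, C2, C3, C4 = C
    g_t0 = exp(C2, pow(u0, -1, P))   # (g^{u0 t0})^{1/u0}
    g_t1 = exp(C3, pow(u1, -1, P))   # (g^{u1 t1})^{1/u1}
    return mul(C4, pow(mul(g_t0, g_t1), -1, Q))


# --- Checker (toy group only: brute-force discrete logs) ---------------------
def dlog(base, target):
    acc = 1
    for k in range(P):
        if acc == target:
            return k
        acc = mul(acc, base)
    raise ValueError("target not in the subgroup generated by base")


def is_linear(tup):
    """True iff X = g^{s+t} where S = U^s and T = V^t."""
    U, V, S, T, X = tup
    return X == exp(G, dlog(U, S) + dlog(V, T))


def linear_tuple(u, v, s, t, xi=None):
    """A DLin instance: linear when xi is None, otherwise X = g^xi is unrelated."""
    U, V = exp(G, u), exp(G, v)
    X = exp(G, s + t) if xi is None else exp(G, xi)
    return (U, V, exp(U, s), exp(V, t), X)
```

Two things worth checking by hand with this code: `rnd` maps linear tuples to linear tuples and non-linear ones to non-linear ones (the exponent of $X'$ picks up $(\xi - s - t)z$, which vanishes only when the input was linear), and `ln_commit(1, u, t)` is literally the DLin tuple $(g^{u_0}, g^{u_1}, g^{u_0 t_0}, g^{u_1 t_1}, g^{t_0+t_1})$, which is why a commitment hides $M$ exactly when DLin holds.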

We also use a statistically sound NI system with trivial CRS (also called
"non-interactive zap" by GOS [42]) $Z = (Z.\mathrm{P}, Z.\mathrm{V})$ for the following relation:

$R_Z((x, S_0, S_1, h, C_0, C_1), (w, (s, u_0, u_1, t_0, t_1)))$
  If $R(x, w) = \mathrm{true}$ then return true
  If $(g^s = S_0$ or $g^s = S_1)$ and $C_0 = \mathrm{Ln.C}(h^s; (u_0, t_0))$ and $C_1 = \mathrm{Ln.C}(h^s; (u_1, t_1))$
    then return true
  Return false                                                                (6)

The NI proof system $Z$ can for example be instantiated by the construction from
[42], which does not require a CRS, is perfectly sound and WI under the DLin
assumption. Our NIZK system $\Pi[R, \mathrm{dGG}]$ is given in Fig. 6.

Theorem 3. Let $R$ be an NP relation and let dGG be a bilinear-group generator.
Then $\Pi[R, \mathrm{dGG}]$, defined in Fig. 6, satisfies (1) soundness under DH-KEA and
CDH; and (2) subversion zero knowledge under DH-KEA and DLin.

Below we give some intuition. A proof can be found in the full version [6]. 
$\Pi.\mathrm{Pg}(1^\lambda)$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $t, s_0, s_1 \leftarrow\$ \mathbb{Z}_p$ ; $h \leftarrow g^t$
  $S_0 \leftarrow g^{s_0}$ ; $S_1 \leftarrow g^{s_1}$ ; $S_2 \leftarrow g^{s_0 s_1}$ ; $\mathrm{crs} \leftarrow (S_0, S_1, S_2, h)$ ; Return crs

$\Pi.\mathrm{V}(1^\lambda, (S_0, S_1, S_2, h), x, \pi)$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$ ; $(C_0, C_1, D_0, D_1, \zeta) \leftarrow \pi$
  If $e(S_0, S_1) \neq e(g, S_2)$ then return false
  For $i, j = 0, 1$ do
    If $e(C_{0,i}, C_{1,j}) \neq e(g, D_{i,j})$ then return false
  Return $Z.\mathrm{V}((x, S_0, S_1, h, C_0, C_1), \zeta)$

$\Pi.\mathrm{P}(1^\lambda, (S_0, S_1, S_2, h), x, w)$
  If $R(x, w) = \mathrm{false}$ then return $\bot$
  $(p, G, G_T, e, g) \leftarrow \mathrm{dGG}(1^\lambda)$
  If $e(S_0, S_1) \neq e(g, S_2)$ then return $\bot$
  $C_{0,0}, \ldots, C_{0,4}, C_{1,2}, C_{1,3}, C_{1,4} \leftarrow\$ G$ ; $u_0, u_1 \leftarrow\$ \mathbb{Z}_p$ ; $C_{1,0} \leftarrow g^{u_0}$ ; $C_{1,1} \leftarrow g^{u_1}$
  For $i, j = 0, 1$ do $D_{i,j} \leftarrow C_{0,i}^{\,u_j}$
  $\zeta \leftarrow\$ Z.\mathrm{P}((x, S_0, S_1, h, C_0, C_1), (w, \bot))$ ; $\pi \leftarrow (C_0, C_1, D_0, D_1, \zeta)$
  Return $\pi$

Fig. 6. NIZK scheme $\Pi[R, \mathrm{dGG}]$ satisfying SND and S-ZK


Soundness. Assume an adversary A outputs a proof $\pi = (C_0, C_1, D_0, D_1, \zeta)$ for
a false statement. Since there does not exist a witness $w$, by statistical soundness
of the proof $\zeta$, $R_Z$ must return true in the second line of Eq. (6), meaning $C_0$ and
$C_1$ are commitments to either $h^{\log S_0}$ or $h^{\log S_1}$; intuitively, the adversary has
thus broken the CDH assumption either for challenge $(S_0, h)$ or $(S_1, h)$.

To make this formal, we construct an algorithm B that on input $(g^s, h)$
outputs $h^s$ with probability close to half of A's probability of breaking sound-
ness. We first construct four machines $M_{i,j}$, $0 \le i, j \le 1$, that are given $(S, h)$,
set $S_b \leftarrow S$ for a random $b$, complete this to a CRS, on which they run A; when
A returns $\pi$, $M_{i,j}$ outputs $(C_{0,i}, C_{1,j}, D_{i,j})$. By DH-KEA there exist four
extractors $E_{i,j}$ which on input $(S, h)$ and $M_{i,j}$'s coins (which include A's coins)
return either $u_{0,i} = \log C_{0,i}$ or $u_{1,j} = \log C_{1,j}$.

Using $M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1}$, we define B: given a CDH challenge $(S, h)$, it
picks coins $r$ and uses $r$ to pick $b \leftarrow\$ \{0,1\}$, $s' \leftarrow\$ \mathbb{Z}_p$ and coins for A; it sets
$S_b \leftarrow S$, $S_{1-b} \leftarrow g^{s'}$ and $S_2 \leftarrow S^{s'}$ and runs A on input $(S_0, S_1, S_2, h)$ and
those coins to get $\pi$ containing $(C_0, C_1, D_0, D_1)$; it then runs all $E_{i,j}$ on input
$(S, h, r)$, each of which returns either $u_{0,i} = \log C_{0,i}$ or $u_{1,j} = \log C_{1,j}$. This
implies that for some $i$, B obtains both $u_{i,0}$ and $u_{i,1}$: if it does not obtain both
$u_{0,0}$ and $u_{0,1}$, then the two extractors that could have returned the missing one
must both have returned their second option, i.e. $u_{1,0}$ and $u_{1,1}$. Using this, B
recovers $T \leftarrow \mathrm{Ln.D}((u_{i,0}, u_{i,1}), (C_{i,2}, C_{i,3}, C_{i,4}))$, which it outputs. By soundness
of $\zeta$, we have either $T = h^{\log S_0}$ or $T = h^{\log S_1}$. Since A has no information on where
the challenge $S$ was embedded, $T = h^{\log S}$ with probability $1/2$, so B solves CDH
with probability half that of A breaking soundness.
$\Pi.\mathrm{Pg}(1^\lambda)$
  $\sigma \leftarrow\$ \{0,1\}^{2\lambda}$ ; $m_1 \leftarrow\$ Z.\mathrm{V}(1^\lambda)$ ; Return $\mathrm{crs} \leftarrow (\sigma, m_1)$

$\Pi.\mathrm{P}(1^\lambda, (\sigma, m_1), x, w)$
  $m_2 \leftarrow\$ Z.\mathrm{P}(1^\lambda, (\sigma, x), (\bot, w), m_1)$ ; $\pi \leftarrow m_2$ ; Return $\pi$

$\Pi.\mathrm{V}(1^\lambda, (\sigma, m_1), x, \pi)$
  Return $Z.\mathrm{D}(1^\lambda, (\sigma, x), m_1, \pi)$

Fig. 7. NIZK scheme $\Pi[G, Z]$ of Sect. 6.3 satisfying SND, ZK and S-WI


Subversion zero knowledge. By DH-KEA, for every X that outputs a CRS of
the form $(g^{s_0}, g^{s_1}, g^{s_0 s_1}, h)$ there exists an algorithm E that extracts either $s_0$
or $s_1$. To show S-ZK we first construct a simulator S. Its first part S.crs picks $r$,
runs $\mathrm{crs} \leftarrow \mathrm{X}(1^\lambda; r)$ and sets $s \leftarrow \mathrm{E}(1^\lambda, r)$ if crs is correctly formed and $s \leftarrow \bot$
otherwise, and outputs crs, $r$ and the trapdoor $\mathrm{std} \leftarrow s$. It is immediate that
$\mathrm{crs}_1$ output by X on coins $r_1$ is indistinguishable from $\mathrm{crs}_0, r_0$ output by S.crs.

We next construct a proof simulator S.pf for statements $x$ under $\mathrm{crs} =$
$(S_0, S_1, S_2, h)$ using trapdoor $s$. Like $\Pi.\mathrm{P}$ it returns $\bot$ if crs is malformed. Else, it
chooses $u_0, t_0, u_1, t_1$ and defines $C_0$ and $C_1$ as commitments to $h^s$ and computes
the corresponding elements $D_{i,j} \leftarrow g^{u_{0,i} u_{1,j}}$. Since either $g^s = S_0$ or $g^s = S_1$,
S.pf thus has a witness for the statement $(x, S_0, S_1, h, C_0, C_1) \in R_Z$, which it
uses to compute a proof $\zeta$. The simulated proof is $\pi \leftarrow (C_0, C_1, D_0, D_1, \zeta)$,
which we now argue is indistinguishable from a real proof output by $\Pi.\mathrm{P}$ under
DLin by a series of game hops.

We first note that when constructing $\zeta$, instead of witness $(s, u_0, u_1, t_0, t_1)$
we could use $(w, \bot)$; this is indistinguishable under WI, which for the GOS system
follows from DLin. In the next game hop, we replace $C_0$ by a random quintuple
and construct the $D_{i,j}$'s as in $\Pi.\mathrm{P}$; this is indistinguishable under DLin. In the
final game hop we replace $C_1$ by a random quintuple. This is also reduced to
DLin using the fact that we can compute the $D_{i,j}$'s using the logarithms of $C_0$.
The result is a proof $\pi$ that is distributed like one output by $\Pi.\mathrm{P}$.


6.2 Subversion SND and Subversion WI 

In this section we prove result P2: there exists an NI system that is simultane-
ously SND, WI, S-SND and S-WI. We call $\Pi$ an NI system with trivial CRS if
$\mathrm{crs} = \varepsilon$ and $\Pi.\mathrm{P}$ and $\Pi.\mathrm{V}$ ignore input crs. In Lemma 4 we observe that if such
a $\Pi$ is SND and WI then it is also S-SND and S-WI. (Intuitively, if the CRS
is ignored then there is no harm in subverting it.) In Theorem 5 we then note
that an NI system with trivial CRS exists [42] which is SND and WI under the
DLin assumption in bilinear groups (defined on p. 19). As in this instantiation
the group is chosen by the prover (rather than fixed as for P1), it needs to be
verifiable [42] (that is, one can efficiently check that it is a bilinear group).
Lemma 4. Let $R$ be an NP relation. Let $\Pi$ be an NI system with trivial CRS
for $R$. If $\Pi$ is SND and WI then it is also S-SND and S-WI.

Proof. Let A be an S-SND adversary. Define B against SND: on input $(1^\lambda, \varepsilon)$, run
$(\mathrm{crs}, x, \pi) \leftarrow\$ A(1^\lambda)$ and return $(x, \pi)$. Since $\Pi.\mathrm{V}(1^\lambda, \varepsilon, x, \pi) = \Pi.\mathrm{V}(1^\lambda, \mathrm{crs}, x, \pi)$,
we have $\Pr[\mathrm{SND}_{\Pi,R,B}(\lambda)] = \Pr[\text{S-SND}_{\Pi,R,A}(\lambda)]$. Thus, if $\Pi$ is SND, it is S-SND.

Let A be an S-WI adversary. Define B against WI: on input $(1^\lambda, \varepsilon)$, run
$(\mathrm{crs}, st) \leftarrow\$ A(1^\lambda)$; $b' \leftarrow\$ A^{\mathrm{Prove}}(1^\lambda, \mathrm{crs}, st)$ and return $b'$, forwarding A's
queries to B's own oracle (this simulates A's oracle since $\Pi.\mathrm{P}(1^\lambda, \varepsilon, x, w_b) =$
$\Pi.\mathrm{P}(1^\lambda, \mathrm{crs}, x, w_b)$). We have $\Pr[\mathrm{WI}_{\Pi,R,B}(\lambda)] = \Pr[\text{S-WI}_{\Pi,R,A}(\lambda)]$. Thus, if $\Pi$ is
WI, it is S-WI. □

Theorem 5. Let $R$ be an NP relation. If the decision-linear assumption holds
for a verifiable bilinear group then there exists an NI system $\Pi$ for $R$ that is
S-SND and S-WI.

Proof. Let $\Pi$ be the NI system presented in [42]. $\Pi$ is an NI system with trivial
CRS satisfying SND and WI under the DLin assumption. By Lemma 4 it follows
that $\Pi$ is also S-SND and S-WI. □


6.3 Soundness, ZK and Subversion WI 

We prove result P3 by presenting an NI system that is SND, ZK, and S-WI. 

Zaps. A zap [30] for a relation $R$ is a 2-move protocol (cf. Sect. 4.4), where
the first move is public-coin and is generated independently of the statement to
be proved. Zaps retain soundness and witness-indistinguishability even if the
statements are chosen adaptively after the first move $m_1$ is fixed. Consequently,
the same $m_1$ can be reused for many proofs. We denote zaps by

$m_1 \leftarrow\$ Z.\mathrm{V}(1^\lambda)$ ; $m_2 \leftarrow\$ Z.\mathrm{P}(1^\lambda, x, w, m_1)$ ; $b \leftarrow Z.\mathrm{D}(x, m_1, m_2)$ .

Dwork and Naor [30] show that zaps can be constructed from any NIZK in 
the shared random string model. Concretely, zaps can be based on any fam- 
ily of doubly-enhanced trapdoor permutations, when the underlying NIZK is 
instantiated with the system of FLS [32]. 

The scheme. The CRS of our scheme consists of a random bit string $\sigma$ of length
$2\lambda$ and the first move $m_1$ of a zap. A proof consists of the second move of the
zap for statement $(x, \sigma)$, proving that either $x \in L$ or $s$ is the pre-image of $\sigma$
under a PRG $G$. The formal description of $\Pi$ follows.

Let $G\colon \{0,1\}^\lambda \to \{0,1\}^{2\lambda}$ be a pseudorandom generator and let $Z$ be a zap
for the following relation $R_Z$:

$R_Z((\sigma, x), (s, w))$
  If $\sigma = G(s)$ then return true
  Return $R(x, w)$

Then NI system $\Pi[G, Z]$ is given in Fig. 7.
Theorem 6. Let $R$ be an NP relation. Let $G$ be a length-doubling function and
$Z$ be a zap for relation $R_Z$. If $G$ is pseudorandom and $Z$ is sound and witness-
indistinguishable then $\Pi[G, Z]$ is SND, ZK and S-WI.

Proof. Soundness of $\Pi$ follows from the soundness of the zap and the fact that
the probability that a randomly sampled string $\sigma$ is in the range of the PRG $G$
is negligible. ZK follows as in [32]: The ZK simulator picks $s \leftarrow\$ \{0,1\}^\lambda$, sets the
CRS to be $\sigma \leftarrow G(s)$ and $m_1 \leftarrow\$ Z.\mathrm{V}(1^\lambda)$. When the simulator is challenged to
prove a theorem $x$, it has a witness for $(\sigma, x) \in R_Z$ and can therefore compute
$\pi \leftarrow\$ Z.\mathrm{P}(1^\lambda, (\sigma, x), (s, \bot), m_1)$. Indistinguishability of the simulated CRS and
proofs follows from the pseudorandomness of $G$ and zap-WI (defined below).

To show S-WI, we prove that from an adversary A winning game $\text{S-WI}_{\Pi,R,\mathrm{X},A}$
we can construct an adversary B winning the WI game of the underlying zap
for relation $R_Z$. We denote this game by $\text{Z-WI}_{Z,R_Z,B}$ and define it in Fig. 8. Note
that it reflects the stronger notion of WI where the verifier can obtain several
proofs, for theorems of her choice, computed using the same first move $m_1$.


Game $\text{Z-WI}_{Z,R_Z,B}(\lambda)$
  $b \leftarrow\$ \{0,1\}$
  $(m_1, st) \leftarrow\$ B_1(1^\lambda)$
  $b' \leftarrow\$ B_2^{\mathrm{WIProve}}(1^\lambda, st)$
  Return $(b = b')$

$\mathrm{WIProve}(x, w_0, w_1)$
  If $R_Z(x, w_0) = \mathrm{false}$ then return $\bot$
  If $R_Z(x, w_1) = \mathrm{false}$ then return $\bot$
  $m_2 \leftarrow Z.\mathrm{P}(1^\lambda, x, w_b, m_1)$
  Return $m_2$

Adversary $B_1(1^\lambda)$
  $((\sigma, m_1), st) \leftarrow\$ A(1^\lambda)$
  Return $(m_1, (\sigma, st))$

Adversary $B_2^{\mathrm{WIProve}}(1^\lambda, (\sigma, st))$
  $b' \leftarrow\$ A^{\mathrm{Prove}}(1^\lambda, (\sigma, m_1), st)$
  Return $b'$

$B_2$'s simulation of $\mathrm{Prove}(x, w_0, w_1)$
  $m_2 \leftarrow \mathrm{WIProve}((\sigma, x), (\bot, w_0), (\bot, w_1))$
  $\pi \leftarrow m_2$ ; Return $\pi$


Fig. 8. Game defining WI for zaps (top) and adversary B in the proof of S-WI of $\Pi$ (bottom)


In its first stage B runs A to obtain a CRS consisting of $\sigma$ and the first
message $m_1$ and returns $m_1$. B then simulates oracle $\mathrm{Prove}(x, w_0, w_1)$ for A by
accessing its own oracle WIProve. Figure 8 specifies adversary B. Plugging its
description into game $\text{Z-WI}_{Z,R_Z,B}$, we obtain


Game $\text{Z-WI}_{Z,R_Z,B}(\lambda)$
  $b \leftarrow\$ \{0,1\}$
  $((\sigma, m_1), st) \leftarrow\$ A(1^\lambda)$
  $b' \leftarrow\$ A^{\mathrm{Prove}}(1^\lambda, (\sigma, m_1), st)$
  Return $(b = b')$

$\mathrm{Prove}(x, w_0, w_1)$
  If $R_Z((\sigma, x), (\bot, w_0)) = \mathrm{false}$ then return $\bot$
  If $R_Z((\sigma, x), (\bot, w_1)) = \mathrm{false}$ then return $\bot$
  $m_2 \leftarrow Z.\mathrm{P}(1^\lambda, (\sigma, x), (\bot, w_b), m_1)$
  Return $m_2$

As this is precisely the description of game $\text{S-WI}_{\Pi,R,A}$, we have

$$\Pr[\text{Z-WI}_{Z,R_Z,B}(\lambda)] = \Pr[\text{S-WI}_{\Pi,R,A}(\lambda)] . \qquad (7)$$

Since $Z$ is zap-WI, $2\Pr[\text{Z-WI}_{Z,R_Z,B}(\cdot)] - 1$ is negligible and thus by Eq. (7)
$\mathrm{Adv}^{\text{s-wi}}_{\Pi,R,A}(\cdot)$ is negligible, which proves the theorem. □
Abstract. In universal composability frameworks, adversaries (or envi-
ronments) and protocols/ideal functionalities often have to exchange 
meta-information on the network interface, such as algorithms, keys, sig- 
natures, ciphertexts, signaling information, and corruption-related mes- 
sages. For these purely modeling-related messages, which do not reflect 
actual network communication, it would often be very reasonable and 
natural for adversaries/environments to provide the requested informa- 
tion immediately or give control back to the protocol/functionality imme- 
diately after having received some information. However, in none of the 
existing models for universal composability is this guaranteed. We call 
this the non-responsiveness problem. As we will discuss in the paper, 
while formally non-responsiveness does not invalidate any of the universal 
composability models, it has many disadvantages, such as unnecessarily 
complex specifications and less expressivity. Also, this problem has often 
been ignored in the literature, leading to ill-defined and flawed specifica- 
tions. Protocol designers really should not have to care about this prob- 
lem at all, but currently they have to: giving the adversary/environment
the option to not respond immediately to modeling-related requests does 
not translate to any real attack scenario. 

This paper solves the non-responsiveness problem and its negative 
consequences completely, by avoiding this artificial modeling problem 
altogether. We propose the new concepts of responsive environments 
and adversaries. Such environments and adversaries must provide a 
valid response to modeling-related requests before any other proto- 
col/functionality is activated. Hence, protocol designers no longer
have to worry about artifacts resulting from such requests not being 
answered promptly. Our concepts apply to all existing models for univer- 
sal composability, as exemplified for the UC, GNUC, and IITM models, 
with full definitions and proofs (simulation relations, transitivity, equiva-
lence of various simulation notions, and composition theorems) provided 
for the IITM model. 


Keywords: Universal composability • Protocol design • Cryptographic 
security proofs • Responsive environments 


1 Introduction 

One of the most demanding tasks when designing a cryptographic protocol is 
to define its intended security guarantees, and to then prove that it indeed 
satisfies them. In the best case, these proofs should guarantee the security of the 
protocol in arbitrary contexts, i.e., also when composed with other, potentially 
insecure, protocols. This would allow one to split complex protocols into smaller 
components, which can then be separately analyzed one by one and once and 
for all, thus allowing a modular security analysis. Over the past two decades, 
many models to achieve this goal have been proposed [3,8-10,19,22,24,27-29], 
with Canetti’s UC model being one of the first and most prominent ones. 

All these models have in common that the designer first needs to specify an 
ideal functionality $\mathcal{F}$ defining the intended security and functional properties of
the protocol. Informally, a real protocol realizes $\mathcal{F}$ if no efficient distinguisher (the
environment ) can decide whether it is interacting with the ideal functionality 
and a simulator , or with the real world protocol and an adversary. 

Urgent requests/messages. In the specifications of such real protocols and
ideal functionalities, it is often required for the adversary (and the environ- 
ment) to provide some meta-information via the network interface to the pro- 
tocol or the functionality, such as cryptographic algorithms, cryptographic 
values of signatures, ciphertexts, and keys, or corruption-related messages. Con- 
versely, protocols/functionalities often have to provide the adversary with meta- 
information, for example, signaling information (e.g., the existence of machines) 
or again corruption-related messages. Such meta-information does not corre- 
spond to any real network messages, but is merely used for modeling pur- 
poses. Typically, giving the adversary/environment the option to not respond
immediately to such modeling-specific messages does not translate to any real 
attack scenario. Hence, often it is natural for protocol designers to expect that 
the adversary/environment (answers and) returns control back to the proto-
col/functionality immediately when the adversary is requested to provide meta- 
information or when the adversary receives meta-information from the proto- 
col/functionality. In the following, we call such messages from protocols/ideal 
functionalities on the network interface urgent messages or urgent requests. 

Urgent requests occur in many functionalities and protocols from the lit- 
erature, see, e.g., [1,4,5,8,11-13,15,16,21,25,26,31]. This is not surprising as 
the exchange of meta-information between the adversary/environment and the
protocols/functionalities is an important mechanism for protocol designs in any 
UC-like model. For example, one can specify the behaviour of cryptographic val-
ues or algorithms by an ideal functionality in a natural manner without having 
to worry about how these values are generated or the parameters for the algo- 
rithms are set up, e.g., using a CRS. Also, protocols should be able to provide 
the adversary with meta-information in situations where it is not intended to 
give control to the adversary, such as certain information leaks (e.g., honest- 
but-curious corruption) or signaling messages. In general, it seems impossible to 
dispense with urgent requests altogether, and certainly, such requests are very 
convenient and widely used in the literature (see also Sect. 3). 

The non-responsiveness problem. In the existing universal composability 
models, it currently is not guaranteed that urgent requests are answered imme- 
diately by the adversary: when receiving an urgent request on the network 
interface, adversaries and environments can freely activate protocols and ideal 
functionalities in between, on network and I/O interfaces, without answering 
the request. In what follows, we refer to this problem as the problem of non- 
responsive adversaries/environments or the non-responsiveness problem.

This problem formally does not invalidate any of the UC-style models. It, 
however, often makes the specification of protocols and functionalities much 
harder and the models less expressive (see below). Most disturbingly, as men- 
tioned, the non-responsiveness problem is really an artificial problem: urgent 
requests do not correspond to any real messages, and the adversary not respond- 
ing promptly to such requests does not reflect any real attack scenario. Hence, 
non-responsiveness forces protocol designers to take care of artificial adversarial 
behavior that was unintended in the first place and is merely a modeling artifact. 

In particular, protocol designers currently have to deal with various delicate 
problems: (i) While waiting for a response to an urgent request, a protocol/ideal 
functionality might receive other requests, and hence, protocol designers have 
to take care of interleaving and dangling requests, (ii) While a protocol/ideal 
functionality is waiting for an answer from the adversary to an urgent request, 
other parties and parts of the protocol/ideal functionality can be activated in the 
meantime (via the network or the I/O interface), which might change their state, 
even their corruption status, and which in turn might lead to race conditions 
(see Sect. 3 for examples from the literature). 

This, as further discussed in the paper, makes it difficult to deal with the 
non-responsiveness problem and results in unnecessarily complex and artificial 
specifications of protocols and ideal functionalities, which, in addition, are then 
hard to re-use. In some cases, one might not even be able to express certain 
desired properties. As explained in Sect. 3, there is no generic and generally 
applicable way to deal with the non-responsiveness problem, and hence, one has 
to resort to solutions specifically tailored to the protocols at hand. 

Importantly, the non-responsiveness problem propagates to higher-level pro- 
tocols as they might not get responses from their subprotocols as expected. The 
security proofs also become more complex because one, again, has to deal with 
runs having various dangling and interleaving requests as well as unexpected 
and unintuitive state changes, which do not translate into anything in the real
world, but are just an artifact of the modeling. 

Clearly, in the context of actual network messages, one has to deal with 
many of the above problems in the specifications of protocols and ideal func- 
tionalities too. But, in contrast to the non-responsiveness problem, dealing with 
the asynchronous nature of networks has a real counterpart, and these two types 
of interactions with the adversary should not be confused. 

In the literature, urgent requests and the non-responsiveness problem occur 
in many protocols and functionalities. Nevertheless, protocol designers frequently 
ignore this problem (see, e.g., [1,4,5,13,14,18,21,25,26,30,31]), i.e., they seem 
to implicitly assume that urgent requests are answered immediately, probably,
at least as far as ideal functionalities are concerned, because their simulators 
promptly respond to these kinds of requests. As a result, protocols and ideal 
functionalities are underspecified and/or exhibit unexpected behavior, and thus,
are not usable in other (hybrid) protocols, or security proofs of hybrid protocols 
are flawed (see Sect. 3). 

Our contribution. In this paper, we propose a universal composability frame- 
work with the new concept of responsive environments and adversaries , which 
should be applicable to all existing UC-style models (see below). This frame- 
work completely avoids and, by this, solves the non-responsiveness problem as 
it guarantees that urgent requests are answered immediately. This really is the 
most obvious and most natural solution to the problem: there is no reason that 
protocol designers should have to take care of the non-responsiveness problem 
and its many negative consequences. 

More specifically, the main idea behind our framework is as follows. When a 
protocol/ideal functionality sends what we call a restricting message to the adver- 
sary/environment on the network interface, then the adversary/environment is
forced to be responsive, i.e., to reply with a valid response before sending any other 
message to the protocol. This requires careful definitions and non-trivial proofs to 
ensure that all properties and features that are expected in models for universal 
composition are lifted to the setting with responsive environments and adversaries. 

By using our framework and concepts, protocols and ideal functionalities can 
be modeled in a very natural way: protocol designers can simply declare urgent 
requests to be restricting messages, which hence have to be answered immedi- 
ately. This elegantly and completely solves the non-responsiveness problem. In 
particular, protocol designers no longer have to worry about this problem, and 
specifications of protocols and ideal functionalities are greatly simplified, as one 
can dispense with artificial solutions. In fact, as illustrated in Sect. 6, with our 
concepts we can easily fix existing specifications from the literature in which 
the non-responsiveness problem has not been dealt with properly or has simply 
been ignored as protocol designers often implicitly assumed responsiveness for 
urgent messages. In some cases, we can now even express certain functionalities 
in a natural and elegant way that could not be expressed before (see Sects. 3.2.2 
and 6). Of course, with simplified and more natural functionalities and protocols, 
also security proofs become easier because the protocol designer does not have
to consider irrelevant and unrealistic adversarial behavior and execution orders. 

We emphasize that protocol designers must exercise discretion when using 
restricting messages: such messages should be employed for meta-information 
used for modeling purposes only, and not for real network traffic, where imme- 
diate answers cannot be guaranteed in reality. 

We illustrate that our framework and concepts apply to existing models for 
universal composability. This is exemplified for three prominent models: UC [8], 
GNUC [19], and IITM [22,24]. In the full version of this paper [6], we provide 
full proofs for the IITM model. In particular, we define all common notions 
of simulatability, including UC, dummy UC, strong simulatability, and blackbox 
simulatability with respect to responsive environments and adversaries, and show
that all of these notions are equivalent. This result can be seen as a sanity check 
of our concepts, as it has been a challenge in previous models (see, e.g., the 
discussions in [20,24]). We also prove in detail that all composition theorems 
from the original IITM model carry over to the IITM model with our concepts. 

Related work. The concept of responsive adversary and environments is new 
and has not been considered before. 

In [2], composition for restricted classes of environments is studied, motivated 
by impossibility results in UC frameworks and to weaken the requirements on 
realizations of ideal functionalities. In this setting, environments are restricted 
in that they may send only certain sequences of messages to the I/O interfaces 
of protocols and functionalities. These restrictions cannot express that urgent 
requests are answered immediately and also do not restrict adversaries in any 
way. Hence, this approach cannot be used to solve the non-responsiveness prob- 
lem, which anyway was not the intention of the work in [2]. 

In the first version of his seminal work [8], Canetti introduced immediate 
functionalities. According to the definition (cf. page 35 of the 2001 version), an 
immediate functionality uses an immediate adversary to guarantee that mes- 
sages are delivered immediately between the functionality and its dummy. To 
be more precise, an immediate functionality may force an immediate adversary 
to deliver a message to a specific dummy party within a single activation. This 
construct was necessary as in the initial version of Canetti’s model, the ideal 
functionality could not directly pass an output to its dummy but had to rely 
on the adversary instead. In current versions of UC, the problem addressed by 
immediate adversaries has vanished completely because ideal functionalities can 
directly communicate with their dummies. Clearly, immediate adversaries do not 
address, let alone solve, the non-responsiveness problem, which is about imme- 
diate answers to certain requests sent to the adversary on the network interface, rather 
than delivery between a functionality and its dummies. 

Outline. In Sect. 2, we briefly recall basic terminology and notation. We observe 
in Sect. 3 that the non-responsiveness problem affects many protocols from the 
literature, with many papers ignoring the problem altogether, resulting in under- 
specified and ill-specified protocols and functionalities, that are thus hard to 
re-use. Furthermore, that section shows that properly taking this problem into 
consideration is quite difficult and does not have a simple and generally 
applicable solution. Our universal composability framework with responsive 
environments and adversaries is then presented in Sect. 4. This section is kept quite 
model independent to highlight the main new concepts and the fact that these 
concepts are not restricted to specific models. Section 5 then illustrates how our 
concepts can be implemented in the UC, GNUC, and IITM models. Section 6 
shows how the problems with non-responsive environments and adversaries 
discussed in Sect. 3 can be avoided elegantly with our restricting messages and 
responsive environments/adversaries. We conclude in Sect. 7. Further details can 
be found in the full version of this paper [6]. In particular, as mentioned before, 
we provide full details for the IITM model with responsive environments and 
adversaries in the full version. 

2 Preliminaries 

In this section, we briefly recap the basic concepts of universal composability and 
fix some notation and terminology. The description is independent of the model 
being used and can easily be mapped to any concrete model, such as UC, GNUC, 
or IITM. For now, we ignore runtime issues as they are handled differently in 
the models and only implicitly assume that all systems run in polynomial time 
in the security parameter and the length of the external input (if any). Runtime 
issues are discussed in detail in Sect. 5. 

Universal composability models use machines to model programs. Each 
machine may have I/O and network tapes/interfaces. These machines are then 
used as blueprints to create instances which execute the machine code while 
having their own local state. Machines can be combined into a system S. In a run 
of S, multiple instances of machines may be generated and different instances 
can communicate by sending messages via I/O or network interfaces. Given two 
systems R and Q, we define the system {R, Q} which contains all machines from 
R and Q. 

There are three different kinds of entities, which can themselves be considered 
as systems and which can be combined to one system: protocols, adversaries, and 
environments. One distinguishes real and ideal protocols, where ideal protocols 
are often called ideal functionalities. An ideal protocol can be thought of as the 
specification of a task, whereas a real protocol models an actual protocol that is 
supposed to realize the ideal protocol (cf. Definition 2.1). These protocols have 
an I/O interface to communicate with the environment and a network interface 
to communicate with the adversary. An adversary controls the network commu- 
nication of protocols and can also interact with the environment. Environments 
connect to the I/O interface of protocols and may communicate with the adver- 
sary, cf. Fig. 1 for an illustration of how environments, adversaries, and protocols 
are connected. 

Environments try to distinguish whether they run with a real protocol and 
an adversary or an ideal protocol and an adversary (then often called a simulator 
or ideal adversary) . An environment may get some external input to start a run. 
It is expected to end the run by outputting a single bit. 
Fig. 1. A real protocol P realizing an ideal functionality F. A_d denotes the dummy 
adversary which just forwards messages to and from the environment E. 


Given an environment E, an adversary A, and a protocol P, we denote 
both the combined system and the output distribution of the environment by 
{E, A, P}. We use the binary operator ≡ to denote two output distributions that 
are negligibly close in the security parameter η (and the external input, if any). 

Now, in models for universal composability, the realization of an ideal pro- 
tocol by a real protocol is defined as follows. 

Definition 2.1 (Realization Relation). Let P and F be protocols, the real 
and ideal protocol, respectively. Then, P realizes F (P ≤ F) if for every adver- 
sary A, there exists an ideal adversary S such that {E, A, P} ≡ {E, S, F} for 
every environment E. 

We note that, in the definition above and in all reasonable models, instead of 
quantifying over all adversaries, it suffices to consider only the dummy adversary 
A_d which forwards all network messages between P and E. Intuitively, this is 
true because A can be subsumed by E. Hence, we have that P ≤ F iff there exists 
an ideal adversary S such that {E, A_d, P} ≡ {E, S, F} for every environment E. 

The main result in any universal composability model is a composition the- 
orem. Informally, once a protocol P has been proven to realize an ideal protocol 
F, one can securely replace (all instances of) F by P in arbitrary higher-level 
systems without affecting the security of the higher-level system. 

3 The Non-responsiveness Problem and Its 
Consequences: Examples from the Literature 

We have already introduced and discussed the non-responsiveness problem and 
sketched its consequences in Sect. 1. In this section, we illustrate this problem 
and its consequences by examples from the literature. We also point to concrete 
cases in which this problem has been ignored (i.e., immediate answers to urgent 
requests were assumed implicitly) and where this has led to ill-defined protocols 
and functionalities as well as invalid proofs and statements. 

3.1 Underspecified and Ill-Defined Protocols and Functionalities 

In many papers, the non-responsiveness problem is ignored in the specifications 
of both ideal functionalities and (higher-level) protocols (see, e.g., [1,4,5,13,14, 
18,21,25,26,30,31]). We discuss a number of typical cases in the following. 
Ideal Functionalities. An example of a statement that one often finds in 
specifications of ideal functionalities is one like the following (see, e.g., [1,4,13,18,21, 
25,26]): 

“send <some message> to the adversary; 
upon receiving <some answer> from the adversary do <something>”   (1) 

where the message sent to the adversary, in our terminology, is an urgent request, 
i.e., as explained in Sect. 1, some meta-information provided to the adversary 
or a request for some meta-information the adversary is supposed to provide. 
For example, ideal functionalities might ask for cryptographic material (crypto- 
graphic algorithms and keys, ciphertexts, or signatures), ask whether the adver- 
sary wants to corrupt a party, or simply signal their existence. 

In specifications containing formulations as in (1) it is not specified what 
happens if the adversary does not respond immediately, but, for example, 
other requests on the I/O interface are received; intermediate state changes in 
other parts might also occur, which might require different actions. There does 
not seem to exist a generic solution to handle such problems (see Sects. 3.2.1 
and 3.2.3). It rather seems to be necessary to find solutions tailored to the spe- 
cific protocol and ideal functionality at hand, making it even more important to 
precisely specify the behavior in case the adversary does not respond immedi- 
ately to urgent requests. 

Many research papers on universal composability focus on proposing new 
functionalities and realizations thereof, including proofs that a realization actu- 
ally realizes a functionality; to a lesser extent the functionalities are then used in 
higher-level protocols. In realization proofs, one might not notice that formula- 
tions as that in (1) are problematic because for such proofs an ideal functionality 
F runs alongside a (friendly) simulator and this simulator might provide answers 
to urgent requests immediately (see also Fig. 1). However, if used in a hybrid 
protocol (see Fig. 2), an ideal functionality F runs alongside a (hostile) 
adversary/environment. In this case, it is important that specifications capture the 
case that urgent requests are not answered immediately. If this is ignored or not 
handled correctly, it yields (i) underspecified protocols, with the problem that 
they cannot be re-used in hybrid protocols, which in turn defeats the purpose of 
universal composability frameworks, and (ii) possibly false statements. 

To illustrate these points by a concrete example, we consider the “signature 
of knowledge” functionality F_SOK(L) proposed by Chase and Lysyanskaya [14]. 
This functionality contains a Setup instruction (reproduced in Fig. 3), where 
the adversary provides the keys and algorithms, and signing and verification 
instructions that then use those keys and algorithms without requiring inter- 
action with the adversary - a very common mechanism in the literature (see, 
e.g., [1,5,12,15,16,30]). This functionality is explicitly intended to be used in a 
hybrid setting to realize delegatable credentials. 

If the adversary does not respond to the first (Setup, sid ) request, all subse- 
quent requests (e.g., a Setup request by a different party) will cause the func- 
tionality to use or output the undefined Sign and Verify algorithms, which is a 
Fig. 2. An F-hybrid protocol P' realizing some ideal functionality F'. 


Upon receiving a value (Setup, sid) from any party P, verify that sid = (M_L, sid') 
for some sid'. If not, then ignore the request. Else, if this is the first time 
that (Setup, sid) was received, hand (Setup, sid) to the adversary; upon receiv- 
ing (Algorithms, sid, Verify, Sign, Simsign, Extract) from the adversary, where Sign, 
Simsign, Extract are descriptions of PPT TMs, and Verify is a description of a determinis- 
tic polytime TM, store these algorithms. Output the stored (Algorithms, sid, Sign, Verify) to 
P. 


Fig. 3. The Setup instruction of F_SOK(L) from [14]. 


problem: Chase and Lysyanskaya provide a protocol in the F_SOK(L)-hybrid model 
that can be used for realizing delegatable credentials, i.e., an ideal functionality 
for signatures on a signature. They then prove that this protocol realizes the 
functionality. They, however, missed the fact that F_SOK(L) may interact with 
a non-responsive adversary in the hybrid world. Such an adversary can force 
F_SOK(L) to use undefined algorithms, and their simulator does not handle that 
situation in the ideal world. It is thus easy to distinguish the real from the ideal 
world. Hence, their proof is flawed, and in fact it seems that the statement cannot 
be proven. 

(Higher-Level) Protocols. As already mentioned in the introduction, real pro- 
tocols often also send urgent requests to the adversary (e.g., signaling their 
existence or asking whether the adversary wants to corrupt). In addition, one 
often finds protocol specifications containing formulations of the following form 
to make requests to subprotocols (see, e.g., [5,14,30,31]): 

“send <some message> to F; 
upon receiving <some answer> from F do <something>.”   (2) 


Intuitively, F might indeed model some non-interactive functionality, such as 
signature functionalities. However, because of the use of urgent requests in such 
functionalities, even when completely uncorrupted, F might not return answers 
right away. So, again, formulations as the one in (2) are greatly underspecified. 
What happens if other requests are received at the network or I/O interface? 
Should they be ignored? Or may they be queued somehow? Also, the state and 
status (such as corruption) of other parts of the protocol or subprotocols might 
change while waiting for answers from F. Again, as illustrated in the following 
subsections, dealing with this is not easy and often requires solutions tailored 
to the specific protocol and functionality at hand, making a full specification of 
the behavior particularly important. 

3.2 Problems Resulting from Non-responsiveness 

We now discuss challenges resulting from the non-responsiveness problem (when 
actually taken into account, rather than ignored) and illustrate them by examples 
from the literature. 

3.2.1 Unintended State Changes and Race Conditions 

As mentioned before, a general problem one has to take care of when dealing with 
the non-responsiveness problem is that while a protocol is waiting for answers 
to urgent requests, the adversary might cause changes in the state of other parts 
of the protocol/functionality and of subprotocols, which in turn influences the 
behavior of the protocol. Keeping track of the actual current overall state might 
be tricky, and race conditions are possible. 

The following is a simple example which illustrates that the problem can 
occur already locally within a single functionality. It can often become even 
trickier in higher-level protocols which use urgent requests themselves and where 
possibly several subroutines use urgent requests. 

We consider the dual-authentication certification functionality F_D-Cert [31]. 
In this functionality, the adversary needs to be contacted when verifying a sig- 
nature (a common mechanism to verify cryptographic values that is also used 
in many other functionalities [7,13,21]). Such requests are urgent as this is sup- 
posed to model local computations. However, the adversary may not answer 
immediately. 

More specifically, Fig. 4 shows the Verify instruction of F_D-Cert. Assume now 
that S' has received a message m and a signature σ for this message, which 
supposedly was created by an honest party P with SID sid. Now, if the sig- 
nature actually was not created by P, the verification should fail as P is not 


Upon receiving a value (Verify, sid, m, σ) from some party S', hand (Verify, sid, m, σ) to 
the adversary. Upon receiving (Verified, sid, m, φ) from the adversary, do: 

1. If (m, σ, 1) is recorded then set f = 1. 
2. Else, if the signer is not corrupted, and no entry (m, σ', 1) for any σ' is recorded, then set 
f = 0 and record the entry (m, σ, 0). 
3. Else, if there is an entry (m, σ, f') recorded, then set f = f'. 
4. Else, set f = φ, and record the entry (m, σ, φ). 

Output (Verified, sid, m, f) to S'. 


Fig. 4. The Verify instruction of F_D-Cert from [31]. 
corrupted. However, as the adversary gets activated during this allegedly local 
task, it could corrupt the signer during the verification process, return φ = 1, and 
therefore let the functionality accept σ. This behavior is certainly unexpected 
and counterintuitive. 

Such a functionality also considerably complicates the security analysis of 
any higher-level application that uses F_D-Cert as a subroutine, as one has to 
also consider the possibility of a party getting corrupted during the invocation 
of a subroutine modeling a local task, which, even worse, in that case returns 
unexpected answers. 
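The race described above, as an added example that is not part of the paper: a Python model of the Verify instruction of Fig. 4 in which the adversary, activated by the (Verify, sid, m, σ) message, corrupts the signer before answering (Verified, sid, m, φ). Class and function names are assumptions, and the messages and signatures are constructed sample values. With an adversary that answers at once and touches no state, the forged signature is rejected in step 2; with the corrupting adversary the same request falls through to step 4 and is accepted.

```python
"""Toy model of the Verify instruction of F_D-Cert (Fig. 4) under a
non-responsive adversary. Example code added for this edit, not from [31] or
the paper; machine names and message shapes are assumptions."""


class FDCert:
    """Ideal certification functionality for one signer, Verify only.

    records holds (m, sigma, f) entries exactly as in Fig. 4.
    """

    def __init__(self, sid):
        self.sid = sid
        self.records = set()
        self.signer_corrupted = False

    def record_signature(self, m, sigma):
        """Models a completed Sign: (m, sigma, 1) is stored."""
        self.records.add((m, sigma, 1))

    def corrupt_signer(self):
        self.signer_corrupted = True

    def verify(self, m, sigma, adversary):
        # Hand (Verify, sid, m, sigma) to the adversary. The adversary is
        # activated here and may do anything before it answers, including
        # corrupting the signer: the race of Sect. 3.2.1.
        phi = adversary(self, ("Verify", self.sid, m, sigma))
        # Steps 1-4 of Fig. 4, in order.
        if (m, sigma, 1) in self.records:
            f = 1                                                 # step 1
        elif not self.signer_corrupted and not any(
            r[0] == m and r[2] == 1 for r in self.records
        ):
            f = 0                                                 # step 2
            self.records.add((m, sigma, 0))
        else:
            prior = [r for r in self.records if r[0] == m and r[1] == sigma]
            if prior:
                f = prior[0][2]                                   # step 3
            else:
                f = phi                                           # step 4
                self.records.add((m, sigma, phi))
        return ("Verified", self.sid, m, f)


def responsive_adversary(func, request):
    """Answers immediately and changes no state (what designers assume)."""
    return 1


def corrupting_adversary(func, request):
    """Uses its activation to corrupt the signer, then claims validity."""
    func.corrupt_signer()
    return 1


def forged_verification_result(adversary):
    """Verifies a signature the honest signer never produced; returns f."""
    func = FDCert(sid="sid-1")
    func.record_signature(b"paid 10", b"sig-genuine")   # constructed sample
    return func.verify(b"paid 1000", b"sig-forged", adversary)[3]
```

The only difference between the two runs is what happens inside the adversary's activation; the functionality's code is identical, which is why a higher-level analysis has to account for corruption occurring inside an allegedly local call.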

3.2.2 Problems Expressing the Desired Properties 

The following is an example where the authors struggled with the non- 
responsiveness problem in that it finally led to a functionality that, as the authors 
acknowledge, is not completely satisfying. This functionality, denoted F_NIKE, is 
supposed to model a non-interactive key exchange and was proposed by Freire 
et al. [17]. Figure 5 shows a central part of this functionality, namely, the actual 
key exchange. A party Pi may ask for the key that is shared between the parties 
Pi and Pj. If this session of Pi and Pj is considered corrupted, namely, because 
one of the parties is corrupted, and no key has been recorded for this session yet, 
the adversary is allowed to freely choose the key that is shared between the two 
parties. The functionality uses an urgent request to model this, i.e., it directly 
sends a message to the adversary if she is allowed to choose a key. 


Upon input (init, P_i, P_j) from P_i, if P_j ∉ Λ_reg, return (P_i, P_j, ⊥) to P_i. If P_j ∈ Λ_reg, we 
consider two cases: 

- Corrupted session mode: if there exists an entry ({P_i, P_j}, K_{i,j}) in Λ_keys, set key = K_{i,j}. Else, 
send (init, P_i, P_j) to the adversary. After receiving ({P_i, P_j}, K_{i,j}) from the adversary, 
set key = K_{i,j} and add ({P_i, P_j}, K_{i,j}) to Λ_keys. 

- Honest session mode: if there exists an entry ({P_i, P_j}, K_{i,j}) in Λ_keys, set key = K_{i,j}, else 
choose key ← {0,1}^k and add ({P_i, P_j}, K_{i,j}) to Λ_keys. 

Return (P_i, P_j, key) to P_i. 


Fig. 5. The init instruction of F_NIKE from [17]. 


As the authors state, they would have liked to also model “immediateness” of 
the functionality, i.e., a higher- level protocol that requests a key should be able to 
expect an answer without the adversary being able to interfere with the protocol 
in the meantime. This indeed would be expected and natural because F_NIKE 
models a non-interactive key exchange. However, this is in conflict with allowing 
the adversary to choose the key of a corrupted session. The authors suggest that 
one option to also model immediateness might be to let the adversary choose an 
algorithm upon setup, which is then used to compute the keys for corrupt parties. 
Nevertheless, they chose the non-immediate modeling because the other solution 
would lead to “technical complications”; it would also limit the adaptiveness of 
the adversary and might add other problems. Indeed, code upload constructs 
(see also Sect. 3.2.3), in general, do not solve the non-responsiveness problem. 

As a consequence of the formulation chosen in F_NIKE, the adversary can 
now, e.g., block requests, which again also needs to be considered in any higher- 
level protocol using F_NIKE as a subroutine, even though in the real world the 
honest party would always obtain some key because of the non-interactivity of 
the primitive. 

More generally, ideal functionalities that use urgent messages (which in cur- 
rent models are not answered immediately) might have weaker security guaran- 
tees than their realizations, in particular when the functionality is supposed to 
model a non- interactive task, because the realization might not give control to 
the adversary. So for hybrid protocols one might not be able to prove certain 
properties when using an ideal functionality, whereas the same protocol using 
the realization of the ideal functionality instead might enjoy such properties. 

This is in contrast to one of the goals of universal composability models, 
namely, reducing the complexity of security analyses by enabling the use of 
conceptually simpler ideal functionalities as subroutines. 

3.2.3 The Reentrance Problem 

As already mentioned in Sect. 1, a protocol designer has to specify the behavior 
of protocols and ideal functionalities upon receiving another input (on the I/O 
interface) while they are waiting for a response to an urgent request on the 
network. In other words, protocols and ideal functionalities have to be reentrant. 
Note that, as pointed out, a protocol has to be reentrant not only when it uses 
urgent requests itself, but also if a subroutine uses such messages. 

As explained next, dealing with the reentrance problem can be difficult. 
Approaches to solve this problem complicate the specifications of protocols and 
ideal functionalities, and none of them is sufficiently general to be applicable in 
every case. 

We now illustrate this by an example ideal functionality. However, similar 
issues occur in specifications for real and hybrid protocols. Let F be any ideal 
functionality which sends an urgent request to the adversary upon its first 
creation, say, to retrieve some modeling-related information. This is a common 
situation. For example, ideal functionalities often require some cryptographic 
material such as keys and algorithms from the adversary before they can 
continue their execution (e.g., functionalities for digital signatures or public-key 
encryption). We also assume that F is meant to be realized by a real protocol 
consisting of two independent parties/roles A and B (e.g., signer and verifier). 
We further assume that both of these parties also send an urgent request to 
the adversary upon their first activation and expect an answer before they can 
continue with their computation. Again, this is a common situation as, for exam- 
ple, real protocols often ask for their corruption status or notify the adversary 
of their creation.¹ While the above is only one illustrative example, it already 
describes a large and common class of real and ideal protocols often encountered 
in the literature. 

We now present several approaches to make F reentrant in the above sense, 
i.e., to deal with I/O requests while waiting for a response to an urgent request on 
the network. We show that the obvious approaches in general cannot be used. 
In particular, with most of these approaches F cannot even be realized by A 
and B in the setting outlined above. This in turn shows that solutions that are 
tailored to the specific functionality at hand and even the envisioned realization 
are required, which is very unsatisfactory, as this leads to more complex and yet 
less general functionalities and protocols. 

Ignore Requests. After sending an urgent request to the adversary, the most 
straightforward approach would be to ignore all incoming messages until a 
response from the adversary is received.² This, however, is not only an 
unexpected behavior in many cases - for example, why should a request silently fail 
if the ideal functionality models a local computation? - but the ideal function- 
ality in fact might no longer be realizable by some real protocols: 

If F, in our example functionality, would simply ignore incoming messages, 
an environment can distinguish F (with a simulator) from the realization A 
and B (with the dummy adversary). It first sends a message to A which, as 
we assume, then in turn sends an urgent request to the dummy adversary and 
hence to the environment. Now the environment, which does not have to respond 
to urgent requests immediately, sends a message to B which in turn also sends 
an urgent request to the adversary and hence to the environment. Consider the 
behavior of the ideal world in this case: After receiving the message for A, F will 
send an urgent request to the simulator. The simulator, however, cannot answer 
this urgent request because it has to simulate A by sending an urgent request 
to the environment. (This might be the case because the simulator first has to 
consult the environment before answering the urgent request by F or because F 
does not return control to the simulator after receiving an answer to the urgent 
request.) The environment then sends the second message (for B) to F, which is 
ignored because F still waits for an answer to its urgent request. This behavior 
is different from the real world, and thus, the environment can distinguish the 
real world from the ideal one. 

This illustrates that an ideal functionality that simply blocks all requests 
while waiting for a response to an urgent request can in general not be realized by 
two or more independent parties that also send urgent requests to the adversary. 
Instead one needs to adjust the blocking approach to the specific protocols at 

¹ The latter is, for example, required by the definition of “subroutine respecting 
protocols” in the 2013 version of UC [8]. While prompt responses by the adversary are 
formally not required, they would be very convenient for all of the reasons discussed 
in Sect. 3.2. 

² Alternatively, one could send error messages as response to intermediate requests. 
However, the exact same problems discussed for the approach of ignoring requests 
occur. 
hand. For example, often it might be possible to block messages that would be 
processed by a single party in the real protocol, while messages for other parties 
are still processed. But this does not work if, for instance, F cannot process 
messages for any party before receiving a response to its urgent requests, e.g., 
because F first needs to receive cryptographic material (algorithms, keys, etc.). 
Thus, in this case yet another workaround is required. 

Queuing of Intermediate Requests. Another potential general approach to deal 
with the reentrance problem is to store all incoming messages to process them 
later on. The simplest implementation of this approach would be the following: 
Upon receiving another input while still waiting for a response to an urgent 
request, the ideal functionality stores the input in a queue and then ends its 
activation. After receiving a response from the adversary, the ideal functionality 
processes the messages stored in the queue. 

This approach is vulnerable to the same attack as the previous approaches: if 
the environment executes this attack in the real world, it will eventually receive 
an urgent request from B. This, however, cannot be simulated in the ideal world. 
The simulator does not get control when B is activated as the ideal functionality 
simply ends its activation after queuing the input for B. 

Another problem with this approach is that in all current universal compos- 
ability models, a machine is allowed to send only one message per activation. 
Hence, the ideal functionality will never be able to catch up with the inputs that 
have been stored. Every time it is activated by another input, it will have to 
process both the new input and several older inputs that are still stored in the 
queue. But it can only answer one of these messages at a time. This observation 
leads to another approach based on the queuing of unanswered requests which 
we discuss in the full version of this paper [6]. This approach, which does not 
seem to have been used in the literature so far, is, however, very complex and 
weakens the security of the ideal functionality to an extent that for some tasks 
is unacceptable: it allows the adversary to determine the order in which requests 
are processed by an ideal functionality. 
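The distinguishing environment from the ignore-requests and queuing paragraphs above, as an added example that is not part of the paper: a Python model of the real world (parties A and B behind the dummy adversary) and of the ideal world (F with a simulator), where F applies either policy to inputs that arrive while its urgent request is unanswered. Machine names, message shapes and the simulator's behaviour are assumptions; the model follows the one-message-per-activation rule by letting a call return as soon as the machine has sent its single message. In both ideal variants the environment never sees B's urgent request, so the transcripts differ.

```python
"""Toy model of the distinguishing attack of Sect. 3.2.3 against the
"ignore" and "queue" approaches. Example code added for this edit, not from
the paper; machine and message names are assumptions."""


class Environment:
    """Records everything it receives and never answers urgent requests."""

    def __init__(self):
        self.transcript = []

    def receive(self, msg):
        self.transcript.append(msg)


class DummyAdversary:
    """A_d: forwards every network message to the environment."""

    def __init__(self, env):
        self.env = env

    def network(self, msg):
        self.env.receive(msg)


class RealParty:
    """Role A or B: on first activation it sends an urgent request (e.g. its
    corruption query) to the adversary and waits for the answer."""

    def __init__(self, name, adv):
        self.name, self.adv, self.started = name, adv, False

    def input(self, m):
        if not self.started:
            self.started = True
            self.adv.network(("urgent", self.name))   # activation ends here


class Simulator:
    """Has to reproduce the real view: it turns F's urgent request into A's
    urgent request towards E and must then wait for E, so it cannot answer F."""

    def __init__(self, env):
        self.env = env

    def network(self, msg):
        self.env.receive(("urgent", "A"))


class IdealF:
    """F sends one urgent request on creation; `policy` ("ignore" or "queue")
    decides what happens to I/O inputs that arrive while it is waiting."""

    def __init__(self, sim, policy):
        self.sim, self.policy = sim, policy
        self.waiting, self.queue = False, []

    def input(self, role, m):
        if self.waiting:
            if self.policy == "queue":
                self.queue.append((role, m))
            return          # either way the activation ends: E sees nothing
        self.waiting = True
        self.sim.network(("urgent", "F"))


def real_view():
    """E sends to A, leaves A's urgent request unanswered, then sends to B."""
    env = Environment()
    adv = DummyAdversary(env)
    a, b = RealParty("A", adv), RealParty("B", adv)
    a.input("m1")
    b.input("m2")
    return env.transcript


def ideal_view(policy):
    """Same environment strategy against F with the given policy."""
    env = Environment()
    f = IdealF(Simulator(env), policy)
    f.input("A", "m1")
    f.input("B", "m2")
    return env.transcript


def guess(transcript):
    """The distinguisher: a second urgent request only shows up in the real world."""
    return "real" if ("urgent", "B") in transcript else "ideal"
```

Queuing does not help because the simulator is never activated when the input for B is queued; the only way to get a second urgent request out of the ideal world would be for F to hand control to the simulator, which is exactly what a blocking or queuing F does not do.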

Further Approaches. In the full version of this paper [6], we discuss several 
alternative approaches, namely, default answers and code uploads, which, however, 
can merely help reduce the use of urgent requests, but do not solve the reentrance 
problem, let alone the general non-responsiveness problem. 

3.2.4 Unnatural Specifications of Higher-Level Protocols 

Higher-level protocols have to deal with the non-responsiveness problem for two 
reasons. First, they might use urgent requests themselves. Second, subprotocols 
might use urgent requests, and hence, if requests are sent to subprotocols (even 
for those that intuitively should model non-interactive primitives), the adversary 
might get control. In both cases, higher-level protocols have to deal with the 
problem that while waiting for answers, the state of other parts of them and 
of any of their subprotocols might change and new requests (from the network 
or I/O interface) might have to be processed. This can lead to unnecessarily 
complex and often unnatural specifications, if the non-responsiveness problem 
is actually taken into account rather than being ignored (which in turn would 
result in underspecified, and hence, unusable protocols). 

We illustrate this by a joint state realization, which represents one form 
of a higher-level protocol: Consider a digital signature functionality F_sig. Let 
us assume that F_sig is specified in such a way that at the beginning it asks the 
adversary for signing and verification algorithms and keys before it answers other 
requests; as already mentioned, this is a very common design pattern. Because 
the adversary might not answer requests for the cryptographic material right 
away (non-responsiveness), F_sig might receive further requests while waiting for 
the answer. Let us assume that F_sig ignores/drops all such requests (this seems 
to be the option mainly used in the literature, see, e.g., [4,23]).³ 



Fig. 6. Joint state realization. 


In a joint state realization of F_sig, one instance of F_sig (per party) is used to 
realize all sessions of F_sig (for one party) in the ideal world (see also Fig. 6). The 
idea behind the joint state realization is that if in session sid a message m is to 
be signed/verified, then one would instead sign/verify the message (sid, m). In 
this way, messages of different sessions cannot interfere. In the realization proof, 
a simulator would provide an instance F_sig in session sid with a signing and 
verification algorithm that exactly mimics the behavior of F_sig in session sid (i.e., 
signing/verifying messages prefixed with sid). Unfortunately, because of the non- 
responsiveness problem, the joint state realization is more complex than that, 
even if, for the purpose of the discussion, we ignore the handling of corruption. To 
see this, assume that the environment sends a signing request for some message 
m in session sid. The joint state realization would now invoke F_sig with (sid, m). 
Before F_sig can answer, F_sig asks the adversary for the cryptographic material. 
Hence, the adversary/environment gets activated again, and the environment can 
send a new, say, signing request for message m' in session sid'. As F_sig is still 
waiting for the adversary to provide the cryptographic material, this later request 

³ As explained in Sect. 3.2.3, this approach, just as all other approaches discussed in 
Sect. 3.2.3, does not work in general, e.g., when the signer and verifier are inde- 
pendent and send urgent requests to the adversary upon first activation. It really 
depends on the details of F_sig and its realization. 
will be ignored by F_sig and hence will never be answered. To mimic this behavior 
in the ideal world, the simulator should not provide the cryptographic material 
to the instance of F_sig in session sid' (otherwise, F_sig in session sid' would return 
a signature for m'). But then, this instance of F_sig is blocked completely. Hence, 
in turn, the joint state realization also has to block all further requests for session 
sid'. That is, it has to store all SIDs for which it received requests while waiting 
for F_sig to respond, and all future requests for all such SIDs have to be dropped. 

This is very unnatural and certainly would not correspond to anything one 
would do in actual implementations: there one would simply prefix messages 
with SIDs, but one would never block requests for certain SIDs. This is just an 
artifact of the non-responsiveness problem, i.e., the fact that, in current models, 
urgent requests (in this case the request for cryptographic material by F_sig) 
might not be answered immediately. 

4 Universal Composability with Responsive Environments 

The non-responsiveness problem and the resulting complications shown in Sect. 3 
are artificial problems. As urgent requests exist only for modeling purposes but 
do not model any real network traffic, a real adversary would not be able to use 
them to carry out attacks. Still, in all current universal composability models, 
the non-responsiveness of adversaries enables attacks that do not correspond to 
anything in reality. If we could force the adversary to answer urgent requests 
immediately, which, as already mentioned before, would be the natural and 
expected behavior, there would not be any need for coming up with workarounds 
that try to solve the non-responsiveness problem in the specifications of protocols 
and functionalities and one would not have to consider such artificial attacks in 
security proofs. 

In this section, we present our framework which extends universal compos- 
ability models by allowing protocol designers to specify messages that have to 
be answered immediately by (responsive) environments and adversaries. We first 
give a brief overview of our approach, then define in more detail responsive envi- 
ronments, responsive adversaries and the realization relation in this setting, and 
finally prove that the composition theorems still hold for our extension. As our 
framework and concepts can be used by any universal composability model and 
to highlight the new concepts, we keep this section independent of specific mod- 
els. In particular, we mostly ignore runtime considerations. In Sect. 5, we then 
discuss in detail how our framework can be adapted to specific models. 


4.1 Overview 

To avoid the non-responsiveness problem altogether, we introduce the concept of 
responsive environments and responsive adversaries. In a nutshell, when these 
environments and adversaries receive specific messages from the network (we 
call these messages restricting ) then they have to respond to these messages 
immediately, i.e., without activating other parts of the protocol before sending 
an answer. Furthermore, depending on the restricting message, they may send an 
answer from a specific set of messages only. Restricting messages and the possible 
answers can be specified by the protocol designer; they are not hardwired into 
the framework. More specifically, restricting messages and the possible responses 
are specified by a binary relation $R \subseteq \{0,1\}^+ \times \{0,1\}^+$ over non-empty messages, 
called a restriction. If (m, m') ∈ R, then m is a restricting message and m' a 
possible answer to m. That is, if an environment/adversary receives m on its 
network interface, then it has to answer immediately with some m' such that 
(m, m') ∈ R. 

This allows a protocol designer to specify all urgent requests as restrict- 
ing messages by defining a restriction R appropriately; such requests are then 
answered not only immediately but also with an expected answer. Therefore the 
adversary can no longer interfere with the protocol run in an unintended way 
by activating other parts of the protocol or sending unexpected inputs before 
answering an urgent request. 

Note that this concept is very powerful and needs to be handled with care: 
While, as motivated above, it does not weaken security results if one models 
urgent requests as restricting messages, one must not use such messages when 
modeling real network traffic, as real network messages are not guaranteed to be 
answered immediately in reality. 


4.2 Defining Responsiveness 

To define responsive environments and responsive adversaries, we first precisely 
define the notion of a restriction. As mentioned, restrictions are used to define 
both restricting messages, which have to be answered immediately by the envi- 
ronment/adversary, and possible answers to each restricting message. 

Definition 4.1. A restriction R is a set of pairs of non-empty messages, i.e., 
$R \subseteq \{0,1\}^+ \times \{0,1\}^+$, such that, given a pair of messages (m, m'), it is efficiently 
decidable whether R allows m' as an answer to m. We define 
$R[0] := \{m \mid \exists m' : (m, m') \in R\}$. A message m ∈ R[0] is called a restricting message. 

The idea is that if an environment/adversary receives m on the network 
interface, there are two cases: If m is not a restricting message, i.e., m ∉ R[0], 
then the environment/adversary is not restricted in any way. Otherwise, if m ∈ 
R[0], then the first message (if any) sent back to the protocol (both on the 
network and I/O interface of the protocol) has to be some message m' with 
(m, m') ∈ R. This message has to be sent on the network interface of the same 
machine that issued the request m, without any other message being sent to 
another machine of the protocol (see also Definition 4.2). 

By requiring efficient decidability we ensure that environments are able to 
check whether some answer is allowed by the restriction; this is necessary, e.g., for 
Lemma 4.4. We refer to Sect. 5 for the exact definitions of “efficiently decidable”, 
which depend on the runtime definitions of the underlying models. 
As mentioned in Sect. 4.1, only urgent requests should be defined as restricting 
messages via a restriction. For example, upon creation of a new instance by 
receiving a message m, instances of protocols are often expected to first ask the 
adversary whether they are corrupted before they process the message m. An 
adversary can be forced to answer such a request immediately by the following 
restriction: 

$R := \{(m, m') \mid m = \mathsf{AmICorrupted?},\ m' = (\mathsf{Corruption}, b),\ b \in \{\mathsf{false}, \mathsf{true}\}\}$. 

We now formalize the responsiveness property of environments and adversaries. 

Definition 4.2 (Responsive Environments). An environment E is called 
responsive for a system of machines Q with respect to a restriction R if in 
an overwhelming set of runs of {E, Q} every restricting message from Q on the 
network is answered correctly, i.e., for any restricting message m ∈ R[0] sent 
by Q on the network, the first message m' that Q receives afterwards (be it on 
the network interface or the I/O interface of Q), if any, is sent by E on the 
network interface of Q to the same machine of Q that sent m and m' satisfies 
(m, m') ∈ R. By Env_R(Q) we denote the set of responsive environments for Q. 

In the above definition, “same machine” typically means the same instance 
of a machine. So if an instance of a machine of Q sent a restricting message m on 
the network interface to the environment, the first message m' received by any 
instance of Q (on the network or I/O interface), including all currently running 
instances of Q and an instance that might be created as a result of m', has to be 
sent back on the network interface to the same instance of Q which sent m, and 
m' has to satisfy (m, m') ∈ R. The exact definition of “same machine” depends 
on the model under consideration (see Sect. 5). 

The system Q usually is either {A_D, P}, where P is a real protocol and A_D 
is the dummy adversary, or {S, F}, where S is an ideal adversary and F is an 
ideal protocol. 
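The following Python program is an added example and not part of the paper. It encodes a restriction as the two decidable predicates Definition 4.1 asks for (membership of (m, m') in R and of m in R[0]) and checks a trace of messages crossing the boundary of a system Q against Definition 4.2: after a restricting message m from an instance X of Q on the network, the next message entering Q, on whichever interface and to whichever instance, must go to X on the network and be an allowed answer. The messages AmICorrupted?/(Corruption, b) are the paper's own example from Sect. 4.2; the KeyGen? request, its answer format and the instance names F_sig[sid] are assumptions made here so that the joint-state scenario of Sect. 3 (F_sig waits for its keys while the environment activates another session) can be replayed as a concrete violation.

```python
"""Added example (not from the paper): checking a message trace against the
responsiveness condition of Definition 4.2.

Assumptions made here: the KeyGen? request and its (Keys, ...) answer encode
F_sig's request for cryptographic material from Sect. 3, and instances of Q
are named like F_sig[sid]. The AmICorrupted?/(Corruption, b) restriction is the
paper's example from Sect. 4.2.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Restriction:
    """(m, m') in R  iff  allows(m, m');   m in R[0]  iff  restricting(m)."""
    allows: Callable[[Any, Any], bool]
    restricting: Callable[[Any], bool]

    def union(self, other: Restriction) -> Restriction:
        """Combine two restrictions, so each functionality can declare its own
        urgent requests (cf. the remark on combining restrictions in Sect. 4.4)."""
        return Restriction(
            allows=lambda m, a: self.allows(m, a) or other.allows(m, a),
            restricting=lambda m: self.restricting(m) or other.restricting(m),
        )


def corruption_restriction() -> Restriction:
    """R := {(m, m') | m = AmICorrupted?, m' = (Corruption, b), b in {false, true}}."""
    def allows(m: Any, a: Any) -> bool:
        return (m == "AmICorrupted?" and isinstance(a, tuple) and len(a) == 2
                and a[0] == "Corruption" and isinstance(a[1], bool))
    return Restriction(allows, lambda m: m == "AmICorrupted?")


def keygen_restriction() -> Restriction:
    """Assumed encoding of F_sig's request for cryptographic material (Sect. 3):
    KeyGen? must be answered by (Keys, sign_alg, verify_alg, key_material)."""
    def allows(m: Any, a: Any) -> bool:
        return m == "KeyGen?" and isinstance(a, tuple) and len(a) == 4 and a[0] == "Keys"
    return Restriction(allows, lambda m: m == "KeyGen?")


@dataclass(frozen=True)
class Event:
    """One message crossing the boundary of the system Q.
    direction: "out" = sent by Q to the environment/adversary, "in" = sent into Q.
    instance:  the machine instance of Q that sends or receives the message.
    iface:     "net" (network interface) or "io" (I/O interface).
    """
    direction: str
    instance: str
    iface: str
    payload: Any


def check_trace(trace: list[Event], R: Restriction) -> Optional[str]:
    """Return None if the trace satisfies Definition 4.2 for R, otherwise a
    description of the first violation. A request that is never answered is
    not a violation ("if any" in the definition)."""
    pending: Optional[Event] = None  # outstanding restricting message, if any
    for i, ev in enumerate(trace):
        if ev.direction == "out":
            # only messages on the network interface can be restricting
            if ev.iface == "net" and R.restricting(ev.payload):
                pending = ev
            continue
        if pending is None:
            continue  # no outstanding urgent request: E is unrestricted
        if ev.iface != "net":
            return (f"event {i}: {ev.payload!r} sent on the I/O interface while "
                    f"{pending.payload!r} is unanswered")
        if ev.instance != pending.instance:
            return (f"event {i}: answer delivered to {ev.instance}, but "
                    f"{pending.payload!r} came from {pending.instance}")
        if not R.allows(pending.payload, ev.payload):
            return f"event {i}: {ev.payload!r} is not an allowed answer to {pending.payload!r}"
        pending = None  # answered correctly; E is unrestricted again
    return None


R_SIG = corruption_restriction().union(keygen_restriction())


def joint_state_trace() -> list[Event]:
    """Constructed replay of Sect. 3: F_sig in session sid asks for its keys and
    the environment instead sends a signing request for session sid'."""
    return [
        Event("in", "F_sig[sid]", "io", ("Sign", b"m")),
        Event("out", "F_sig[sid]", "net", "KeyGen?"),
        Event("in", "F_sig[sid']", "io", ("Sign", b"m'")),   # non-responsive
    ]


def responsive_trace() -> list[Event]:
    """Constructed trace in which every urgent request is answered as required."""
    return [
        Event("in", "F_sig[sid]", "io", ("Sign", b"m")),
        Event("out", "F_sig[sid]", "net", "AmICorrupted?"),
        Event("in", "F_sig[sid]", "net", ("Corruption", False)),
        Event("out", "F_sig[sid]", "net", "KeyGen?"),
        Event("in", "F_sig[sid]", "net", ("Keys", "sign", "verify", b"\x01")),
        Event("out", "F_sig[sid]", "io", ("Signature", b"\xaa")),  # not restricting
        Event("in", "F_sig[sid']", "io", ("Sign", b"m'")),          # now allowed
    ]


if __name__ == "__main__":
    print(check_trace(responsive_trace(), R_SIG))   # -> None
    print(check_trace(joint_state_trace(), R_SIG))  # -> "event 2: ... I/O interface ..."
```

Note that an output of Q on its I/O interface (the Signature event above) is never restricting, exactly as in Definition 4.2, so after F_sig has received its keys the request for session sid' is no longer a violation; the checker also rejects answers delivered to the wrong instance and answers with the right shape but a disallowed payload, such as (Corruption, "yes").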

Responsive adversaries have to provide the same guarantees as responsive 
environments; however, they have to do so only when running in combination 
with a responsive environment. In other words, they can use the responsiveness 
property of the environment to ensure their own responsiveness property. 

Definition 4.3 (Responsive Adversaries). Let Q be a system and let A be an 
adversary that controls the network interface of Q. Then, A is called a responsive 
adversary if, for all E ∈ Env_R({A, Q}), in an overwhelming set of runs 
of {E, A, Q} every restricting message from Q on the network is immediately 
answered (in the sense of Definition 4.2). We denote the set of all such adversaries 
for a protocol Q by Adv_R(Q). 

We note that the dummy adversary A_D is responsive. 

Also note that the definitions of both responsive environments and responsive 
adversaries depend on a specific system, i.e., an environment which is responsive 
for a system Q is not necessarily responsive for a system Q'. If we required envi- 
ronments to be responsive for every system, we would also have to require this 
from simulators (ideal adversaries). This in turn would needlessly complicate 
security proofs. Let us elaborate on this. Many theorems and lemmas in UC-like 
models, such as transitivity of the realization relation (cf. Lemma 4.7) and the 
composition theorems (cf. Theorems 4.8 and 4.9), are proven by simulating (some 
instances of) adversaries/simulators and protocols within the environment. In 
such proofs, we need to make sure that if an environment is responsive, then 
it is still responsive if we move a simulator (ideal adversary) into the environ- 
ment, i.e., run the simulator within the environment. Now, if we require strong 
responsiveness (i.e., responsiveness for all systems), then moving a simulator 
into a responsive environment might result in an environment that is no longer 
responsive (in the strong sense), unless we require from the simulator that it is 
responsive in the strong sense as well. However, imposing such a strong require- 
ment on simulators seems unreasonable. Simulators are constructed in security 
proofs to work with exactly one protocol. So a protocol designer should only 
have to care about runs with this specific protocol, not with arbitrary systems 
that might try to actively violate the responsiveness property of the simulator. 
This is why we require responsiveness for specific systems only and this indeed 
is sufficient. 

In fact, for security proofs, there are two important properties that should be 
fulfilled and for which we now show that they are. The first says that if an envi- 
ronment is responsive for one system, then it is also responsive for any system 
indistinguishable from that system. The second property says that a responsive 
environment can internally simulate a responsive adversary /simulator without 
losing its responsiveness property. In other words, we can move a responsive 
adversary /simulator into a responsive environment without losing the respon- 
siveness property of the environment. As mentioned before, this is necessary, 
for example, for the transitivity of the realization relation and the composition 
theorems. 

Lemma 4.4. Let R be a restriction. Let Q and Q' be two systems of machines 
such that {E, Q} ≡ {E, Q'} for all E ∈ Env_R(Q). Then, Env_R(Q) = Env_R(Q'). 

For the proof of this lemma, we refer the reader to the full version of this 
paper [6]. 

Lemma 4.5. Let R be a restriction. Let Q be a system, A ∈ Adv_R(Q) be a 
responsive adversary, and E ∈ Env_R({A, Q}) be a responsive environment. Let 
E' denote the environment that internally simulates the system {E, A}. Then, 
E' ∈ Env_R(Q). 

For the proof of this lemma, we refer the reader to the full version of this 
paper [6]. 

4.3 Realization Relation for Responsive Environments 

We can now define the realization relation for responsive environments. The 
definition is analogous to the one for general environments and adversaries (see 
Definition 2.1), but restricts these entities to being responsive. 
Definition 4.6 (Realizing Protocols with Responsive Environments). 
Let P and F be protocols, the real and ideal protocol, respectively, and R 
be a restriction. Then, P realizes F with respect to responsive environments 
(P ≤_R F) if for every responsive adversary A ∈ Adv_R(P), there exists an 
(ideal) responsive adversary S ∈ Adv_R(F) such that {E, A, P} ≡ {E, S, F} for 
every environment E ∈ Env_R({A, P}). 

Just as in the case of Definition 2.1, we have that instead of quantifying over 
all responsive adversaries, it suffices to consider only the dummy adversary A_D, 
which forwards all network messages between P and E (we provide a formal 
proof in the full version of this paper [6]). As already mentioned, A_D is always 
responsive. This means that in security proofs, one has to construct only one 
responsive simulator S for A_D. 

As mentioned before Lemma 4.5, the responsiveness of S is necessary for 
the transitivity of ≤_R. While the responsiveness of S is a property a protocol 
designer has to ensure, this property is easy to check and guarantee: upon 
receiving a restricting message from the protocol, it either answers immediately 
and correctly or sends only restricting messages to the environment until it can 
provide a correct answer to the original restricting message from the protocol. 
In such a situation, the simulator should not send a non-restricting message to 
the environment because, if it does so, it cannot make sure that it gets back an 
answer immediately from the environment and that the environment does not 
invoke the protocol in between. In the full version of this paper [6], we specify 
and provide a formal proof of this intuition. 

We also note that Definition 4.6 is a generalization of Definition 2.1: with 
R := ∅, we obtain Definition 2.1. 

We now prove that the realization relation with responsive environments is 
reflexive and transitive. This is crucial for the modular and step-wise design of 
protocols: once we have proven P ≤_R P' and P' ≤_R P'', we want to conclude 
immediately that P ≤_R P''. 

Lemma 4.7. The ≤_R relation is reflexive and transitive. 

For the proof of this lemma, we refer the reader to the full version of this 
paper [6]. 

4.4 Composition Theorems 

Composition theorems are the core of every universal composability model. 
We now present a first composition theorem that handles concurrent composition 
of any (fixed) number of potentially different protocols. 

Theorem 4.8. Let R be a restriction. Let k ≥ 1, Q be a protocol, and 
P_1, ..., P_k, F_1, ..., F_k be protocols such that for all j ≤ k it holds true that 
P_j ≤_R F_j. 

Then, {Q, P_1, ..., P_k} ≤_R {Q, F_1, ..., F_k}. 


Universal Composition with Responsive Environments 827 


Proof. In what follows, we take the (equivalent) formulation of ≤_R with the 
dummy adversary A_D. 

It suffices to prove the theorem for the case k = 1. The argument can then 
be iterated to obtain the theorem for k > 1 using transitivity of the ≤_R relation. 
Let S ∈ Adv_R(P_1) be the simulator from the definition of P_1 ≤_R F_1. Define 
the simulator S' to forward messages between the environment and Q, while 
internally simulating S for messages between the environment and F_1. Now let 
E ∈ Env_R({A_D, Q, P_1}). For convenience, in what follows, we split A_D into A_D^Q 
and A_D^{P_1}, where A_D^Q forwards all communication between E and Q and A_D^{P_1} 
forwards all communication between E and P_1. 

We first prove that {E, A_D, Q, P_1} ≡ {E, S', Q, F_1}. Suppose that this is not 
the case. Then we can define a new environment E' that distinguishes {A_D^{P_1}, P_1} 
from {S, F_1}. The environment E' internally simulates {E, A_D^Q, Q}, and hence, 
distinguishes with the same probability as E. Now observe that E' is responsive 
for {A_D^{P_1}, P_1}: All network messages from {A_D^{P_1}, P_1} in {E, A_D, Q, P_1} are 
handled by E only, not by Q. Moreover, as E is responsive for {A_D, Q, P_1}, we 
have that these messages are answered correctly (in the sense of Definition 4.2), 
implying the responsiveness of E' for {A_D^{P_1}, P_1}. This contradicts the assumption 
that P_1 ≤_R F_1, and hence {E, A_D, Q, P_1} ≡ {E, S', Q, F_1} must be true. 

We still have to show the responsiveness property of S', that is, S' ∈ 
Adv_R({Q, F_1}). Let E ∈ Env_R({S', Q, F_1}). We have to show that all restricting 
network messages from Q and F_1 to E and S' are answered correctly (in 
the sense of Definition 4.2). Suppose that there is a non-negligible set of runs 
of {E, S', Q, F_1} in which a restricting network message from {Q, F_1} is not 
answered correctly. As S' only forwards network messages from Q to the environment 
and the environment is responsive for {S', Q, F_1}, we have that with 
overwhelming probability these messages are answered correctly. Hence, there 
must be a non-negligible set of runs in which network messages from F_1 are 
not answered correctly. Now consider E' from above. Then there also is a non-negligible 
set of runs of {E', S, F_1} in which restricting messages on the network 
from F_1 are answered incorrectly because, by construction of E', the behavior 
of the system {E', S, F_1} coincides with {E, S', Q, F_1}. We already know 
that E' ∈ Env_R({A_D^{P_1}, P_1}) from above. Also, by assumption, we have that 
{E'', A_D^{P_1}, P_1} ≡ {E'', S, F_1} for all E'' ∈ Env_R({A_D^{P_1}, P_1}). Now, by Lemma 4.4, 
it follows that Env_R({A_D^{P_1}, P_1}) = Env_R({S, F_1}), and hence E' ∈ Env_R({S, F_1}). 
This contradicts the responsiveness property of S. □ 

The following composition theorem guarantees the secure composition of an 
unbounded number of instances of the same protocol system. To state this the- 
orem, we consider single-session (responsive) environments, i.e., environments 
that invoke a single session of a protocol only. In universal composability mod- 
els, instances of protocol machines have IDs that consist of party IDs and session 
IDs. Instances with the same session ID form a session. Instances from different 
sessions may not directly interact with each other. A single-session environment 
may invoke machines with the same session ID only. We denote the set 
of single-session environments for a system Q by Env_{R,single}(Q). We say that P 
single-session realizes F (P ≤_{R,single} F) if there exists a simulator S ∈ Adv_R(F) 
such that {E, A_D, P} ≡ {E, S, F} for all E ∈ Env_{R,single}({A_D, P}). Now, the 
composition theorem states that if a single session of a real protocol P realizes a 
single session of an ideal protocol F, then multiple sessions of P realize multiple 
sessions of F. 

Theorem 4.9. Let R be a restriction, and let P and F be protocols. Then, 
P ≤_{R,single} F implies P ≤_R F. 

Proof. Let S be the simulator for P ≤_{R,single} F. A new simulator S' for arbitrary 
responsive environments can be constructed just as in the original 
(non-responsive) composition theorem, i.e., S' internally keeps one copy of S per 
session and uses these copies to answer messages from/to the corresponding 
sessions. 

The proof has two main steps: The first step shows indistinguishability of 
{A_D, P} and {S', F} for every responsive environment E ∈ Env_R({A_D, P}). 
The second step shows the responsiveness property of the simulator. 

The first part uses a hybrid argument in which one builds a series of 
single-session environments E_i, i ≥ 1, which internally simulate E such that all 
messages to the first i − 1 sessions are sent to internally simulated instances of 
{S, F}, messages to the i-th session are sent to the (external) system {A_D, P} or 
{S, F}, respectively, and the remaining messages are sent to internally simulated 
instances of {A_D, P}. As different sessions of a protocol do not directly interact 
with each other, it is easy to see that {E_1, A_D, P} behaves just as {E, A_D, P} 
(*), and {E_n, S, F} behaves just as {E, S', F}, where n ∈ ℕ is an upper bound 
of the number of sessions created by E (note that n is a polynomial in the security 
parameter and the length of the external input given to the environment, 
if any). Hence, the distinguishing advantage of E is bounded by the sum of 
the advantages of E_1, ..., E_n, i.e., it is sufficient to show that the advantages of 
E_1, ..., E_n are bounded by the same negligible function^4 to show that E cannot 
distinguish {A_D, P} from {S', F}. In what follows, to show the existence of a 
single negligible function, we consider environments with external input because 
the argument is simpler in that case. Nevertheless, using sampling of runs, the 
argument also works without external input, i.e., in the uniform case (see the 
full version of this paper [6] for details). 

To show that such a bound exists, it is first necessary to prove that there is 
a (single) negligible function f that, for every i ≤ n, bounds the probability of 
E_i of violating the responsiveness property in runs of {A_D, P} or {S, F}, respectively. 
Let $C_i^{A_D,P}$ be the event that in runs of {E_i, A_D, P} the environment E, 
which is internally simulated by E_i, answers a restricting message of the external 
system {A_D, P} or one of the internally simulated instances of {A_D, P} and 
{S, F} incorrectly; $C_i^{S,F}$ is defined analogously. Because E ∈ Env_R({A_D, P}) 
and because of (*), we have that $\Pr[C_1^{A_D,P}]$ is negligible. It also holds true that (**) 
there exists a single negligible function that bounds $|\Pr[C_i^{A_D,P}] - \Pr[C_i^{S,F}]|$ 
for all i ≥ 1. This is because one can define a single-session responsive environment 
E' that gets i as external input and then simulates E_i; E' aborts and 
outputs 1 as soon as a restricting message is about to be answered incorrectly, 
and 0 otherwise. Note that because the restriction R can be decided efficiently, 
E' can perform the task described. Also, by construction, E' is a single-session 
environment (it invokes a single external session only) and it is responsive (it 
stops the execution before the responsiveness requirement would be violated). 
As E' distinguishes {A_D, P} and {S, F} only based on the events $C_i^{A_D,P}$ and 
$C_i^{S,F}$, and both systems are indistinguishable for every single-session responsive 
environment, statement (**) holds true. Finally, observe that, for all i ≥ 2, 
the systems {E_{i−1}, S, F} and {E_i, A_D, P} behave exactly the same, and hence 
$\Pr[C_{i-1}^{S,F}] = \Pr[C_i^{A_D,P}]$. This implies that there is a single negligible function 
that bounds $\Pr[C_i^{A_D,P}]$ for all 1 ≤ i ≤ n (here we need that n is polynomially 
bounded).^5 In particular, we have that the probability that E_i is not responsive 
for the system {A_D, P} is bounded by a single negligible function independently 
of i ≤ n. 

4 It is not sufficient to show that the advantage of every environment E_i is bounded by a 
negligible function f_i, which is actually rather easy to show. The negligible functions 
f_i might be different and then their sum f_1 + ··· + f_n might not be negligible. 
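The bound behind the last step, and the reason footnote 4 insists on a single negligible function, written out as an added derivation that is not part of the paper (η is a name assumed here for the security parameter; f_1 denotes a negligible bound on $\Pr[C_1^{A_D,P}]$ and g the single negligible function from (**)): for 2 ≤ i ≤ n,

$$
\Pr[C_i^{A_D,P}] \;=\; \Pr[C_{i-1}^{S,F}] \;\le\; \Pr[C_{i-1}^{A_D,P}] + g(\eta) \;\le\; \dots \;\le\; \Pr[C_1^{A_D,P}] + (i-1)\,g(\eta) \;\le\; f_1(\eta) + n(\eta)\,g(\eta),
$$

and since n is polynomial and g negligible, $f_1 + n\,g$ is one negligible function that does not depend on i. If instead each hybrid only came with its own bound $f_i$, the sum need not be negligible: with $n(\eta) = \eta$ and $f_i(\eta) := 1$ if $\eta = i$ and $0$ otherwise, every $f_i$ is negligible (it vanishes for all $\eta > i$), yet

$$
\sum_{i=1}^{n(\eta)} f_i(\eta) \;=\; 1 \qquad \text{for every } \eta \ge 1 .
$$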

We can now conclude the indistinguishability argument by showing that the 
advantages of E_i, 1 ≤ i ≤ n, in distinguishing {A_D, P} from {S, F} are bounded 
by the same negligible function. For this, we construct another single-session 
responsive environment E'' analogously to E'. The system E'' expects 1 ≤ i ≤ n 
as external input (and otherwise stops) and then exactly simulates E_i. Importantly, 
E'' is responsive for {A_D, P} because we have shown that every E_i violates 
responsiveness with at most the same negligible probability, i.e., the same bound 
also holds for E'' for every input. As E'' is a single-session responsive environment, 
its distinguishing advantage for the systems {A_D, P} or {S, F} is negligible for 
every possible input. Moreover, with external input i, its distinguishing advantage 
is the same as that for E_i. Hence, the same negligible function that bounds 
the advantage of E'' also bounds all advantages of E_i, i ≤ n. As mentioned at the 
beginning of the proof, this implies indistinguishability of {A_D, P} and {S', F} 
for every responsive environment E ∈ Env_R({A_D, P}). 

Having proved indistinguishability, it remains to show that S' is responsive, 
i.e., S' ∈ Adv_R(F). Let E ∈ Env_R({S', F}). We have to show that the probability 
that all restricting messages from F in runs of {E, S', F} are answered correctly 
(in the sense of Definition 4.2) is overwhelming. For this, consider the following 
single-session environment E' that is meant to run with {S, F}: The system E' 
first picks r ≤ n at random, with n as above, and then internally simulates E and several 
sessions of {S, F} such that messages from E to the r-th session are sent to 
the external session, whereas all other messages are processed by the internally 
simulated sessions. Note that {E', S, F} behaves just as {E, S', F}, and hence, 

5 Note that it also follows that $\Pr[C_i^{S,F}]$ is bounded for all 1 ≤ i ≤ n. However, we 
do not need this result in the following. 
because E ∈ Env_R({S', F}), by Lemma 4.4 we have that E' is responsive for 
{S, F}. Because S is a responsive adversary, this implies that there is only 
a negligible set of runs of {E', S, F} in which a restricting message of F is 
answered incorrectly (by E' or S). Hence, the probability for this to happen is 
bounded by some negligible function f. From this and the fact that there are 
only polynomially many sessions, it follows that the probability that a restricting 
message from some session of F is answered incorrectly is negligible. Hence, S' 
is a responsive adversary. □ 

We note that Theorems 4.8 and 4.9 can be combined to obtain increasingly 
complex protocols. For example, one can first show that a single session of a 
real protocol P realizes a single session of an ideal protocol F. Using the two 
theorems, it then follows, for example, that a protocol Q using multiple sessions 
of P realizes Q using multiple sessions of F. 

To conclude this section, we note that all of our lemmas and theorems have 
been proven using a single restriction R. Hence, formally, a protocol designer 
would have to use the same restriction in all of her security proofs in order to 
be able to use our results. However, as we show in the full version of this paper 
[6], this is actually not the case because it is very easy to extend and combine 
different restrictions while still retaining all security results. Also, as discussed in 
Sect. 6, there is in fact one generic restriction that would suffice for all purposes. 

5 Responsive Environments in Concrete Models 

In the preceding section, we have presented our universal composability framework 
with responsive environments in a rather model-independent way. In this 
section, we outline how to implement this framework in the prominent UC, 
GNUC, and IITM models to exemplify that our framework and concepts are suf- 
ficiently general to be applicable to any universal composability model. While 
these three models follow the same general idea, they differ in several details 
which affect the concrete implementation of our concepts in these models (see, 
e.g., [19, 24] for a discussion of these differences). The main differences and details 
to be considered concern runtime definitions and the mechanism for addressing 
(instances of) machines. 

To instantiate our universal composability framework with responsive envi- 
ronments for the models mentioned, we mainly have to concretize the definitions 
in Sect. 4.2 for these models, that is, the definitions of restrictions as well as of 
the responsive environments and adversaries. For some models we also have to 
adjust their runtime notions slightly. Before presenting the details for the specific 
models, let us briefly explain the central points to be taken care of: 

Runtime. In the GNUC and IITM models, the runtime of systems/protocols is 
required to be polynomially bounded only for a certain class of environments. 
As we now want to consider responsive environments, we should restrict the 
class of environments considered in the GNUC and IITM models to those 
that are responsive. This also has some technical advantages. To see this, 
let ℛ and ℛ' be two systems/protocols. For example, ℛ and ℛ' could be 
the systems {E, A_D, Q, P} and {E, S, Q, F} as considered in the composition 
theorem (Theorem 4.8) when we want to prove that {Q, P} realizes {Q, F}. 
We often face the situation that we know that, say, ℛ satisfies the model’s 
runtime bound for all environments in a certain class and that ℛ and ℛ' 
are indistinguishable for every responsive environment E (in this class). This 
implies that ℛ' also has to satisfy the runtime notion, but only for all responsive 
environments of the class. Hence, one cannot necessarily use ℛ', with 
any environment, in another system as it does not satisfy the model’s runtime 
notion (for non-responsive environments E, the runtime of ℛ' might 
not be polynomial). Hence, also from a technical point of view, it makes 
sense to relax the runtime notions in these models in that the runtime of 
systems/protocols should only be required to be polynomially bounded for 
responsive environments. 

Definition of restrictions. According to Definition 4.1, we require that restrictions 
are “efficiently decidable” . As mentioned, the exact definition depends on the 
model at hand. The important property this definition should satisfy is the 
following: An environment £' which internally simulates another environment 
£ should be able to decide whether the output £ produces is a correct answer 
(according to the restriction) when receiving some message as input. That is, 
£' must be able to check whether the input message was restricting at all, and 
if it was, £' must be able to check whether the response was valid. We often 
use such simulations in proofs. Depending on the model under consideration, 
we might not yet (at this point of the proof) have guarantees about the 
length of the restricting message sent to £. A model-dependent definition of 
an efficiently decidable restriction should take this into account. 

Definition of responsive environments. In the definition of responsive environ- 
ments (Definition 4.2), we require that an answer to a restricting message be 
sent back to the same machine and we already explained that “same machine” 
typically means the same instance from which the restricting message has 
been received. This has to be specified for the different models. 

Definition of responsive adversaries. Depending on the restriction R consid- 
ered, in some models, in particular UC and GNUC, Definition 4.3 can be too 
restrictive, and, for example, the dummy adversary in these models might 
not satisfy the definition. The dummy adversary in these models is required 
to perform multiplexing. When it receives a message from an instance of the 
protocol and forwards this message to the environment, it has to prefix the 
message with the ID of that instance to tell the environment where the mes- 
sage came from. This alters the message, and the resulting message might no 
longer be restricting, depending on the definition of the restriction R. Hence, 
the environment would no longer be obliged to answer directly, and thus 
the (dummy) adversary would not be responsive. One way to fix this is to 
require a certain closure property of restrictions, namely that adding IDs at 
the beginning of restricting messages still yields restricting messages and that 
these messages permit the same answers. But this is quite cumbersome. For 
example, by recursively applying this constraint one would have to require 
that R be closed under arbitrarily long prefixes of sequences of IDs. A more 
elegant solution that would still allow simple and natural restrictions would 
redefine what it means for a message from an adversary to the environment 
to be restricting. This is what we suggest for the UC and GNUC models (see 
below). 

In what follows, we sketch how to adjust and concretize the runtime notions 
and the definitions for the UC, GNUC, and IITM models. As mentioned in the 
introduction, we have carried out the implementation of responsive environments 
in full detail for the IITM model. 

5.1 UC 

For the UC model, we do not have to change the runtime definition because the 
runtime of a protocol is not defined w.r.t. a class of environments, but simply 
bounded by a fixed polynomial (see also below). 

Definition of Restrictions. For UC we require both R and R[0] to be decidable 
in polynomial time in the length of the input. Because of UC’s strict runtime 
definition, this is sufficient to satisfy the requirement mentioned above, namely, 
that an environment E' simulating another environment E can check whether a 
restricting message received by E is answered correctly by E. To see this, recall 
that every machine in UC is required to be parameterized with a polynomial. At 
every point in the run, the runtime of every instance of a machine is bounded 
by this polynomial, where the polynomial is in n := n_I − n_O, with n_I being the 
number of bits received so far on the I/O interface from higher-level machines and 
n_O being the number of bits sent on the I/O interface to lower-level machines. 
Environment machines have to satisfy this condition as well, where n_I is the 
number of bits of the external input (which contains the security parameter η). 
Hence, as protocols will receive only a polynomial number of input bits from the 
environment, they can send messages of polynomial length in the length of the 
external input plus η only. Therefore, given some message m that was received 
by an environment and a response m' to this message, the message pair (m, m') 
has at most polynomial length in the external input plus η, and an environment 
is able to decide within its runtime bound whether m' is a correct answer to m 
if we use the above definition of efficiently decidable restrictions. 

Definition of Responsive Environments. We require that a response to a restrict- 
ing message be sent back to the instance of the machine that sent the restrict- 
ing message. This is possible because every instance in UC is assigned a glob- 
ally unique ID, which is then used to specify the sender and the recipient of a 
message. 

Definition of Responsive Adversaries. As explained above, messages from the 
adversary to the environment and vice versa may contain a prefix (typically an 
ID). For reasons explained above, we say in UC that such a prefix is ignored for 
the sake of checking whether a message is restricting and whether the answer is 
correct. To be more specific, a message m = (pre, m̃) from the adversary to the 
environment is restricting iff m̃ ∈ R[0]. Also, if m is restricting (in this sense), 
an answer m' = (pre', m̃') from the environment is allowed if (m̃, m̃') ∈ R and 
pre' = pre. Using this definition, it is easy to see that the dummy adversary 
in UC, which adds some prefix to messages from a protocol to the environment 
and strips off a prefix from messages from the environment to a protocol, is 
responsive. 

5.2 GNUC 

The changes necessary for the GNUC model are similar to those for the UC 
model. However, the runtime notion has to be modified: 

Runtime. Let us first recall the relevant parts of the runtime definition of 
GNUC.⁶ In this model, the runtime definition depends on the entity consid- 
ered. For an environment E, there has to exist a polynomial p that bounds the 
runtime of the environment in runs with every system where p gets as input 
the number of bits of all messages that have been received by the environment 
during the run, including the external input, plus the security parameter η. For 
a protocol P, there has to exist a polynomial q such that the runtime of P is 
bounded by q in runs with any environment and the dummy adversary where q 
gets as input the number of bits that are output by the environment (to both 
the adversary and the protocol). This definition has to be changed such that 
the runtime of a protocol needs to be bounded only for all environments (in the 
sense of GNUC) that in addition are responsive. 

Definition of Restrictions. Analogously to UC, we require R and R[0] to be 
decidable in polynomial time in the length of the input. This is sufficient to satisfy 
the described requirement (E' simulating E) as the runtime of environments 
in GNUC depends on the number of bits received from a protocol. Hence, an 
environment is always able to read a potentially restricting message m entirely, 
whereas the length of an answer m' is bounded by the runtime bound of the 
environment. 

Definition of Responsive Environments. Just as for UC, we require that 
responses to restricting messages be sent to the same instance of a machine. 
This is possible in GNUC because, again, all machines have globally unique IDs 
to address instances. 

Definition of Responsive Adversaries. Just as for UC, the adversary in GNUC 
might (have to) add IDs as prefixes or remove such prefixes, therefore these 
prefixes are ignored in the definition of responsive adversaries. 

⁶ Note that there are several additional requirements, such as bounds on the number 
of bits that are sent by the environment as well as so-called invited messages. These 
details, however, are not relevant here. 
5.3 IITM 

Just as for the other models, we now outline how to adjust and concretize the 
runtime notion and the definitions from Sect. 4 for the IITM model. As men- 
tioned, in the full version of this paper [6], we provide full details for the IITM 
model with responsive environments, with a brief summary of the results pre- 
sented at the end of this subsection. 

Runtime. In the IITM model, the runtime depends on the type of entity. For 
an environment E, it is required that there exists a polynomial p (in the length 
of the external input, if any, plus the security parameter) such that for every 
system running with E the runtime of E with this system is bounded by p. For 
a protocol P, it is merely required that it be environmentally bounded, i.e., 
for every environment E there is a polynomial q (again, in the length of the 
external input plus the security parameter) that bounds the overall runtime of 
runs of {E, P} (except for at most a negligible set of runs).⁷ Given a protocol 
P, for an adversary A for P it is required only that {A, P} be environmentally 
bounded. (Clearly, the dummy adversary is environmentally bounded.) To adjust 
the runtime notions for the setting with responsive environments, instead of 
quantifying over all environments in the definition of environmentally bounded 
protocols/adversaries, one should now quantify over responsive environments 
only, as motivated at the beginning of Sect. 5. 

Definition of Restrictions. We require that a restriction R is efficiently decid- 
able in the second component, i.e., there is an algorithm A which expects pairs 
(m, m') of messages as input and which runs in polynomial time in |m'| in order 
to decide whether m' is a correct answer to m according to R (see the full version 
of this paper [6] for a formal definition). This stronger definition is necessary to 
obtain the property described, namely, that an environment E' internally simu- 
lating another environment E can check that answers of E to restricting messages 
are correct. Owing to the very liberal runtime notion for protocols used in the 
IITM model, in proofs (e.g., of the composition theorem) we sometimes have to 
establish that a system is environmentally bounded. Therefore, we do not know 
a priori that the length of the message m is polynomially bounded. Hence, the 
environment might not be able to read m completely. Conversely, the length of 
m' is guaranteed to be polynomially bounded as it is output by the environ- 
ment E, which, by definition, is polynomially bounded. With R being efficiently 
decidable in the second component, E' can then efficiently decide whether m' 
is a correct answer to m. Compared with the definition of restrictions for the 
UC and GNUC models presented above, this is formally more restrictive. It is, 
however, sufficient for all practical purposes, as discussed in Sect. 6, as one has 
to consider one generic restriction only and this restriction is efficiently decidable 
in the second component. 


⁷ Here E may directly connect to P’s network interface. Equivalently one could have 
E communicate with P on the network interface via a dummy adversary. 
Definition of Responsive Environments. Unlike the UC and GNUC models, the 
IITM model does not hardwire a specific addressing mechanism for instances of 
machines and specific IDs for such instances into the model. Instead, it supports 
a flexible addressing mechanism which allows a protocol designer to specify how 
machine instances are addressed and what they consider to be their ID. More 
specifically, the IITM model allows a protocol designer to specify an algorithm 
run by machine instances that decides whether the message received is accepted 
by the instance or not. Therefore, in the IITM model, we can require only that 
responses to restricting messages be sent to the same machine, but not neces- 
sarily the same machine instance. This, however, is indeed sufficient. A protocol 
designer can specify that a (protocol) machine accepts a message iff it is pre- 
fixed by a certain ID (the one seen in the first activation of the instance), as 
typically done in the IITM model. This ID can then be considered to be the 
ID of this machine instance, and messages output by this machine would also 
be prefixed by this ID. Now, a protocol designer can use restrictions to manu- 
ally enforce that the same instance receives a response. Such a restriction would 
contain message pairs of the form ((id, m), (id, m')). By this, it is guaranteed 
that if a restricting message has been sent by a protocol machine instance with 
ID id, then the response is returned to this instance, as the response is prefixed 
with id. 

Definition of Responsive Adversaries. For the IITM model, we do not have to 
change the definition of responsive adversaries. Adversaries in the IITM model do 
not have to add prefixes to messages, and hence, do not have to modify restricting 
messages. In particular, the dummy adversary simply forwards messages between 
the environment and the protocol without changing messages. 

Detailed Results for the IITM Model. In the full version of this paper [6] we pro- 
vide full details of the IITM model with responsive environments. That is, we 
adjust the runtime notion of the IITM model accordingly, and provide full defi- 
nitions of restrictions, responsive environments and adversaries. Based on these 
definitions we define the various security notions for realization relations con- 
sidered in the literature (now with responsive environments), namely, (dummy) 
UC, black-box simulatability, strong simulatability, and reactive simulatability. 
These new and adjusted notions have been carefully developed in order to be 
general and to preserve central properties. In particular, we show that all the 
notions mentioned for realization relations are equivalent (for reactive simulata- 
bility, this requires environments with external input). We also prove that these 
relations are reflexive and transitive. We finally prove the composition theo- 
rems for responsive environments. As should be clear from the proof sketches 
in Sect. 4, the proofs are more involved than those without responsive environ- 
ments because one always has to ensure that the constructed environments and 
simulators are responsive. The full proofs are even more intricate and non-trivial 
because they take all model-specific details, such as the liberal runtime notions, 
into account. We note, however, that this is a once and for all effort. Proto- 
col designers no longer have to perform such proofs. They can simply use the 
results. That is, responsive environments do not put any burden on the protocol 
designer. On the contrary, as explained, they greatly simplify the specification 
and analysis of protocols. 

6 Applying Our Concepts to the Literature 

Our new concepts of restricting messages and responsive environments and 
adversaries allow protocol designers to avoid the non-responsiveness problem 
elegantly and completely. As mentioned, urgent requests can simply be declared 
to be restricting messages, causing the adversary/environment to reply with a 
valid response before sending any other message to the protocol. This indeed 
seems to be the most reasonable and natural solution to the non-responsiveness 
problem. We now show that our approach indeed easily solves all the problems 
mentioned in Sects. 1 and 3. 

The frequently encountered formulations of the form (1) mentioned 
in Sect. 3.1 can now actually be used without causing confusion and flawed spec- 
ifications, if the message sent to the adversary is declared to be restricting: there 
will now in fact be an immediate answer to this message. Similarly, ideal function- 
alities which are intended to be non-interactive can now be made non-interactive 
(at least if uncorrupted; but, if desired and realistic, also in the corrupted case) 
just like their realizations, which solves the problems discussed in Sect. 3.2.2 (lack 
of expressivity), and also makes it possible to use the, again, often encountered 
specifications of the form (2): if such ideal functionalities have to send urgent 
requests to the adversary, such requests can be made restricting, and hence, 
prompt replies are guaranteed, i.e., if the (responsive) adversary/environment 
contacts the protocol at all again, it first has to answer the request. Clearly, 
the other problems caused by urgent requests not being answered immediately 
discussed in Sect. 3.2, namely, unintended state changes and race conditions, 
the reentrance problem, and unnatural specifications of higher-level protocols, 
also vanish; again, because urgent requests are now answered immediately. 

Two ways of defining restrictions. We note that there are two approaches 
to defining restrictions R. 

Tailored Restrictions. One approach is to define restrictions tailored to specific 
protocols and functionalities. For example, for F_cert the restriction could be 
defined as follows: 

{ ((Verify, sid, m, σ), (Verified, sid, m, φ)) : sid, m, σ ∈ {0, 1}*, φ ∈ {0, 1} } 

Now, whenever the adversary is asked to verify some σ, the next message sent to 
the ideal functionality is guaranteed to be the expected response. This directly 
resolves the issues discussed in Sect. 3.2.1. Similarly, one could, for example, 
define restrictions for F_NIKE and F_SOK.⁸ 

⁸ Note that to show that the respective real protocols realize their ideal functionali- 
ties, according to Definition 4.6, one needs to prove that there exists a responsive 
We note that the above approach of defining a separate restriction for each 
protocol is general in the sense that it can be used independently of the under- 
lying model for universal composition, and is thus applicable, e.g., to the UC, 
GNUC, and IITM models. Furthermore, this solution allows one to fix many ideal 
functionalities and their realizations found in the literature without any modifi- 
cations to the specifications, including all examples mentioned in this document. 
However, since the composition theorems and the transitivity property assume 
one restriction, different restrictions have to be combined into a single one. This 
is always possible as shown in the full version of this paper [6]. Nevertheless, the 
following solution seems preferable. 

Generic Restriction. Alternatively to employing tailored restrictions, one can 
use the following generic restriction: 

R_g := { (m, m') | m = (Respond, m''), m'' ∈ {0, 1}* }. 

This means that messages prefixed with Respond are considered to be restrict- 
ing, and hence protocol designers can declare a message to be restricting by 
simply prefixing it by Respond. According to the definition of R_g, the adver- 
sary/environment can respond with any message to these messages, but proto- 
cols or ideal functionalities can be defined in such a way that they repeat their 
requests until they receive the expected answer: for instance, in the case of F_SOK, 
it can repeatedly send m'' = (Setup, sid) to the adversary until it receives the 
expected algorithms. In this way, the adversary is forced to eventually provide 
an expected answer (if she wants the protocol to proceed). 

Using this fixed multi-purpose restriction has the advantage that, in contrast 
to the former approach, there is no need to combine different restrictions. Also, 
in protocol specifications, the prefixing immediately makes clear which messages 
are considered to be restricting. 
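The following Python model is added here and is not code from the paper: it encodes the tailored F_cert restriction and the generic restriction R_g of this section as predicates, applies the prefix rule for UC from Sect. 5.1, and runs a responsiveness check over constructed message traces. The trace format, party names and the predicate encoding of R are assumptions of the example.

```python
"""Added example (not the paper's code): restrictions as predicates and a
responsiveness check over constructed message traces (Sects. 5.1 and 6).
Trace format, party names and the predicate encoding of R are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Msg = tuple


@dataclass(frozen=True)
class Restriction:
    restricting: Callable[[Msg], bool]     # is m in R[0]?
    allows: Callable[[Msg, Msg], bool]     # is (m, m') in R?


def f_cert_restriction() -> Restriction:
    """Tailored restriction for F_cert (Sect. 6): the pairs
    ((Verify, sid, m, sigma), (Verified, sid, m, phi)) with phi in {0, 1}."""
    def restricting(m: Msg) -> bool:
        return len(m) == 4 and m[0] == "Verify"

    def allows(m: Msg, r: Msg) -> bool:
        return (restricting(m) and len(r) == 4 and r[0] == "Verified"
                and r[1] == m[1] and r[2] == m[2] and r[3] in (0, 1))

    return Restriction(restricting, allows)


def generic_restriction() -> Restriction:
    """Generic restriction R_g (Sect. 6): (Respond, m'') is restricting and
    every answer is allowed; the functionality re-sends its request until it
    receives the answer it expects."""
    def restricting(m: Msg) -> bool:
        return len(m) == 2 and m[0] == "Respond"

    return Restriction(restricting, lambda m, r: restricting(m))


def uc_prefixed(base: Restriction) -> Restriction:
    """UC rule of Sect. 5.1: adversary/environment messages are (pre, m~).
    The prefix is ignored when consulting R, and the answer must keep the
    same prefix, so the multiplexing dummy adversary remains responsive."""
    def restricting(m: Msg) -> bool:
        return len(m) == 2 and base.restricting(m[1])

    def allows(m: Msg, r: Msg) -> bool:
        return (restricting(m) and len(r) == 2 and r[0] == m[0]
                and base.allows(m[1], r[1]))

    return Restriction(restricting, allows)


# Trace event (direction, party, message): "to_env" = party sent message to
# the environment; "to_prot" = the environment sent message to party.
Event = Tuple[str, str, Msg]


def responsiveness_violations(R: Restriction, trace: List[Event]) -> List[str]:
    """Describe every point where the environment is not responsive: after a
    restricting message, its next message to the protocol side must be a
    valid answer sent back to the party the request came from.  Halting
    without answering is allowed, so a pending request at the end is fine."""
    pending = None                      # (sender, restricting message)
    problems: List[str] = []
    for idx, (direction, party, msg) in enumerate(trace):
        if direction == "to_env":
            if R.restricting(msg):      # a newer request supersedes an older one
                pending = (party, msg)
            continue
        if pending is None:
            continue
        sender, req = pending
        if party != sender:
            problems.append(f"event {idx}: answer for {sender} went to {party}")
        elif not R.allows(req, msg):
            problems.append(f"event {idx}: {msg!r} does not answer {req!r}")
        pending = None
    return problems


# Constructed traces, not taken from the paper.
OK_TRACE: List[Event] = [
    ("to_env", "F_cert", ("Verify", "sid1", "msg", "sig")),
    ("to_prot", "F_cert", ("Verified", "sid1", "msg", 1)),
    ("to_env", "F_cert", ("Result", "sid1", 1)),
]
BAD_TRACE: List[Event] = [
    ("to_env", "F_cert", ("Verify", "sid1", "msg", "sig")),
    ("to_prot", "P_other", ("Input", "sid2", "x")),          # wrong recipient
    ("to_env", "F_cert", ("Verify", "sid1", "msg2", "sig2")),
    ("to_prot", "F_cert", ("Verified", "sid1", "msg", 0)),   # answers the wrong m
]
UC_TRACE: List[Event] = [
    ("to_env", "A", ("id7", ("Respond", ("Setup", "sid1")))),
    ("to_prot", "A", ("id7", ("Algorithms", "sig", "ver"))),  # valid
    ("to_env", "A", ("id7", ("Respond", ("Setup", "sid1")))),
    ("to_prot", "A", ("id9", ("Algorithms", "sig", "ver"))),  # prefix altered
]
```

Running `responsiveness_violations(uc_prefixed(generic_restriction()), UC_TRACE)` reports only the altered-prefix answer, which is exactly what the UC rule pre' = pre is meant to catch.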

The reasons we did not hardwire the generic restriction into our frame- 
work are twofold. First, this is not required to prove our results, and leaving it 
open only makes our framework more general; the flexibility might become useful 
in some situations. Second, as protocols and ideal functionalities have to send 
several requests until they get the expected answer, depending on the runtime 
notions used, they might run out of resources. In the IITM model, however, this 
is not an issue, and hence the generic restriction can be used. 

7 Conclusion 

In this paper, we highlighted the non-responsiveness problem, the fact that it 
has often been ignored in the literature, and its many negative consequences. 


simulator. However, it is easy to verify that the simulators constructed in [14,17,31] 
for the functionalities mentioned are already responsive, and thus these realizations 
can also be used unaltered in a responsive setting. 
We have proposed a framework that completely avoids this problem. It 
enables protocol designers to declare urgent requests to be restricting mes- 
sages, causing such requests to be answered immediately by (responsive) environ- 
ments/adversaries. This, in particular, allows protocols and ideal functionalities 
to be defined in the expected and natural way. It also avoids unnecessarily com- 
plex and artificial specifications, unintended state changes and race conditions 
while waiting for responses to urgent requests, the reentrance problem, the lack 
of expressivity when modeling non-interactive tasks, and the propagation of such 
problems to higher-level protocols and proofs. We discussed how our concepts 
can be adopted by existing models for universal composition, as exemplified in 
this work for the UC, GNUC, and IITM models. In the full version of this paper 
[6], we also provide full details for the IITM model, showing that our concepts 
can seamlessly be integrated into the existing model without losing any of the 
properties of the setting without responsive environments: all security notions 
for the realization relations are formulated, shown to (still) be equivalent, and 
enjoy reflexivity and transitivity; the composition theorems also carry over to 
the setting with responsive environments. 


References 

1. Abe, M., Ohkubo, M.: A framework for universally composable non-committing 
blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 
435-450. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_26 

2. Backes, M., Dürmuth, M., Hofheinz, D., Küsters, R.: Conditional reactive simu- 
latability. Int. J. Inf. Secur. (IJIS) 7(2), 155-169 (2008) 

3. Backes, M., Pfitzmann, B., Waidner, M.: The reactive simulatability (RSIM) frame- 
work for asynchronous systems. Inf. Comput. 205(12), 1685-1720 (2007) 

4. Backes, M., Hofheinz, D.: How to break and repair a universally composable sig- 
nature functionality. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, 
pp. 61-72. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30144-8_6 

5. Camenisch, J., Dubovitskaya, M., Haralambiev, K., Kohlweiss, M.: Composable & 
modular anonymous credentials: definitions and practical constructions. In: ASI- 
ACRYPT 2015 (2015) 

6. Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal 
composition with responsive environments. Technical report, Cryptology ePrint 
Archive, Report 2016/034 (2016). http://eprint.iacr.org/2016/034 

7. Canetti, R.: Universally composable signature, certification, and authentication. 
In: CSFW 2004, pp. 219-233. IEEE (2004) 

8. Canetti, R.: Universally composable security: a new paradigm for cryptographic 
protocols. In: 42nd FOCS, pp. 136-145. IEEE Computer Society Press, October 
2001. For full and previous versions https://eprint.iacr.org/2000/067.pdf 

9. Canetti, R., Cheung, L., Kaynar, D., Liskov, M., Lynch, N., Pereira, O., Segala, 
R.: Time-bounded task-PIOAs: a framework for analyzing security protocols. In: 
Dolev, S. (ed.) DISC 2006. LNCS, vol. 4167, pp. 238-253. Springer, Heidelberg 
(2006). doi:10.1007/11864219_17 



10. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security 
with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61- 
85. Springer, Heidelberg (2007). doi:10.1007/978-3-540-70936-7_4 

11. Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key 
encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150-168. Springer, 
Heidelberg (2005). doi:10.1007/978-3-540-30576-7_9 

12. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. 
In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565-582. Springer, 
Heidelberg (2003). doi:10.1007/978-3-540-45146-4_33 

13. Canetti, R., Shahaf, D., Vald, M.: Universally composable authentication and key- 
exchange with global PKI. Cryptology ePrint Archive, Report 2014/432 (2014) 

14. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) 
CRYPTO 2006. LNCS, vol. 4117, pp. 78-96. Springer, Heidelberg (2006). doi:10. 
1007/11818175_5 

15. Damgård, I., Hofheinz, D., Kiltz, E., Thorbek, R.: Public-key encryption with 
non-interactive opening. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 
239-255. Springer, Heidelberg (2008). doi:10.1007/978-3-540-79263-5_15 

16. Dowsley, R., Müller-Quade, J., Otsuka, A., Hanaoka, G., Imai, H., Nascimento, 
A.C.A.: Universally composable and statistically secure verifiable secret sharing 
scheme based on pre-distributed data. IEICE Trans. 94-A(2), 725-734 (2011) 

17. Freire, E.S.V., Hesse, J., Hofheinz, D.: Universally composable non-interactive key 
exchange. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 1-20. 
Springer, Heidelberg (2014). doi:10.1007/978-3-319-10879-7_1 

18. Hazay, C., Venkitasubramaniam, M.: On black-box complexity of universally com- 
posable security in the CRS model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 
2015. LNCS, vol. 9453, pp. 183-209. Springer, Heidelberg (2015). doi:10.1007/ 
978-3-662-48800-3_8 

19. Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. Cryp- 
tology ePrint Archive, Report 2011/303 (2011) 

20. Hofheinz, D., Unruh, D., Müller-Quade, J.: Polynomial runtime and composability. 
J. Cryptology 26(3), 375-441 (2013) 

21. Kurosawa, K., Furukawa, J.: Universally composable undeniable signature. In: 
Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., 
Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 524-535. Springer, 
Heidelberg (2008). doi:10.1007/978-3-540-70583-3_43 

22. Küsters, R.: Simulation-based security with inexhaustible interactive Turing 
machines. In: CSFW 2006, pp. 309-320. IEEE (2006) 

23. Küsters, R., Tuengerthal, M.: Joint state theorems for public-key encryption and 
digital signature functionalities with local computation. In: Proceedings of the 21st 
IEEE Computer Security Foundations Symposium (CSF 2008), pp. 270-284. IEEE 
Computer Society (2008) 

24. Küsters, R., Tuengerthal, M.: The IITM model: a simple and expressive model for 
universal composability. Cryptology ePrint Archive, Report 2013/025 (2013) 

25. Laud, P., Ngo, L.: Threshold homomorphic encryption in the universally compos- 
able cryptographic library. Cryptology ePrint Archive, Report 2008/367 (2008) 

26. Matsuo, T., Matsuo, S.: On universal composable security of time-stamping pro- 
tocols. In: IWAP 2005, pp. 169-181 (2005) 



27. Maurer, U.: Constructive cryptography - a new paradigm for security definitions 
and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 
6993, pp. 33-56. Springer, Heidelberg (2012). doi:10.1007/978-3-642-27375-9_3 

28. Maurer, U., Renner, R.: Abstract cryptography. In: ICS 2011, pp. 1-21. Tsinghua 
University Press (2011) 

29. Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reac- 
tive systems. In: ACM CCS 2000, pp. 245-254. ACM Press (2000) 

30. Tian, Y., Peng, C.: Universally composable secure group communication. Cryptol- 
ogy ePrint Archive, Report 2014/647 (2014). http://eprint.iacr.org/ 

31. Zhao, S., Zhang, Q., Qin, Y., Feng, D.: Universally composable secure TNC protocol 
based on IF-T binding to TLS. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) 
NSS 2014. LNCS, vol. 8792, pp. 110-123. Springer, Heidelberg (2014). doi:10.1007/ 
978-3-319-11698-3_9 


A Shuffle Argument Secure in the Generic Model 


Prastudy Fauzi, Helger Lipmaa, and Michał Zając 

University of Tartu, Tartu, Estonia 

prastudy.fauzi@gmail.com 


Abstract. We propose a new random oracle-less NIZK shuffle argu- 
ment. It has a simple structure, where the first verification equation 
ascertains that the prover has committed to a permutation matrix, the 
second verification equation ascertains that the same permutation was 
used to permute the ciphertexts, and the third verification equation 
ascertains that input ciphertexts were “correctly” formed. The new argu- 
ment has 3.5 times more efficient verification than the up-to-now most 
efficient shuffle argument by Fauzi and Lipmaa (CT-RSA 2016). Com- 
pared to the Fauzi-Lipmaa shuffle argument, we (i) remove the use of 
knowledge assumptions and prove our scheme is sound in the generic 
bilinear group model, and (ii) prove standard soundness, instead of cul- 
pable soundness. 


Keywords: Common reference string • Bilinear pairings • Generic bilin- 
ear group model • Mix-net • Shuffle argument • Zero knowledge 


1 Introduction 

A typical application of mix-nets is in e-voting, where each voter (assume that 
there are n of them) encrypts his ballot by using an additively homomorphic 
public-key cryptosystem, and sends it to the bulletin board. After the vote cast- 
ing period has ended, the bulletin board (considered to be the 0th, non-mixing, 
mix-server) forwards all encrypted ballots to the first mix-server. A small num- 
ber (say, M) of mix-servers are ordered sequentially. The kth mix-server obtains 
a tuple d of input ciphertexts from the (k − 1)th mix-server, shuffles them, and 
sends a tuple d' of output ciphertexts to the (k + 1)th mix-server. Shuffling 
means that the kth mix-server generates a random permutation σ ←_r S_n and 
a vector s of randomizers, and sets d' = d_σ · enc_pk(0; s). The last mix-server 
(the (M + 1)th one, usually implemented by using multi-party computation) is 
again a non-mixing server, who instead decrypts the results. 

A mix-net clearly preserves the anonymity of voters, if at least one of the 
participating mix-servers is honest. To achieve security against an active attack 
(where some of the shuffles were not done correctly) is more difficult. In a nut- 
shell, each server should prove in zero knowledge [24] that her shuffle was done 
correctly, i.e., prove that there exists a permutation σ and a vector s, such that 
d'_i = d_{σ(i)} · enc_pk(0; s_i) for each i. The resulting zero-knowledge proof is usually 
called a (zero-knowledge) shuffle argument. 
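As an added illustration that is not code from the paper, the following Python script performs one mix-server's shuffle step d'_i = d_{σ(i)} · enc_pk(0; s_i) with exponential ElGamal over a constructed toy group, chains several servers, and checks the shuffle relation when σ and s are revealed, which is the statement a shuffle argument proves without revealing them. The toy parameters P, Q, G and the 0/1 ballot encoding are assumptions of the example.

```python
"""Added example (not the paper's code): one mix-server's shuffle step with
exponential ElGamal over a constructed toy group, plus the relation check a
verifier could do if sigma and s were revealed.  P, Q, G and the 0/1 ballot
encoding are assumptions; the group is far too small for real use."""
import random
from typing import List, Tuple

P = 1019          # toy safe prime, P = 2*Q + 1
Q = 509           # prime order of the subgroup we work in
G = 4             # a quadratic residue, hence a generator of the order-Q subgroup

Cipher = Tuple[int, int]


def keygen(rng: random.Random) -> Tuple[int, int]:
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def enc(pk: int, m: int, r: int) -> Cipher:
    """Exponential ElGamal enc_pk(m; r) = (g^r, g^m * pk^r): additively
    homomorphic, so multiplying by enc(0; s) re-randomizes without changing m."""
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def mul(c: Cipher, d: Cipher) -> Cipher:
    return c[0] * d[0] % P, c[1] * d[1] % P


def dec(sk: int, c: Cipher, max_m: int = 64) -> int:
    gm = c[1] * pow(c[0], Q - sk, P) % P     # c0^(Q-sk) = c0^(-sk) since ord(c0) | Q
    for m in range(max_m + 1):               # small plaintexts: brute-force the log
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext out of range")


def shuffle(pk: int, d: List[Cipher], rng: random.Random):
    """The k-th mix-server: pick sigma <- S_n and randomizers s, output
    d'_i = d_sigma(i) * enc_pk(0; s_i)."""
    n = len(d)
    sigma = list(range(n))
    rng.shuffle(sigma)
    s = [rng.randrange(1, Q) for _ in range(n)]
    d_prime = [mul(d[sigma[i]], enc(pk, 0, s[i])) for i in range(n)]
    return d_prime, sigma, s


def check_shuffle(pk, d, d_prime, sigma, s) -> bool:
    """The relation a shuffle argument proves in zero knowledge; here the
    witness (sigma, s) is simply handed to the verifier."""
    n = len(d)
    return (len(d_prime) == n and sorted(sigma) == list(range(n))
            and all(d_prime[i] == mul(d[sigma[i]], enc(pk, 0, s[i]))
                    for i in range(n)))


def run_mixnet(ballots: List[int], num_servers: int, seed: int) -> List[int]:
    """Voters encrypt, M mix-servers shuffle in sequence, each shuffle is
    verified before the next server builds on it, the last server decrypts."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    d = [enc(pk, b, rng.randrange(1, Q)) for b in ballots]
    for _ in range(num_servers):
        d_prime, sigma, s = shuffle(pk, d, rng)
        if not check_shuffle(pk, d, d_prime, sigma, s):
            raise RuntimeError("incorrect shuffle, its output must be ignored")
        d = d_prime
    return sorted(dec(sk, c) for c in d)   # the multiset of ballots is preserved


def tampered_shuffle_detected(seed: int = 3) -> bool:
    """A cheating server swaps one output for an encryption of 2 (not a
    valid 0/1 ballot); the relation check must reject the shuffle."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    d = [enc(pk, b, rng.randrange(1, Q)) for b in (1, 0, 1)]
    d_prime, sigma, s = shuffle(pk, d, rng)
    d_prime[0] = enc(pk, 2, rng.randrange(1, Q))
    return not check_shuffle(pk, d, d_prime, sigma, s)
```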

© International Association for Cryptologic Research 2016 
Moreover, to obtain active security of the whole mix-net, it is important that 
the outputs of incorrect shuffles are ignored. This means that each mix-server 
(including the (M + 1)th one) has to verify the correctness of each previous 
mix-server, and only apply her own shuffle to the output of the (multi-) shuffle 
where each previous server has been correct. Intuitively, this means that the 
verification time is the real bottleneck of mix-nets. 

A substantial amount of work has been done on interactive zero-knowledge 
shuffle arguments. Random oracle model shuffle arguments are already quite 
efficient, see, e.g., [25]. However, an ever-growing amount of research [6, 12,23,36] 
has provided evidence that the random oracle model yields properties that are 
impossible to achieve in the standard model. (See [14] for recent progress on 
NIZK arguments in the random oracle model.) 

Much less is known about shuffle arguments in the common reference string 
(CRS, [7]) model, without using random oracles. Based on earlier work [28,33], 
Fauzi and Lipmaa recently proposed a shuffle argument in the CRS model [19]. 
Assuming that basic group operations are as efficient in both cases, and that a 
pairing is about 8 times slower than a group exponentiation (both assumptions 
should be taken with a caveat), the Fauzi-Lipmaa shuffle is about two times less 
efficient for the prover than the most efficient known shuffle argument in the 
random oracle model [25], while its verification is about 25 times less efficient. 

The security of the Fauzi-Lipmaa shuffle argument is proven under a knowl- 
edge assumption [15] (PKE, [26]) and three computational assumptions (PCDH, 
TSDH, PSP). Knowledge assumptions are non-falsifiable [35], and their valid- 
ity has to be very carefully checked in each application [5]. Moreover, the PSP 
assumption of Fauzi and Lipmaa [19] is novel (albeit closely related to SP, an 
earlier assumption of Groth and Lu [28]), and its security is proven in the generic 
bilinear group model [8,34,38]. 

The Fauzi-Lipmaa shuffle differs from the shuffle of Lipmaa and Zhang [33] 
in its security model. Briefly, in the security proof of the Lipmaa-Zhang shuf- 
fle argument it is assumed that the adversary obtains — by using knowledge 
assumptions — not only the secrets of the possibly malicious mix-server, but 
also the plaintexts and randomizers computed by all voters. This model was 
called white-box soundness by Fauzi and Lipmaa [19], where it was also criti- 
cized. Moreover, in the Lipmaa-Zhang shuffle argument [32], the plaintexts have 
to be small for the soundness proof to go through; for this, all voters should use 
efficient CRS-model range proofs [13,20,31]. 

On the other hand, the Fauzi-Lipmaa shuffle is proven culpably sound [28] 
though also under knowledge assumptions. Intuitively, culpable soundness means 
that if a cheating adversary produces an invalid (yet acceptable) shuffle together 
with the secret key, then one can break one of the underlying knowledge or 
computational assumptions. 


Our Contribution. In all three results mentioned above [19,28,33], the authors 
based the soundness of their shuffle argument on some novel hardness assump- 
tions, and then proved that the assumptions are secure in the generic bilinear 
group model (GBGM). It seems to be an obvious question whether one can 
obtain some efficiency benefit by bypassing the intermediate assumption and 
proving the soundness of the shuffle argument directly in the GBGM. We show 
this is indeed the case. We improve on the efficiency of the previous CRS-based 
shuffle arguments by proving the security of our protocol in the GBGM and 
without using knowledge assumptions. Due to the use of GBGM, we must first 
define a sensible security model. 

First, recall that in the GBGM, the adversary inputs some group elements 
$\mathfrak{g}_z^{\chi_i}$, where $\mathfrak{g}_z$ is a group generator and $\chi_i$ are various (not necessarily 
independent) random values. One assumes that each group element $\mathfrak{H}_j$ output 
by the adversary is of the form $\mathfrak{H}_j = \mathfrak{g}_z^{F_j(\chi)}$, where $F_j(X)$ are known linear 
polynomials and $\mathfrak{g}_z$ is a generator of the group $\mathbb{G}_z$, $z \in \{1, 2\}$. (Within this 
paper, $\chi$ is a concrete instantiation of the indeterminate $X$.) We call such values 
admissible. (In addition, elements output from the target group can also use the 
bilinear map, but in the current paper, we do not use this fact.) 

One philosophical question when using the GBGM is what exactly is the 
input of the adversary. In our intended usage cases, the shuffle argument is a 
part of a mix-net. Clearly, the mix-net should remain secure against coalitions 
between parties (in the case of e-voting, either voters, or some of the mix-servers 
themselves) that create the input ciphertexts, and parties who perform the shuf- 
fling. It is a common practice to model such coalitions as a single adversary. 
In the GBGM, it is natural to model this single adversary, who may corrupt 
everybody who has produced any part of the input to the verifier, as a generic 
adversary. This means that an adversary who has generated a (say, ILin [18]) 
ciphertext $\mathfrak{v}_i = (\mathfrak{v}_{i1}, \mathfrak{v}_{i2}, \mathfrak{v}_{i3})$ knows polynomials $V_{ij}(X)$ such that 
$\log \mathfrak{v}_{ij} = V_{ij}(\chi)$. This is somewhat similar to the approach taken in [33], who 
used knowledge assumptions to then obtain the random variables (more precisely, 
plaintexts and randomizers) hidden in $\mathfrak{v}_i$. 

We will assume that the mix-net is structured as follows. First, the encrypters 
(e.g., voters) prove that their ciphertexts (e.g., encrypted ballots) are admissible. 
More precisely, by using a validity argument, a voter proves that each component 
(e.g., an ILin [18] ciphertext consists of three group elements) of her ciphertext 
is equal to $\mathfrak{g}_z^{F(\chi)}$, where the polynomial $F(X)$ has a specific form. The validity 
argument guarantees that the input ciphertexts to the first mix-server have been 
computed only from certain, "allowed", elements of the CRS. 

Each mix-server first verifies the validity of the original (unshuffled) ciphertexts 
and the soundness of each previous shuffle argument. After that the mix-server 
produces her shuffle $(\mathfrak{v}'_i)_{i=1}^n$ together with her shuffle argument $\pi_{sh}$. This means 
that we consider shuffling a part of the shuffle argument. 

Our generic approach in the shuffle argument is as follows. We first let the 
prover (a mix-server) choose a permutation matrix and then commit separately 
to its every row. The prover then proves that the committed matrix is a permuta- 
tion matrix, by proving that each row is 1-sparse (i.e., it has at most one non-zero 
element) as in [33], while computing the last row explicitly, see Sect. 5. The 1- 
sparsity argument is based loosely on Square Span Programs [16]. Basically, to 
show that a vector $\boldsymbol{a}$ is 1-sparse, we construct $n + 1$ polynomials $(P_i(X))_{i=0}^n$ 
that interpolate a certain matrix (and a certain vector) connected to the defini- 
tion of 1-sparsity, and then commit to $\boldsymbol{a}$ by using a "polynomial" version of the 
extended Pedersen commitment scheme, $\mathfrak{c} \leftarrow \mathfrak{g}_z^{\sum_{i=1}^n a_i P_i(\chi) + r\varrho}$, for random secrets 
$\chi$ and $\varrho$. 

To obtain the full shuffle argument, we use the same underlying idea 
as [19,28,33]. Namely, we construct a specific consistency verification equation 
that ensures that $(\mathfrak{v}_i)_{i=1}^n$ is permuted to $(\mathfrak{v}'_i)_{i=1}^n$ by using the same permutation 
matrix that was used to permute $(\mathfrak{g}_2^{P_i(\chi)})_{i=1}^n$ to $(\mathfrak{A}_{i2})_{i=1}^n$. This is done by using 
a pairing equation of type $\prod_i e(\mathfrak{v}'_i, \mathfrak{g}_2^{P_i(\chi)}) / \prod_i e(\mathfrak{v}_i, \mathfrak{A}_{i2}) = \mathfrak{R}$, where $\mathfrak{R}$ is a value 
that takes care of the rerandomization (i.e., it depends on the values $s$ used to 
rerandomize $\mathfrak{v}$, but not on $\sigma$). 

Both [19,28] had an additional problem here, namely it can be the case that a 
maliciously created $\mathfrak{v}'_i$ depends on $P_j(X)$ (in [28], one has $P_j(X_1, \ldots, X_n) = X_j$, 
where $X_j$ are independent random variables), so $\log_{\mathfrak{g}_T} e(\mathfrak{v}'_i, \mathfrak{g}_2^{P_i(\chi)})$ can depend 
on $P_j(X)P_i(X)$ for arbitrary $i$ and $j$. In this case, this equation is not sufficient 
for soundness, since $\{P_i(X)P_j(X)\}_{i,j \in [1..n]}$ is not linearly independent (e.g., an 
adversary can cancel out $P_j(X)P_i(X)$ easily with $-P_i(X)P_j(X)$). Therefore, 
they had to go through additional complicated steps, which reduced the effi- 
ciency of their arguments, to achieve (culpable) soundness even in this case. 

In our case, such complications are not needed, due to the validity argument. 
Since the validity argument guarantees that $\mathfrak{v}_i$ and $\mathfrak{v}'_i$ do not depend on $P_j(X)$, 
it means that the values $\log_{\mathfrak{g}_T} e(\mathfrak{v}'_i, \mathfrak{g}_2^{P_i(\chi)})$ and $\log_{\mathfrak{g}_T} e(\mathfrak{v}_i, \mathfrak{A}_{i2})$ do not depend on 
$P_i(X)P_j(X)$, which removes the problem evident in both [19,28]. On the other 
hand, [19,28] solved this problem by proving culpable soundness only, while we 
prove that the new argument satisfies the standard soundness property. 

We emphasize that the full GBGM soundness proof of the new shuffle argu- 
ment is quite intricate. In particular, the verification of the permutation matrix 
argument results in a system of more than 20 polynomial equations. Like some 
other recent papers [1,3], we use computer-based tools to solve the latter 
system. More precisely, we use a computer algebra system to find its Gröbner 
basis [11], and then continue to find solutions from there on. It is interesting that 
a simple shuffle argument has such a complicated security proof. On the other 
hand, both researchers and practitioners can write their own computer algebra 
code to verify the security proof; this is not possible in many other arguments. 

We further optimize the verification by the use of batching techniques [4], 
thus replacing many pairings with less costly exponentiations. Batching has not 
been used before in the context of pairing-based shuffle arguments. 

Table 1 compares our work and known NIZK shuffle arguments in the CRS 
model. However, differently from the other papers, [28] uses symmetric pairings, and 
thus its computational and communication complexity is not directly compara- 
ble. The prover's computational complexity and the communication include 
the computation and sending of the ciphertexts themselves. (This is fair, since 
different shuffle arguments use different public-key cryptosystems that incur dif- 
ferent overhead to these complexity measures.) In the typeset table, the cell in 
each row with the best efficiency, or the best security property, is highlighted. A more 
precise efficiency comparison is given in Sect. 9. 

Table 1. A comparison of different NIZK shuffle arguments. We always consider shuf- 
fling to be a part of the communication and prover's computation. Units (the main 
parameter, a weighted sum of other parameters) are defined in Sect. 9. 

|                                  | Groth-Lu  | Lipmaa-Zhang        | Fauzi-Lipmaa        | Current Work         |
|----------------------------------|-----------|---------------------|---------------------|----------------------|
| Type of pairings                 | Symmetric | Asymmetric          | Asymmetric          | Asymmetric           |
| CRS size in (G1, G2, GT)         | 2n + 8    | (2n + 2, 5n + 4, 0) | (6n + 8, 2n + 8, 1) | (2n + 6, n + 7, 1)   |
| Communication                    | 18n + 120 | (8n + 6, 4n + 5, 0) | (7n + 2, 2n, 0)     | (4n + 1, 3n + 2, 0)  |
| Prover: exp. in (G1, G2)         | 54n + 246 | (16n + 6, 12n + 5)  | (14n + 3, 4n)       | (9n + 2, 9n + 3)     |
| Prover: units                    | -         | 36                  | 19.8                | 24.3                 |
| Verifier: exp. in (G1, G2, GT)   | -         | -                   | -                   | (11n + 5, 3n + 6, 1) |
| Verifier: pairings               | 75n + 282 | 28n + 18            | 18n + 6             | 3n + 6               |
| Verifier: units                  | -         | 196                 | 126                 | 36.3                 |
| Knowledge assumptions            | No        | Yes                 | Yes                 | No                   |
| Relying on GBGM                  | PP, SP    | Knowledge           | Knowl., PSP         | Complete             |
| Random oracle                    | No        | No                  | No                  | No                   |
| Soundness                        | Culpable  | Full                | Culpable            | Full                 |

Finally, each of the CRS-model shuffle arguments relies substantially on the 
GBGM. The Groth-Lu and Fauzi-Lipmaa shuffles rely on the GBGM to prove 
security of complicated computational assumptions. The Lipmaa- Zhang shuffle 
relies on the GBGM to prove security of non-falsifiable knowledge assumptions. 
The current paper gives the full shuffle soundness proof in the GBGM. See 
Sect. 10 for a more thorough discussion of the GBGM security proof versus using 
knowledge assumptions. 

2 Preliminaries 

Let $S_n$ be the symmetric group on $n$ elements. For a (Laurent) polynomial or a 
rational function $f$ and its monomial $\mu$, denote by $\mathrm{coeff}_\mu(f)$ the coefficient of $\mu$ 
in $f$. We write $f(\kappa) \approx_\kappa g(\kappa)$ if $f(\kappa) - g(\kappa)$ is negligible as a function of $\kappa$. 


Bilinear Maps. Let $\kappa$ be the security parameter. Let $q$ be a prime 
of length $O(\kappa)$ bits. Assume we use a secure bilinear group generator 
$\mathsf{genbp}(1^\kappa)$ that returns $\mathsf{gk} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e)$, where $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$ 
are three multiplicative groups of order $q$, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$. 
Within this paper, we denote the elements of $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$ as in 
$\mathfrak{g}_1, \mathfrak{g}_2, \mathfrak{g}_T$ (i.e., by using the Fraktur typeface). It is required that $e$ is bilinear (i.e., 
$e(\mathfrak{g}_1^a, \mathfrak{g}_2^b) = e(\mathfrak{g}_1, \mathfrak{g}_2)^{ab}$), efficiently computable, and non-degenerate. We define 
$e((\mathfrak{A}_1, \mathfrak{A}_2, \mathfrak{A}_3), \mathfrak{B}) = (e(\mathfrak{A}_1, \mathfrak{B}), e(\mathfrak{A}_2, \mathfrak{B}), e(\mathfrak{A}_3, \mathfrak{B}))$ and $e(\mathfrak{B}, (\mathfrak{A}_1, \mathfrak{A}_2, \mathfrak{A}_3)) = 
(e(\mathfrak{B}, \mathfrak{A}_1), e(\mathfrak{B}, \mathfrak{A}_2), e(\mathfrak{B}, \mathfrak{A}_3))$. Assume that $\mathfrak{g}_i$ is a generator of $\mathbb{G}_i$ for $i \in \{1, 2\}$, 
and set $\mathfrak{g}_T \leftarrow e(\mathfrak{g}_1, \mathfrak{g}_2)$. 

For $\kappa = 128$, the recommendation at the time of writing is to use an optimal (asymmetric) 
Ate pairing over a subclass of Barreto-Naehrig curves. In that case, at security 
level of $\kappa = 128$, an element of $\mathbb{G}_1$/$\mathbb{G}_2$/$\mathbb{G}_T$ can be represented in respectively 
256/512/3072 bits. (A practitioner should note that this sizing predates the 2016 
Kim-Barbulescu improvements to the number field sieve in extension fields, after 
which Barreto-Naehrig curves over a 256-bit prime are no longer credited with 128-bit 
security; implementations today use larger parameters, which changes the concrete 
element sizes but not the operation counts compared in Table 1.) 


Zero Knowledge. A NIZK argument for a group-dependent language $\mathcal{L}$ con- 
sists of four algorithms, setup, gencrs, pro and ver. The setup algorithm setup 
takes as input $1^\kappa$ and $n$ (the input length), and outputs the group description 
gk. The CRS generation algorithm gencrs takes as input gk and outputs the 
prover's CRS $\mathsf{crs}_p$, the verifier's CRS $\mathsf{crs}_v$, and a trapdoor td. The distinction 
between $\mathsf{crs}_p$ and $\mathsf{crs}_v$ is only important for efficiency. The prover pro takes as 
input gk and $\mathsf{crs}_p$, a statement $u$, and a witness $w$, and outputs an argument $\pi$. 
The verifier ver takes as input gk and $\mathsf{crs}_v$, a statement $u$, and an argument $\pi$, 
and either accepts or rejects. 

Some of the properties of an argument are: (i) perfect completeness (an hon- 
est verifier always accepts an honest prover's argument), (ii) perfect zero knowledge 
(there exists an efficient simulator that can, given $u$, $(\mathsf{crs}_p, \mathsf{crs}_v)$ and td, output an 
argument that comes from the same distribution as the argument produced by 
the prover), (iii) adaptive computational soundness (if $u \notin \mathcal{L}$, then an arbitrary 
non-uniform probabilistic polynomial time prover has negligible probability of 
success in creating a satisfying argument), and (iv) adaptive computational culpa- 
ble soundness [28,29] (if $u \notin \mathcal{L}$, then an arbitrary NUPPT prover has negligible 
success in creating a satisfying argument together with a witness that $u \notin \mathcal{L}$). An 
argument is an argument of knowledge if from an accepting argument it follows 
that the prover knows the witness. See Appendix A for formal definitions. 


Generic Bilinear Group Model. We will prove the soundness of the new 
shuffle argument in the generic bilinear group model (GBGM, [8,34,38]). Our 
description of the GBGM is based on [34]. 

We start by picking a random asymmetric bilinear group $\mathsf{gk} := 
(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e) \leftarrow \mathsf{genbp}(1^\kappa)$. Consider a black box $\mathsf{B}$ that can store val- 
ues from groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ in internal state variables $\mathsf{cell}_1, \mathsf{cell}_2, \ldots$, where 
for simplicity we allow the storage space to be infinite (this only increases 
the power of a generic adversary). The initial state consists of some values 
$(\mathsf{cell}_1, \mathsf{cell}_2, \ldots, \mathsf{cell}_{|\mathsf{inp}|})$, which are set according to some probability distribu- 
tion. Each state variable $\mathsf{cell}_i$ has an accompanying type $\mathsf{type}_i \in \{1, 2, T, \bot\}$. 
We assume initially $\mathsf{type}_i = \bot$ for $i > |\mathsf{inp}|$. The black box allows computation 
operations on internal state variables and queries about the internal state. No 
other interaction with $\mathsf{B}$ is possible. 

Let $\Pi$ be the allowed set of computation operations. A computation oper- 
ation consists of selecting a (say, $t$-ary) operation $f \in \Pi$ together with $t + 1$ 
indices $i_1, i_2, \ldots, i_{t+1}$. Assuming inputs have the correct type, $\mathsf{B}$ computes 
$f(\mathsf{cell}_{i_1}, \ldots, \mathsf{cell}_{i_t})$ and stores the result in $\mathsf{cell}_{i_{t+1}}$. For a set $\Sigma$ of relations, a 
query consists of selecting a (say, $t$-ary) relation $\varrho \in \Sigma$ together with $t$ indices 
$i_1, i_2, \ldots, i_t$. Assuming inputs have the correct type, $\mathsf{B}$ replies to the query with 
$\varrho(\mathsf{cell}_{i_1}, \ldots, \mathsf{cell}_{i_t})$. 

In the GBGM, we define $\Pi = \{\cdot, e\}$ and $\Sigma = \{=\}$, where 

1. On input $(\cdot, i_1, i_2, i_3)$: if $\mathsf{type}_{i_1} = \mathsf{type}_{i_2} \neq \bot$ then set $\mathsf{cell}_{i_3} \leftarrow \mathsf{cell}_{i_1} \cdot \mathsf{cell}_{i_2}$ and 
$\mathsf{type}_{i_3} \leftarrow \mathsf{type}_{i_1}$. 

2. On input $(e, i_1, i_2, i_3)$: if $\mathsf{type}_{i_1} = 1$ and $\mathsf{type}_{i_2} = 2$ then set $\mathsf{cell}_{i_3} \leftarrow 
e(\mathsf{cell}_{i_1}, \mathsf{cell}_{i_2})$ and $\mathsf{type}_{i_3} \leftarrow T$. 

3. On input $(=, i_1, i_2)$: if $\mathsf{type}_{i_1} = \mathsf{type}_{i_2} \neq \bot$ and $\mathsf{cell}_{i_1} = \mathsf{cell}_{i_2}$ then return 1. 
Otherwise return 0. 

Since we are proving lower bounds, we will give a generic adversary $\mathcal{A}$ additional 
power. We assume that all relation queries are for free. We also assume that $\mathcal{A}$ 
is successful if after $\tau$ operation queries, he makes an equality query $(=, i_1, i_2)$, 
$i_1 \neq i_2$, that returns 1; at this point $\mathcal{A}$ quits. Thus, if $\mathsf{type}_i \neq \bot$, then $\mathsf{cell}_i = 
F_i(\mathsf{cell}_1, \ldots, \mathsf{cell}_{|\mathsf{inp}|})$ for a polynomial $F_i$ known to $\mathcal{A}$. 
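The following Python simulation of the black box $\mathsf{B}$ is an added illustration and not part of the paper. It keeps, for every cell, the exponent as a multivariate polynomial over $\mathbb{Z}_q$ in the indeterminates $(X, X_\alpha, X_\varrho, X_\beta, X_\gamma)$ used later in Sect. 4, so that the "polynomial $F_i$ known to $\mathcal{A}$" is literally stored next to the cell, while equality queries are answered on a concrete random point $\chi$ that the adversary never sees. The toy modulus, the choice $P_0(X) = X + 1$ in the demo and the three CRS elements fed to the box are assumptions made for the illustration.

```python
import random

Q = 1019  # toy prime group order (assumption; the protocol uses a ~256-bit q)
VARS = ("X", "X_alpha", "X_rho", "X_beta", "X_gamma")
NV = len(VARS)

# A polynomial over Z_q is a dict {monomial exponent tuple: coefficient};
# the zero polynomial is the empty dict, so dict equality is polynomial equality.

def padd(f, g):
    """f + g: a group multiplication adds the exponent polynomials."""
    h = dict(f)
    for mon, c in g.items():
        h[mon] = (h.get(mon, 0) + c) % Q
        if h[mon] == 0:
            del h[mon]
    return h

def pmul(f, g):
    """f * g: a pairing multiplies the exponent polynomials."""
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            mon = tuple(a + b for a, b in zip(m1, m2))
            h[mon] = (h.get(mon, 0) + c1 * c2) % Q
    return {m: c for m, c in h.items() if c}

def const(c):
    return {(0,) * NV: c % Q} if c % Q else {}

def var(name):
    mon = [0] * NV
    mon[VARS.index(name)] = 1
    return {tuple(mon): 1}

def peval(f, point):
    """Evaluate f at the concrete secret point chi (a list of NV values)."""
    total = 0
    for mon, c in f.items():
        term = c
        for v, e in zip(point, mon):
            term = term * pow(v, e, Q) % Q
        total = (total + term) % Q
    return total

class GenericBilinearGroup:
    """The black box B: cell_i = (type_i, F_i) with type_i in {1, 2, "T"}."""

    def __init__(self, inputs, secret_point):
        self.cells = list(inputs)   # the |inp| initial cells, e.g. the CRS
        self.point = secret_point   # concrete chi; the adversary never sees it
        self.ops = 0                # computation queries (relation queries are free)

    def _store(self, typ, poly):
        self.cells.append((typ, poly))
        return len(self.cells) - 1

    def mul(self, i1, i2):
        """Operation ".": same type on both inputs, result has that type."""
        (t1, f1), (t2, f2) = self.cells[i1], self.cells[i2]
        if t1 != t2:
            raise ValueError("group operation needs operands of one type")
        self.ops += 1
        return self._store(t1, padd(f1, f2))

    def pair(self, i1, i2):
        """Operation "e": a G1 cell and a G2 cell give a GT cell."""
        (t1, f1), (t2, f2) = self.cells[i1], self.cells[i2]
        if (t1, t2) != (1, 2):
            raise ValueError("pairing needs a G1 element and a G2 element")
        self.ops += 1
        return self._store("T", pmul(f1, f2))

    def equal(self, i1, i2):
        """Relation "=": answered on the concrete point, not on the polynomials."""
        (t1, f1), (t2, f2) = self.cells[i1], self.cells[i2]
        if t1 != t2:
            return 0
        return int(peval(f1, self.point) == peval(f2, self.point))

    def known_polynomial(self, i):
        """F_i: what the GBGM proof lets the adversary write down for cell i."""
        return self.cells[i][1]

def demo():
    """Pair g1^(alpha+P0(chi)) with g2^(-alpha+P0(chi)); P0(X) = X + 1 is an assumption."""
    chi = [random.randrange(1, Q) for _ in VARS]
    P0 = padd(var("X"), const(1))
    alpha = var("X_alpha")
    target = padd(pmul(P0, P0), pmul(const(-1), pmul(alpha, alpha)))  # P0^2 - X_alpha^2
    crs = [(1, padd(alpha, P0)),                    # g1^(alpha + P0(chi))
           (2, padd(pmul(const(-1), alpha), P0)),   # g2^(-alpha + P0(chi))
           ("T", target)]                           # e(g1, g2)^(P0(chi)^2 - alpha^2)
    B = GenericBilinearGroup(crs, chi)
    t = B.pair(0, 1)
    # The box reports equality at the concrete chi, and the polynomial attached
    # to the new cell is exactly P0^2 - X_alpha^2: a symbolic identity, so the
    # answer is 1 for every chi and no Schwartz-Zippel luck is involved.
    return B.equal(t, 2), B.known_polynomial(t) == target, B.ops
```

The point of the bookkeeping is the last line of `demo`: an equality the box confirms is, for a generic adversary, a polynomial identity in the indeterminates unless the adversary got lucky at the concrete point, which is exactly the gap that Schwartz-Zippel bounds in the soundness proof.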

The GBGM has proved itself to be very fruitful since its introduction [8]. 
In particular, the generic (bilinear) group model is amenable to computerized 
analysis, and as such, has proven itself to be very useful, say, in the area of 
structure-preserving signature schemes [3]; see also [1]. 

Finally, Fischlin [21] and Dent [17] have pointed out that there exist con- 
structions that are secure in (Shoup's version of) the generic group model but 
cannot be instantiated given any efficient instantiation of the group encoding. 
However, their constructions are utterly artificial; e.g., Dent constructed a sig- 
nature scheme that under certain conditions outputs the signing key as a part 
of the signature. 

Cryptosystems. A public-key cryptosystem $\Pi$ is a triple $(\mathsf{genpkc}, \mathsf{enc}, \mathsf{dec})$ 
of efficient algorithms. The key generation algorithm $\mathsf{genpkc}(1^\kappa)$ returns a fresh 
public and secret key pair $(\mathsf{pk}, \mathsf{sk})$. The encryption algorithm $\mathsf{enc}_{\mathsf{pk}}(m; r)$, given a 
public key pk, a message $m$, and a randomizer $r$ (from some randomizer space $\mathcal{R}$), 
returns a ciphertext. The decryption algorithm $\mathsf{dec}_{\mathsf{sk}}(c)$, given a secret key sk 
and a ciphertext $c$, returns a plaintext $m$. It is required that for each $(\mathsf{pk}, \mathsf{sk}) \in 
\mathsf{genpkc}(1^\kappa)$ and each $m, r$, it holds that $\mathsf{dec}_{\mathsf{sk}}(\mathsf{enc}_{\mathsf{pk}}(m; r)) = m$. Informally, $\Pi$ 
is IND-CPA secure if the distributions of ciphertexts corresponding to any two 
plaintexts are computationally indistinguishable. 

We will use the ILin cryptosystem from [18]; it is distinguished from other 
well-known cryptosystems like the BBS cryptosystem [9] by having shorter secret 
and public keys. Consider group $\mathbb{G}_k$, $k \in \{1, 2\}$. In this cryptosystem, the 
secret key is $\mathsf{sk} = \gamma \leftarrow_r \mathbb{Z}_q \setminus \{0, -1\}$, the public key is $\mathsf{pk}_k \leftarrow (\mathfrak{g}_k, \mathfrak{h}_k) = (\mathfrak{g}_k, \mathfrak{g}_k^{\gamma})$, 
and the encryption of a small $m \in \mathbb{Z}_q$ is 

$$\mathsf{enc}_{\mathsf{pk}_k}(m; s) := (\mathfrak{h}_k^{s_1}, (\mathfrak{g}_k \mathfrak{h}_k)^{s_2}, \mathfrak{g}_k^{m + s_1 + s_2})$$

for $s \leftarrow_r \mathbb{Z}_q^{1 \times 2}$. Denote $\mathfrak{P}_{k1} := (\mathfrak{h}_k, 1_k, \mathfrak{g}_k)$ and $\mathfrak{P}_{k2} := (1_k, \mathfrak{g}_k \mathfrak{h}_k, \mathfrak{g}_k)$, thus 
$\mathsf{enc}_{\mathsf{pk}_k}(m; s) = (1_k, 1_k, \mathfrak{g}_k^m) \cdot \mathfrak{P}_{k1}^{s_1} \mathfrak{P}_{k2}^{s_2}$. Given $\mathfrak{v} \in \mathbb{G}_k^3$, the decryption sets 

$$\mathsf{dec}_{\mathsf{sk}}(\mathfrak{v}) := \log_{\mathfrak{g}_k}\big(\mathfrak{v}_3 \mathfrak{v}_2^{-1/(\gamma+1)} \mathfrak{v}_1^{-1/\gamma}\big).$$


P. Fauzi et al. 


Decryption succeeds since $\mathfrak{v}_3 \mathfrak{v}_2^{-1/(\gamma+1)} \mathfrak{v}_1^{-1/\gamma} = \mathfrak{g}_k^m \mathfrak{g}_k^{s_1+s_2} \cdot (\mathfrak{g}_k \mathfrak{h}_k)^{-s_2/(\gamma+1)} \cdot 
\mathfrak{h}_k^{-s_1/\gamma} = \mathfrak{g}_k^m \mathfrak{g}_k^{s_1+s_2} \cdot \mathfrak{g}_k^{-s_2/(\gamma+1)} \mathfrak{g}_k^{-s_2\gamma/(\gamma+1)} \cdot \mathfrak{g}_k^{-s_1} = \mathfrak{g}_k^m$. This cryptosystem is 
CPA-secure under the 2-Incremental Linear (2-ILin) assumption, see [18]. The 
ILin cryptosystem is blindable: $\mathsf{enc}_{\mathsf{pk}_k}(m; s) \cdot \mathsf{enc}_{\mathsf{pk}_k}(0; s') = \mathsf{enc}_{\mathsf{pk}_k}(m; s + s')$. 

We use a variant of the ILin cryptosystem where each plaintext is encrypted 
twice, in group $\mathbb{G}_1$ and in $\mathbb{G}_2$ (but by using the same secret key and the same 
randomizer $s$ in both). For technical reasons (relevant to the shuffle argument 
but not to the ILin cryptosystem), in group $\mathbb{G}_1$ we will use an auxiliary gen- 
erator $\hat{\mathfrak{g}}_1 = \mathfrak{g}_1^{\varrho/\beta}$ instead of $\mathfrak{g}_1$, for $(\varrho, \beta) \leftarrow_r (\mathbb{Z}_q \setminus \{0\})^2$; both encryption and 
decryption are done as before but just using the secret key $\mathsf{sk} = (\varrho, \beta, \gamma)$ and the 
public key $\mathsf{pk}_1 = (\hat{\mathfrak{g}}_1, \hat{\mathfrak{h}}_1 = \hat{\mathfrak{g}}_1^{\gamma})$; this also redefines $\mathfrak{P}_{11}$ and $\mathfrak{P}_{12}$. That is, $\mathsf{enc}_{\mathsf{pk}}(m; s) = 
(\mathsf{enc}_{\mathsf{pk}_1}(m; s), \mathsf{enc}_{\mathsf{pk}_2}(m; s))$, where $\mathsf{pk}_1 = (\hat{\mathfrak{g}}_1, \hat{\mathfrak{h}}_1 = \hat{\mathfrak{g}}_1^{\gamma})$ and $\mathsf{pk}_2 = (\mathfrak{g}_2, \mathfrak{h}_2 = \mathfrak{g}_2^{\gamma})$, 
and $\mathsf{dec}_{\mathsf{sk}}(\mathfrak{v}) := \log_{\hat{\mathfrak{g}}_1}(\mathfrak{v}_3 \mathfrak{v}_2^{-1/(\gamma+1)} \mathfrak{v}_1^{-1/\gamma}) = \log_{\mathfrak{g}_1}(\mathfrak{v}_3 \mathfrak{v}_2^{-1/(\gamma+1)} \mathfrak{v}_1^{-1/\gamma}) / (\varrho/\beta)$ for 
$\mathfrak{v} \in \mathbb{G}_1^3$. We call this the validity-enhanced ILin cryptosystem. 

In this case we denote the ciphertext in group $k$ by $\mathfrak{v}_k$, and its $j$th component 
by $\mathfrak{v}_{kj}$. In the case when we have many ciphertexts, we denote the $i$th ciphertext 
by $\mathfrak{v}_i$ and the $j$th component of the $i$th ciphertext in group $k$ by $\mathfrak{v}_{ikj}$. 

3 Shuffle Argument 

In the current section, we will give a full description of the new shuffle argument, 
followed by its efficiency analysis. Intuition behind its soundness will be given 
in Sect. 4. The full soundness proof is long, and postponed to Sects. 5, 6 , and 7. 
Its zero knowledge property will be proven in Sect. 8 . 

Let $\Pi = (\mathsf{genpkc}, \mathsf{enc}, \mathsf{dec})$ be an additively homomorphic cryptosystem with 
randomizer space $\mathcal{R}$; we assume henceforth that one uses the validity-enhanced 
ILin cryptosystem. Assume that $\mathfrak{v}_i$ and $\mathfrak{v}'_i$ are valid ciphertexts of $\Pi$. In a shuffle 
argument, the prover aims to convince the verifier in zero-knowledge that, given 
$(\mathsf{pk}, (\mathfrak{v}_i, \mathfrak{v}'_i)_{i=1}^n)$, he knows a permutation $\sigma \in S_n$ and randomizers $s_{ij}$, $i \in [1..n]$ and 
$j \in [1..2]$, such that $\mathfrak{v}'_i = \mathfrak{v}_{\sigma(i)} \cdot \mathsf{enc}_{\mathsf{pk}}(0; s_i)$ for $i \in [1..n]$. More precisely, 
we define the group-specific binary relation $\mathcal{R}_{sh,n}$ exactly as in [28,33]: 

$$\mathcal{R}_{sh,n} = \Big\{ \big((\mathsf{gk}, \mathsf{pk}, (\mathfrak{v}_i, \mathfrak{v}'_i)_{i=1}^n), (\sigma, s)\big) : 
\sigma \in S_n \wedge s \in \mathcal{R}^{n \times 2} \wedge (\forall i : \mathfrak{v}'_i = \mathfrak{v}_{\sigma(i)} \cdot \mathsf{enc}_{\mathsf{pk}}(0; s_i)) \Big\}.$$

See Protocol 1 for the full description of the new shuffle argument. 
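As an added worked example (not the paper's code), the following Python implements the basic ILin scheme of Sect. 2 in a prime-order subgroup of $\mathbb{Z}_p^*$ and then performs the shuffle step $\mathfrak{v}'_i = \mathfrak{v}_{\sigma(i)} \cdot \mathsf{enc}_{\mathsf{pk}}(0; s_i)$ for which the relation $\mathcal{R}_{sh,n}$ asks the prover to know a witness. Assumptions: a single group with the plain generator (the validity-enhanced two-group variant and its auxiliary generator $\hat{\mathfrak{g}}_1$ are not modelled), a toy safe prime $p = 2q + 1$ in place of a pairing-friendly curve, and a brute-force discrete logarithm for the small plaintexts.

```python
import random

Q = 1019             # prime order of the group (toy value)
P = 2 * Q + 1        # 2039 is prime, so Z_p^* has a subgroup of order Q
G = 4                # 4 = 2^2 is a quadratic residue mod P, hence of order Q


def keygen(rng=random):
    """sk = gamma in Z_q \\ {0, -1}; pk_k = (g_k, h_k = g_k^gamma)."""
    gamma = rng.randrange(1, Q - 1)
    return gamma, (G, pow(G, gamma, P))


def enc(pk, m, s):
    """enc_pk(m; s) = (h^s1, (g h)^s2, g^(m + s1 + s2)) with s = (s1, s2)."""
    g, h = pk
    s1, s2 = s
    return (pow(h, s1, P), pow(g * h % P, s2, P), pow(g, m + s1 + s2, P))


def dec(sk, pk, v, max_m=256):
    """dec_sk(v) = log_g(v3 * v2^(-1/(gamma+1)) * v1^(-1/gamma)); m must be small."""
    gamma, g = sk, pk[0]
    v1, v2, v3 = v
    e1 = (-pow(gamma, -1, Q)) % Q          # exponent -1/gamma       (mod q)
    e2 = (-pow(gamma + 1, -1, Q)) % Q      # exponent -1/(gamma + 1) (mod q)
    gm = v3 * pow(v2, e2, P) * pow(v1, e1, P) % P
    for m in range(max_m):                 # brute-force discrete log of g^m
        if pow(g, m, P) == gm:
            return m
    raise ValueError("plaintext not in the small message space")


def ct_mul(u, v):
    """Component-wise product of ciphertexts (the homomorphic operation)."""
    return tuple(a * b % P for a, b in zip(u, v))


def is_blindable(pk, m, s, s_prime):
    """Check enc_pk(m; s) * enc_pk(0; s') == enc_pk(m; s + s')."""
    summed = ((s[0] + s_prime[0]) % Q, (s[1] + s_prime[1]) % Q)
    return ct_mul(enc(pk, m, s), enc(pk, 0, s_prime)) == enc(pk, m, summed)


def shuffle(pk, cts, sigma, s):
    """Step 5 of Protocol 1: v'_i = v_{sigma(i)} * enc_pk(0; s_i), sigma 0-based."""
    return [ct_mul(cts[sigma[i]], enc(pk, 0, s[i])) for i in range(len(cts))]


def demo(messages=(3, 1, 4, 1, 5), seed=2016):
    """Encrypt, shuffle with a fresh (sigma, s), and check the witness and the plaintexts."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    cts = [enc(pk, m, (rng.randrange(Q), rng.randrange(Q))) for m in messages]
    sigma = list(range(len(cts)))
    rng.shuffle(sigma)
    s = [(rng.randrange(Q), rng.randrange(Q)) for _ in cts]
    out = shuffle(pk, cts, sigma, s)
    # R_{sh,n}: the witness (sigma, s) explains every output ciphertext ...
    witness_ok = all(out[i] == ct_mul(cts[sigma[i]], enc(pk, 0, s[i]))
                     for i in range(len(cts)))
    # ... and decrypting the output gives a permutation of the input plaintexts.
    return witness_ok, sorted(dec(sk, pk, c) for c in out), [dec(sk, pk, c) for c in cts]
```

Note that `dec` needs both $\gamma \neq 0$ and $\gamma \neq -1$ to invert the exponents, which is why the secret key is drawn from $\mathbb{Z}_q \setminus \{0, -1\}$; the brute-force logarithm is where the "small $m$" requirement enters.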

We note that in the real mix-net, $(\gamma, \varrho, \beta)$ is handled differently (in particular, 
$\gamma$, and possibly $\varrho/\beta$, will be known to the decrypting party, while $(\varrho, \beta)$ does 
not have to be known to anybody) than the real trapdoor td that enables 
one to simulate the argument and thus cannot be known to anybody. Moreover, 
$(\mathfrak{g}_1, \mathfrak{g}_2)^{\sum_{i=1}^n P_i(\chi)}$ is in the CRS only to optimize computation. A precise efficiency 
analysis of this argument is given in Sect. 9. 

In the rest of this section, we will explain the notion of batching and define 
non-batched versions (that are easier to read and analyse in the soundness proof) 
of the verification equations. We then state the main security theorem. 
$\mathsf{gencrs}(1^\kappa, n \in \mathrm{poly}(\kappa))$: Call $\mathsf{gk} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e) \leftarrow \mathsf{genbp}(1^\kappa)$. Let $P_i(X)$ 
for $i \in [0..n]$ be the polynomials chosen in Sect. 5. Set $\chi = (\chi, \alpha, \varrho, \beta, \gamma) \leftarrow_r 
\mathbb{Z}_q^2 \times (\mathbb{Z}_q \setminus \{0\})^2 \times (\mathbb{Z}_q \setminus \{0, -1\})$. Let enc be the ILin cryptosystem with the 
secret key $\gamma$, and let $(\mathsf{pk}_1, \mathsf{pk}_2)$ be its public key. Set 

$$\mathsf{crs} \leftarrow \Big( \mathsf{gk},\ 
(\mathfrak{g}_1^{((P_i(\chi) + P_0(\chi))^2 - 1)/\varrho})_{i=1}^n,\ 
\mathsf{pk}_1 = (\hat{\mathfrak{g}}_1 = \mathfrak{g}_1^{\varrho/\beta}, \hat{\mathfrak{h}}_1 = \hat{\mathfrak{g}}_1^{\gamma}),\ 
(\mathfrak{g}_1^{P_i(\chi)})_{i=1}^n,\ \mathfrak{g}_1^{\varrho},\ \mathfrak{g}_1^{\alpha + P_0(\chi)},\ \mathfrak{g}_1^{P_0(\chi)},\ 
(\mathfrak{g}_2^{P_i(\chi)})_{i=1}^n,\ \mathfrak{g}_2^{\varrho},\ \mathfrak{g}_2^{-\alpha + P_0(\chi)},\ 
\mathsf{pk}_2 = (\mathfrak{g}_2, \mathfrak{h}_2 = \mathfrak{g}_2^{\gamma}),\ \mathfrak{g}_2^{\beta},\ 
e(\mathfrak{g}_1, \mathfrak{g}_2)^{1 - \alpha^2},\ (\mathfrak{g}_1, \mathfrak{g}_2)^{\sum_{i=1}^n P_i(\chi)} \Big)$$

and $\mathsf{td} \leftarrow (\chi, \varrho)$. Return $(\mathsf{crs}, \mathsf{td})$. 

$\mathsf{pro}(\mathsf{crs};\ \mathfrak{v} \in (\mathbb{G}_1^3 \times \mathbb{G}_2^3)^n;\ \sigma \in S_n,\ s \in \mathbb{Z}_q^{n \times 2})$: 

1. For $i = 1$ to $n - 1$: 

(a) Set $r_i \leftarrow_r \mathbb{Z}_q$. Set $(\mathfrak{A}_{i1}, \mathfrak{A}_{i2}) \leftarrow (\mathfrak{g}_1, \mathfrak{g}_2)^{P_{\sigma^{-1}(i)}(\chi) + r_i \varrho}$. 

2. Set $r_n \leftarrow -\sum_{i=1}^{n-1} r_i$. 

3. Set $(\mathfrak{A}_{n1}, \mathfrak{A}_{n2}) \leftarrow (\mathfrak{g}_1, \mathfrak{g}_2)^{\sum_{i=1}^n P_i(\chi)} / \prod_{i=1}^{n-1} (\mathfrak{A}_{i1}, \mathfrak{A}_{i2})$. 

4. For $i = 1$ to $n$: /* Sparsity, for permutation matrix: */ 

(a) Set $\pi_{1sp:i} \leftarrow (\mathfrak{A}_{i1} \mathfrak{g}_1^{P_0(\chi)})^{2 r_i} (\mathfrak{g}_1^{\varrho})^{-r_i^2} \mathfrak{g}_1^{((P_{\sigma^{-1}(i)}(\chi) + P_0(\chi))^2 - 1)/\varrho}$, 
so that $\pi_{1sp:i} = \mathfrak{g}_1^{((P_{\sigma^{-1}(i)}(\chi) + P_0(\chi) + r_i \varrho)^2 - 1)/\varrho}$. 

5. For $i = 1$ to $n$: /* Shuffling itself */ 

(a) Set $(\mathfrak{v}'_{i1}, \mathfrak{v}'_{i2}) \leftarrow (\mathfrak{v}_{\sigma(i)1}, \mathfrak{v}_{\sigma(i)2}) \cdot (\mathsf{enc}_{\mathsf{pk}_1}(0; s_i), \mathsf{enc}_{\mathsf{pk}_2}(0; s_i))$. 

6. Set /* Consistency */ 

(a) For $k = 1$ to $2$: Set $r_{s:k} \leftarrow_r \mathbb{Z}_q$. Set $\pi_{c1:k} \leftarrow \mathfrak{g}_2^{\sum_{i=1}^n s_{ik} P_i(\chi) + r_{s:k} \varrho}$. 

(b) $(\pi_{c2:1}, \pi_{c2:2}) \leftarrow \prod_{i=1}^n (\mathfrak{v}_{i1}, \mathfrak{v}_{i2})^{r_i} \cdot (\mathsf{enc}_{\mathsf{pk}_1}(0; r_s), \mathsf{enc}_{\mathsf{pk}_2}(0; r_s))$, where $r_s = (r_{s:1}, r_{s:2})$. 

7. Return $\pi_{sh} \leftarrow (\mathfrak{v}', (\mathfrak{A}_{i1}, \mathfrak{A}_{i2})_{i=1}^{n-1}, (\pi_{1sp:i})_{i=1}^n, \pi_{c1:1}, \pi_{c1:2}, \pi_{c2:1}, \pi_{c2:2})$. 

$\mathsf{ver}(\mathsf{crs};\ \mathfrak{v};\ \mathfrak{v}', (\mathfrak{A}_{i1}, \mathfrak{A}_{i2})_{i=1}^{n-1}, (\pi_{1sp:i})_{i=1}^n, \pi_{c1:1}, \pi_{c1:2}, \pi_{c2:1}, \pi_{c2:2})$: 

1. Set $(\mathfrak{A}_{n1}, \mathfrak{A}_{n2}) \leftarrow (\mathfrak{g}_1, \mathfrak{g}_2)^{\sum_{i=1}^n P_i(\chi)} / \prod_{i=1}^{n-1} (\mathfrak{A}_{i1}, \mathfrak{A}_{i2})$. 

2. Set $(\beta_{1i}, \beta_{2j}, \beta_{3ij}, \beta_{4j})_{i \in [1..n], j \in [1..3]} \leftarrow_r \mathbb{Z}_q^{4n+6}$. 

3. Check that /* Permutation matrix: */ 

$$\prod_{i=1}^n e\big((\mathfrak{A}_{i1} \mathfrak{g}_1^{\alpha + P_0(\chi)})^{\beta_{1i}}, \mathfrak{A}_{i2} \mathfrak{g}_2^{-\alpha + P_0(\chi)}\big) = 
e\Big(\prod_{i=1}^n \pi_{1sp:i}^{\beta_{1i}}, \mathfrak{g}_2^{\varrho}\Big) \cdot e(\mathfrak{g}_1, \mathfrak{g}_2)^{(1 - \alpha^2) \sum_{i=1}^n \beta_{1i}}.$$

4. Check that /* Validity: */ 

$$e\Big(\mathfrak{g}_1^{\varrho},\ \prod_{j=1}^3 \pi_{c2:2j}^{\beta_{2j}} \cdot \prod_{i=1}^n \prod_{j=1}^3 (\mathfrak{v}'_{i2j})^{\beta_{3ij}}\Big) = 
e\Big(\prod_{j=1}^3 \pi_{c2:1j}^{\beta_{2j}} \cdot \prod_{i=1}^n \prod_{j=1}^3 (\mathfrak{v}'_{i1j})^{\beta_{3ij}},\ \mathfrak{g}_2^{\beta}\Big).$$

5. Set 

$$\mathfrak{N} \leftarrow e\big(\hat{\mathfrak{g}}_1,\ \pi_{c1:2}^{\beta_{42}} (\pi_{c1:1} \pi_{c1:2})^{\beta_{43}}\big) \cdot 
e\big(\hat{\mathfrak{h}}_1,\ \pi_{c1:1}^{\beta_{41}} \pi_{c1:2}^{\beta_{42}}\big) \Big/ 
e\Big(\prod_{j=1}^3 \pi_{c2:1j}^{\beta_{4j}},\ \mathfrak{g}_2^{\varrho}\Big).$$

6. Check that /* Consistency: */ 

$$\prod_{i=1}^n e\Big(\prod_{j=1}^3 (\mathfrak{v}'_{i1j})^{\beta_{4j}},\ \mathfrak{g}_2^{P_i(\chi)}\Big) \Big/ 
\prod_{i=1}^n e\Big(\prod_{j=1}^3 \mathfrak{v}_{i1j}^{\beta_{4j}},\ \mathfrak{A}_{i2}\Big) = \mathfrak{N}.$$

Protocol 1: The new shuffle argument 
3.1 Batching 

We assume that the verifier checks that the batched versions [4] of the equations 
(given in Protocol 1) hold. However, for soundness we need that the individ- 
ual (non-batched) verification equations hold. We will show that we still have 
soundness even if the verifier checks batched versions of the equations. 

We first prove the following lemma. We state it in the case where $f_i(X)$ are 
polynomials, but one can obviously transform it to the case where $f_i(X)$ are 
Laurent polynomials or even rational functions. 

Lemma 1. Assume $(\beta_i)_{i \in [1..k]}$ are values chosen uniformly at random from $\mathbb{Z}_q$. 
Assume $\chi$ are values chosen uniformly at random from $\mathbb{Z}_q$. Assume $f_i$ are some 
polynomials of degree $\mathrm{poly}(\kappa)$. If the equation $\prod_{i=1}^k e(\mathfrak{g}_1, \mathfrak{g}_2)^{f_i(\chi) \beta_i} = 1_T$ holds, 
then with probability $\geq 1 - 1/q$ the $k$ pairing equations $e(\mathfrak{g}_1, \mathfrak{g}_2)^{f_i(\chi)} = 1_T$, 
$i \in [1..k]$, also hold. 

Proof. As the pairing is non-degenerate, $\prod_{i=1}^k e(\mathfrak{g}_1, \mathfrak{g}_2)^{f_i(\chi) \beta_i} = 1_T$ iff 
$\sum_{i=1}^k f_i(\chi) \beta_i = 0$. By the Schwartz-Zippel lemma [37,39], with probability 
$\geq 1 - 1/q$ this means $\sum_{i=1}^k f_i(\chi) Y_i = 0$ as a polynomial, where $(Y_i)_{i \in [1..k]}$ 
are random variables corresponding to $\beta_i$. Hence all individual coefficients of $Y_i$ 
must be zero, i.e., $f_i(\chi) = 0$ for $i \in [1..k]$. But then we have for $i \in [1..k]$ that 
$e(\mathfrak{g}_1, \mathfrak{g}_2)^{f_i(\chi)} = e(\mathfrak{g}_1, \mathfrak{g}_2)^0 = 1_T$, as desired. □ 

The following corollary follows immediately from Lemma 1. 

Corollary 1. Assume $\chi = (\chi, \alpha, \varrho, \beta, \gamma)$ is chosen uniformly at random from 
$\mathbb{Z}_q^2 \times (\mathbb{Z}_q \setminus \{0\})^2 \times (\mathbb{Z}_q \setminus \{0, -1\})$. Assume $(\beta_{1i}, \beta_{2j}, \beta_{3ij}, \beta_{4j})_{i \in [1..n], j \in [1..3]}$ are 
values chosen uniformly at random from $\mathbb{Z}_q^{4n+6}$. Consider the verification steps in 
Protocol 1. 

- If the verification on Step 3 accepts, then (with probability $\geq 1 - 1/q$) for 
$i \in [1..n]$, 

$$e\big(\mathfrak{A}_{i1} \mathfrak{g}_1^{\alpha + P_0(\chi)}, \mathfrak{A}_{i2} \mathfrak{g}_2^{-\alpha + P_0(\chi)}\big) = e(\pi_{1sp:i}, \mathfrak{g}_2^{\varrho})\, e(\mathfrak{g}_1, \mathfrak{g}_2)^{1 - \alpha^2}. \quad (1)$$

- If the verification on Step 4 accepts, then with probability $\geq 1 - 1/q$, 

$$e(\mathfrak{g}_1^{\varrho}, \pi_{c2:2j}) = e(\pi_{c2:1j}, \mathfrak{g}_2^{\beta}),\ j \in [1..3], \quad (2)$$

$$e(\mathfrak{g}_1^{\varrho}, \mathfrak{v}'_{i2j}) = e(\mathfrak{v}'_{i1j}, \mathfrak{g}_2^{\beta}),\ i \in [1..n],\ j \in [1..3]. \quad (3)$$

- If the verification on Step 6 accepts, then with probability $\geq 1 - 1/q$, 

$$\prod_{i=1}^n e(\mathfrak{v}'_{i1}, \mathfrak{g}_2^{P_i(\chi)}) \Big/ \prod_{i=1}^n e(\mathfrak{v}_{i1}, \mathfrak{A}_{i2}) = 
e(\mathfrak{P}_{11}, \pi_{c1:1})\, e(\mathfrak{P}_{12}, \pi_{c1:2}) \big/ e(\pi_{c2:1}, \mathfrak{g}_2^{\varrho}). \quad (4)$$

i= 1 i = 1 
Proof. If the verification on Step 3 accepts, then we get that 

$$\prod_{i=1}^n \Big( e\big(\mathfrak{A}_{i1} \mathfrak{g}_1^{\alpha + P_0(\chi)}, \mathfrak{A}_{i2} \mathfrak{g}_2^{-\alpha + P_0(\chi)}\big) \big/ \big(e(\pi_{1sp:i}, \mathfrak{g}_2^{\varrho})\, e(\mathfrak{g}_1, \mathfrak{g}_2)^{1 - \alpha^2}\big) \Big)^{\beta_{1i}}$$

$$= \prod_{i=1}^n e\big((\mathfrak{A}_{i1} \mathfrak{g}_1^{\alpha + P_0(\chi)})^{\beta_{1i}}, \mathfrak{A}_{i2} \mathfrak{g}_2^{-\alpha + P_0(\chi)}\big) \Big/ \prod_{i=1}^n \big(e(\pi_{1sp:i}, \mathfrak{g}_2^{\varrho})\, e(\mathfrak{g}_1, \mathfrak{g}_2)^{1 - \alpha^2}\big)^{\beta_{1i}} = 1_T.$$

By Lemma 1, with probability $\geq 1 - 1/q$ we get 

$$e\big(\mathfrak{A}_{i1} \mathfrak{g}_1^{\alpha + P_0(\chi)}, \mathfrak{A}_{i2} \mathfrak{g}_2^{-\alpha + P_0(\chi)}\big) \big/ \big(e(\pi_{1sp:i}, \mathfrak{g}_2^{\varrho})\, e(\mathfrak{g}_1, \mathfrak{g}_2)^{1 - \alpha^2}\big) = 1_T$$

for $i \in [1..n]$. Simplifying, this is precisely Eq. (1). The other cases are similar. 
□ 

This means that with probability $\geq 1 - 3/q$, checking the batched version of the 
verification equations (as in Protocol 1) is equivalent to checking the individual 
verification equations (as in Corollary 1). 

We note that Corollary 1 also holds when $\chi$ is chosen according to the dis- 
tribution stipulated in Protocol 1. 
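The batching trick of Lemma 1 is easiest to see in the exponent. The following Python is an added example rather than the paper's code: it represents each $\mathbb{G}_T$ element $e(\mathfrak{g}_1, \mathfrak{g}_2)^{f_i(\chi)}$ by the value $f_i(\chi) \in \mathbb{Z}_q$, so that the batched equation becomes $\sum_i \beta_i f_i(\chi) = 0 \pmod q$, and it counts exactly how many choices of $(\beta_i)$ accept a batch in which some $f_i(\chi) \neq 0$. The toy prime $q = 101$ is an assumption chosen so that the count can be exhaustive.

```python
import itertools
import random

Q = 101  # toy prime; in the protocol q is a ~256-bit prime


def batched_check(logs, betas):
    """prod_i e(g1,g2)^(f_i(chi) beta_i) = 1_T  <=>  sum_i f_i(chi) beta_i = 0 (mod q)."""
    return sum(f * b for f, b in zip(logs, betas)) % Q == 0


def individual_checks(logs):
    """The k separate equations e(g1, g2)^(f_i(chi)) = 1_T."""
    return all(f % Q == 0 for f in logs)


def verify_batched(logs, rng=random):
    """What the verifier does: draw fresh beta_i after seeing the argument, then one check."""
    betas = [rng.randrange(Q) for _ in logs]
    return batched_check(logs, betas)


def accepting_beta_count(logs):
    """Exact number of beta vectors in Z_q^k that accept `logs` (k must be small).

    If every f_i(chi) is zero, all q^k vectors accept.  Otherwise
    sum_i f_i(chi) beta_i is a non-zero linear form in the beta_i, whose kernel
    has exactly q^(k-1) points: a prover for whom some individual equation fails
    slips through the batched check with probability exactly 1/q over the
    verifier's coins, which is the 1 - 1/q of Lemma 1 with equality.
    """
    k = len(logs)
    return sum(batched_check(logs, b) for b in itertools.product(range(Q), repeat=k))
```

The order of events matters for the bound: the $\beta_i$ are sampled by the verifier after the prover has committed to the argument (Step 2 of Protocol 1 comes after the argument is received), so the prover cannot choose the $f_i(\chi)$ as a function of them.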


3.2 Statement of Security 

Theorem 1 (Shuffle Security). The shuffle argument from Protocol 1 is per- 
fectly complete, computationally sound in the GBGM, and perfectly zero knowl- 
edge. More precisely, any generic adversary attacking the soundness of the new 
shuffle argument requires $\Omega(\sqrt{q/n})$ computation. 

Proof. Completeness: we deal with the other verifications in later sections. Cur- 
rently we only show that if the prover and the verifier are honest, then Eq. (4) 
(and thus also the verification on Step 6 in Protocol 1) accepts. Really, let 
$\mathfrak{v}'_{i1} = \mathfrak{v}_{\sigma(i)1} \cdot \mathsf{enc}_{\mathsf{pk}_1}(0; s_i)$ and $\mathsf{pk}_1 = (\hat{\mathfrak{g}}_1, \hat{\mathfrak{h}}_1)$ for some $s_i \in \mathbb{Z}_q^{1 \times 2}$. Then 

$$\prod_{i=1}^n e(\mathfrak{v}'_{i1}, \mathfrak{g}_2^{P_i(\chi)}) 
= \prod_{i=1}^n e\big(\mathfrak{v}_{\sigma(i)1} \cdot \mathsf{enc}_{\mathsf{pk}_1}(0; s_i), \mathfrak{g}_2^{P_i(\chi)}\big)$$

$$= \prod_{i=1}^n e(\mathfrak{v}_{\sigma(i)1}, \mathfrak{g}_2^{P_i(\chi)}) \cdot \prod_{i=1}^n e\big(\mathfrak{P}_{11}^{s_{i1}} \mathfrak{P}_{12}^{s_{i2}}, \mathfrak{g}_2^{P_i(\chi)}\big)$$

$$= \prod_{i=1}^n e(\mathfrak{v}_{\sigma(i)1}, \mathfrak{g}_2^{P_i(\chi)}) \cdot e\big(\mathfrak{P}_{11}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i1} P_i(\chi)}\big) \cdot e\big(\mathfrak{P}_{12}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i2} P_i(\chi)}\big)$$

and 

$$\prod_{i=1}^n e(\mathfrak{v}_{i1}, \mathfrak{A}_{i2}) 
= \prod_{i=1}^n e\big(\mathfrak{v}_{i1}, \mathfrak{g}_2^{P_{\sigma^{-1}(i)}(\chi) + r_i \varrho}\big) 
= \prod_{i=1}^n e(\mathfrak{v}_{\sigma(i)1}, \mathfrak{g}_2^{P_i(\chi)}) \cdot e\Big(\prod_{i=1}^n \mathfrak{v}_{i1}^{r_i}, \mathfrak{g}_2^{\varrho}\Big).$$

Hence, as needed (using that $\mathsf{enc}_{\mathsf{pk}_1}(0; r_s) = \mathfrak{P}_{11}^{r_{s:1}} \mathfrak{P}_{12}^{r_{s:2}}$ in the second step), 

$$\prod_{i=1}^n e(\mathfrak{v}'_{i1}, \mathfrak{g}_2^{P_i(\chi)}) \Big/ \prod_{i=1}^n e(\mathfrak{v}_{i1}, \mathfrak{A}_{i2}) 
= e\big(\mathfrak{P}_{11}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i1} P_i(\chi)}\big) \cdot e\big(\mathfrak{P}_{12}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i2} P_i(\chi)}\big) \Big/ e\Big(\prod_{i=1}^n \mathfrak{v}_{i1}^{r_i}, \mathfrak{g}_2^{\varrho}\Big)$$

$$= e\big(\mathfrak{P}_{11}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i1} P_i(\chi) + r_{s:1} \varrho}\big) \cdot e\big(\mathfrak{P}_{12}, \mathfrak{g}_2^{\sum_{i=1}^n s_{i2} P_i(\chi) + r_{s:2} \varrho}\big) \Big/ e\Big(\prod_{i=1}^n \mathfrak{v}_{i1}^{r_i} \cdot \mathsf{enc}_{\mathsf{pk}_1}(0; r_s), \mathfrak{g}_2^{\varrho}\Big)$$

$$= e(\mathfrak{P}_{11}, \pi_{c1:1})\, e(\mathfrak{P}_{12}, \pi_{c1:2}) \big/ e(\pi_{c2:1}, \mathfrak{g}_2^{\varrho}).$$

Soundness. Intuition behind soundness will be given in Sect. 4. Soundness 
of this argument will be proven in Sects. 5, 6 , and 7. 

Zero-knowledge: The zero-knowledge property will be proven in Sect. 8 . □ 

Since we work in the GBGM, where the adversary knows how all values were 
computed, Protocol 1 is actually an argument of knowledge. 
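The consistency equation (4) and the completeness computation above can be checked mechanically in "exponent space". The following Python is an added example, not the paper's code: every $\mathbb{G}_1$/$\mathbb{G}_2$ element is represented by its discrete logarithm in $\mathbb{Z}_q$, a pairing by the product of two logarithms and a product in $\mathbb{G}_T$ by a sum, which is exactly the view of the generic-model proof. Assumptions: plain generators in both groups (so the validity argument and $\hat{\mathfrak{g}}_1 = \mathfrak{g}_1^{\varrho/\beta}$ are not modelled), $P_i(X) = X^i$ in place of the polynomials fixed in Sect. 5, and a toy $q$ small enough to sweep every CRS secret $\chi$. The sweep shows the honest prover passing for every $\chi$, and a prover who commits to $\sigma$ but shuffles by $\tau \neq \sigma$ passing for at most $n$ values of $\chi$, which is the Schwartz-Zippel bound used in Sect. 4.

```python
import random

Q = 1019  # toy prime; the real q is ~256 bits


def P(i, chi):
    """Assumption: P_i(X) = X^i; the paper fixes the P_i in Sect. 5 (not reproduced here)."""
    return pow(chi, i, Q)


def ilin_log(gamma, m, s):
    """Logs of enc_pk(m; s) = (h^s1, (g h)^s2, g^(m+s1+s2)), h = g^gamma, plain generator."""
    s1, s2 = s
    return (gamma * s1 % Q, (1 + gamma) * s2 % Q, (m + s1 + s2) % Q)


def vadd(u, v):
    return tuple((a + b) % Q for a, b in zip(u, v))


def vscale(c, u):
    return tuple(c * a % Q for a in u)


def prove(chi, rho, gamma, cts, sigma, s, rng):
    """Steps 1-3, 5 and 6 of Protocol 1 in logarithms; sigma is 0-based."""
    n = len(cts)
    r = [rng.randrange(Q) for _ in range(n - 1)]
    r.append((-sum(r)) % Q)                                   # r_n = -sum_{i<n} r_i
    inv = {sigma[i]: i for i in range(n)}                     # sigma^{-1}
    A2 = [(P(inv[i] + 1, chi) + r[i] * rho) % Q for i in range(n)]        # log A_{i2}
    out = [vadd(cts[sigma[i]], ilin_log(gamma, 0, s[i])) for i in range(n)]  # v'_i
    rs = (rng.randrange(Q), rng.randrange(Q))
    pi_c1 = [(sum(s[i][k] * P(i + 1, chi) for i in range(n)) + rs[k] * rho) % Q
             for k in range(2)]                               # log pi_{c1:k}
    acc = (0, 0, 0)
    for i in range(n):
        acc = vadd(acc, vscale(r[i], cts[i]))                 # prod_i v_{i1}^{r_i}
    pi_c2 = vadd(acc, ilin_log(gamma, 0, rs))                 # times enc(0; r_s)
    return out, A2, pi_c1, pi_c2


def verify(chi, rho, gamma, cts, out, A2, pi_c1, pi_c2):
    """Non-batched Eq. (4), one G_T equation per ciphertext component j.

    The real verifier only holds g2^{P_i(chi)}, g2^rho and pk; the pairing
    performs these multiplications in the exponent for it.  Here the logs are
    explicit so the algebra of the completeness proof can be re-run directly.
    """
    n = len(cts)
    P11 = (gamma, 0, 1)       # logs of P_11 = (h, 1, g)
    P12 = (0, 1 + gamma, 1)   # logs of P_12 = (1, g h, g)
    for j in range(3):
        lhs = (sum(out[i][j] * P(i + 1, chi) for i in range(n))
               - sum(cts[i][j] * A2[i] for i in range(n)))
        rhs = P11[j] * pi_c1[0] + P12[j] * pi_c1[1] - pi_c2[j] * rho
        if (lhs - rhs) % Q != 0:
            return False
    return True


def transcript(chi, seed=1, n=4):
    """Honest transcript, and a cheating one where A commits to sigma but v' uses tau != sigma."""
    rng = random.Random(seed)
    rho, gamma = rng.randrange(1, Q), rng.randrange(1, Q - 1)
    cts = [ilin_log(gamma, m, (rng.randrange(Q), rng.randrange(Q))) for m in range(n)]
    sigma = list(range(n))
    rng.shuffle(sigma)
    s = [(rng.randrange(Q), rng.randrange(Q)) for _ in range(n)]
    out, A2, pi_c1, pi_c2 = prove(chi, rho, gamma, cts, sigma, s, rng)
    tau = sigma[1:] + sigma[:1]
    out_bad = [vadd(cts[tau[i]], ilin_log(gamma, 0, s[i])) for i in range(n)]
    return (verify(chi, rho, gamma, cts, out, A2, pi_c1, pi_c2),
            verify(chi, rho, gamma, cts, out_bad, A2, pi_c1, pi_c2))


def honest_accepts_everywhere(seed=1, n=4):
    return all(transcript(chi, seed, n)[0] for chi in range(Q))


def cheat_accepting_points(seed=1, n=4):
    """CRS secrets chi at which the cheat passes: at most n, the degree of the leftover polynomial."""
    return sum(transcript(chi, seed, n)[1] for chi in range(Q))
```

In the cheating transcript everything except $\sum_i (\mathfrak{v}_{\tau(i)1j} - \mathfrak{v}_{\sigma(i)1j}) P_i(\chi)$ cancels on both sides of (4), so the verifier is effectively evaluating a non-zero polynomial of degree at most $n$ at the hidden $\chi$; the exhaustive count makes that bound concrete.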


4 Intuition Behind Soundness 

Throughout this paper, we use a variation of the polynomial commitment scheme 
of type $\mathsf{com}(\boldsymbol{a}; r) := \mathfrak{h}^{\sum_{i=1}^n a_i P_i(\chi) + r \varrho}$, where $\mathfrak{h}$ is a generator of $\mathbb{G}_j$, $\chi$ and $\varrho$ are 
random values from $\mathbb{Z}_q$, and $P_i(X)$ are well-chosen polynomials. (The choice of 
$P_i(X)$ is fixed by the 1-sparsity argument, see Sect. 5.1.) Several variants of this 
commitment scheme are well-known to be perfectly hiding and computationally 
binding (under a suitable computational assumption, security of which is usually 
proved in the GBGM, [26,30]). However, since we only rely on the security of 
this commitment scheme within the GBGM soundness proof of the shuffle, we 
will state neither the concrete assumption nor the security requirements (like 
hiding and binding) of a commitment scheme. 

On the last three steps, see Protocol 1 , the verifier executes four different 
verifications, restated in an easier to read format in Corollary 1 . Each of these 
verifications has an intuitive meaning, resulting in a different subargument. How- 
ever, since all of them have to use the same CRS and the soundness proof is in 
the GBGM, the subarguments interact strongly. 
Our soundness proof in the GBGM uses the following idea. An adversary can 
only produce group elements from $\mathbb{G}_1$ or $\mathbb{G}_2$ that are products of the elements 
of the same group given in the CRS; elements of $\mathbb{G}_T$ can also be output by the 
pairing operation. Let $\chi = (\chi, \alpha, \varrho, \beta, \gamma)$ be concrete (randomly chosen) values 
from $\mathbb{Z}_q$ and $X = (X, X_\alpha, X_\varrho, X_\beta, X_\gamma)$ be the corresponding random variables. 
E.g., if $\mathcal{F}(X) = \{F_i(X)\}$ is the set of all rational functions such that $\{\mathfrak{g}_1^{F_i(\chi)}\}$ 
is equal to the set of all CRS values in $\mathbb{G}_1$, then any value that the 
adversary creates in $\mathbb{G}_1$ must be of the form $\mathfrak{g}_1^{A(\chi)}$, where $A(X) \in \mathrm{span}\,\mathcal{F}(X)$. 

In this way, after taking a discrete logarithm, each verification equation 
can be written in the form $V(\chi) = 0$ for some polynomial $V(X)$ known to 
the adversary. However, since the values in $\chi$ were chosen uniformly at random, 
from the Schwartz-Zippel lemma [37,39] we can conclude that $V(X) = 0$ as a 
polynomial (or a rational function), except with negligible probability $O(n)/q$. 
From $V(X) = 0$, we deduce that all the coefficients of terms 
in $V(X) \cdot V^*(X)$ (where $V^*(X)$ is the denominator of $V(X)$) are zero, giving 
us several equations related to the adversary's chosen values. From these equa- 
tions and the linear independence of the polynomials $P_i(X)$, we can deduce that 
the adversary's chosen values must be of a certain form, except with negligible 
probability $O(n)/q$. 

More precisely, for symbolic values $T$ and $t$, define (by following the definition 
of the CRS in Protocol 1) 

$$\mathsf{crs}_1(X, T, t) = t(X) + T_\varrho X_\varrho + T_\alpha \cdot (X_\alpha + P_0(X)) + T_0 P_0(X) + \frac{t^\dagger(X) Z(X)}{X_\varrho} + \frac{T_\beta X_\varrho}{X_\beta} + \frac{T_\gamma X_\varrho X_\gamma}{X_\beta},$$

$$\mathsf{crs}_2(X, T, t) = t(X) + T_\varrho X_\varrho + T_\alpha \cdot (-X_\alpha + P_0(X)) + T_1 + T_\gamma X_\gamma + T_\beta X_\beta,$$

where $t^\dagger(X)$ is in the span of $\{((P_i(X) + P_0(X))^2 - 1)/Z(X)\}_{i=1}^n$ and $t(X)$ is 
in the span of $\{P_i(X)\}_{i=1}^n$. We will follow the same notation in the rest of the 
paper. In particular, all "daggered" polynomials (e.g., $b^\dagger(X)$) are in the span 
of $\{((P_i(X) + P_0(X))^2 - 1)/Z(X)\}_{i=1}^n$. Since $\deg Z(X) = n + 1$, $\deg t^\dagger(X) \leq 
n - 1$, and $\deg t(X) \leq n$, then $\deg(\mathsf{crs}_1(X, T, t) \cdot X_\varrho X_\beta) \leq (n - 1) + (n + 1) - 
1 + 2 = 2n + 1$. (Multiplication with $X_\varrho X_\beta$ is needed to make $\mathsf{crs}_1(X, T, t)$ 
a polynomial.) Analogously, $\deg \mathsf{crs}_2(X, T, t) \leq n$. Importantly, $\{P_i(X)\}_{i=0}^n$ is 
linearly independent. In particular, $P_0(X)$ is linearly independent of all other 
polynomials present in $\mathsf{crs}_1(X)$ and $\mathsf{crs}_2(X)$, except the "daggered" polynomials. 

Since the shuffle argument adversary is a GBGM adversary (and one uses ILin 
encryption), she knows the following polynomials (in the case of $\mathsf{crs}_2$-functions), 
Laurent polynomials (in the case of $\mathsf{crs}_1$-functions) or rational functions (in the 
case of $M_{ij}(X)$, $M'_{ij}(X)$, and $M_{E:j}(X)$), where $\hat{\mathfrak{g}}_2 = \mathfrak{g}_2$: 

$A(X) = \mathsf{crs}_1(X, A, a)$ s.t. $\mathfrak{A}_{i1} = \mathfrak{g}_1^{A(\chi)}$, 
$B(X) = \mathsf{crs}_2(X, B, b)$ s.t. $\mathfrak{A}_{i2} = \mathfrak{g}_2^{B(\chi)}$, 
$C(X) = \mathsf{crs}_1(X, C, c)$ s.t. $\pi_{1sp:i} = \mathfrak{g}_1^{C(\chi)}$, 
$D_j(X) = \mathsf{crs}_2(X, D_j, d_j)$ s.t. $\pi_{c1:j} = \mathfrak{g}_2^{D_j(\chi)}$, 
$E_{kj}(X) = \mathsf{crs}_k(X, E_{kj}, e_{kj})$ s.t. $\pi_{c2:kj} = \hat{\mathfrak{g}}_k^{E_{kj}(\chi)}$, 
$V_{ikj}(X) = \mathsf{crs}_k(X, V_{ikj}, v_{ikj})$ s.t. $\mathfrak{v}_{ikj} = \hat{\mathfrak{g}}_k^{V_{ikj}(\chi)}$, 
$V'_{ikj}(X) = \mathsf{crs}_k(X, V'_{ikj}, v'_{ikj})$ s.t. $\mathfrak{v}'_{ikj} = \hat{\mathfrak{g}}_k^{V'_{ikj}(\chi)}$, 

$$M_{ij}(X) = V_{ij3}(X) - V_{ij2}(X)/(X_\gamma + 1) - V_{ij1}(X)/X_\gamma \ \text{ s.t. } \mathsf{dec}_{\mathsf{sk}}(\mathfrak{v}_{ij}) = M_{ij}(\chi),$$
$$M'_{ij}(X) = V'_{ij3}(X) - V'_{ij2}(X)/(X_\gamma + 1) - V'_{ij1}(X)/X_\gamma \ \text{ s.t. } \mathsf{dec}_{\mathsf{sk}}(\mathfrak{v}'_{ij}) = M'_{ij}(\chi),$$
$$M_{E:j}(X) = E_{j3}(X) - E_{j2}(X)/(X_\gamma + 1) - E_{j1}(X)/X_\gamma \ \text{ s.t. } \mathsf{dec}_{\mathsf{sk}}(\pi_{c2:j}) = M_{E:j}(\chi). \quad (5)$$

We are now almost ready to explain the meaning of each individual verifica- 
tion equation. Before doing so, we emphasize that a major obstacle in proving 
soundness in the GBGM is that all subarguments must use the same CRS. In 
particular, a subargument that is sound by itself might stop being sound due to 
the elements in the CRS that are added because of other subarguments. Intu- 
itively, we tackle this problem by introducing the random variables $\alpha$ (that is only 
needed in Eq. (1)) and $\beta$ (that is needed in Eqs. (2) and (3)). 

Briefly, the verifier makes three checks. Equation (1), the "permutation 
matrix argument", guarantees that the prover has committed to a permuta- 
tion matrix corresponding to some permutation $\sigma$. Equations (2) and (3), the 
"validity argument", guarantee that the ciphertexts have not been formed in a 
devious way that would make the consistency argument unsound. Equa- 
tion (4), the "consistency argument", guarantees that the prover has used the 
same permutation $\sigma$ to shuffle the ciphertexts. 

Permutation Matrix Argument. Consider the subargument of Protocol 1, where the verifier just computes $(\mathfrak{A}_{n1}, \mathfrak{A}_{n2})$ and then performs the verification Eq. (1) for each $i = 1$ to $n$. We call it the permutation matrix argument. In Sect. 5 we motivate this name, by showing that after the permutation matrix argument only, the verifier is convinced that $(\mathfrak{A}_{11}, \dots, \mathfrak{A}_{n1})$ commits to a permutation matrix. For this, we first prove the security of its subargument, the 1-sparsity argument [33], where the verifier performs the verification Eq. (1) for exactly one $i$.

To prove the security of the permutation matrix argument, we have to solve a quite complicated system of polynomial equations. We do it by using a computer algebra system; see Sect. 5 for more details.

Validity Argument. As a subroutine in our argument, we make the verifier check the validity of all ciphertexts. This is done by checking Eq. (3) (and Eq. (2)). The main goal of the validity check is to show that the prover did not use "forbidden" terms when computing the ciphertexts $\mathfrak{v}_{ik}$ and $\pi_{c2:k}$.

In the case of the Elgamal cryptosystem, the validity argument provides a proof that both $\mathfrak{v}_{i1}$ and $\mathfrak{v}_{i2}$ decrypt to a plaintext of the form $M_i(X)$ given in Eq. (12), for known coefficients and polynomials $f_{ij}(X)$, where none of the rational functions $f_{ij}$ depends on either $X_\alpha$ or $X_\varrho$. Similar assurance is provided about the plaintext hidden in $\pi_{c2:k}$. Employing validity subarguments allows the consistency subargument to be more efficient than in [19,28].


Consistency Argument. Finally, we show that performing all checks guarantees that $\mathrm{dec}_{sk}(\mathfrak{v}'_i) = \mathrm{dec}_{sk}(\mathfrak{v}_{\sigma(i)})$ for some permutation $\sigma \in S_n$. The main observation is that a permutation of ciphertexts (without rerandomization) is invariant under multiplication: without rerandomizing the ciphertexts, the (non-batched) verification Eq. (4) would just be the identity $e(\mathfrak{v}'_{i1}, g_2^{P_i(x)}) = e(\mathfrak{v}_{i1}, g_2^{P_{\sigma^{-1}(i)}(x)})$, for all $i$. However, this trivially leaks the permutation $\sigma$, and hence is not secure. To ensure privacy, $\mathfrak{v}'_i$ must be rerandomized, and $g_2^{P_{\sigma^{-1}(i)}(x)}$ must be replaced by a commitment to the unit vector $e_{\sigma^{-1}(i)}$. This makes the final verification slightly more complicated, as we need extra terms to adjust it to the added random values.

A version of Eq. (4) was also used in [19,28,33]. However, the shuffle arguments from [19,28] need to execute two versions of Eq. (4), once with $P_i(X)$ and once with different, carefully chosen polynomials $\hat{P}_i(X)$ in $\mathbb{G}_2$. (See [19,28] for an explanation.) In addition, one must prove that those two versions are consistent with each other (by providing a same-message argument, in the terminology of [19]). This makes the arguments of [19,28] quite complicated.

Similarly to [33], we avoid this complication by having a validity argument on the ciphertexts. Since valid ciphertexts do not depend on $P_i(X)$, it suffices for the verifier to execute just one version of Eq. (4).

5 Permutation Matrix Argument

In this section, we show that a subargument of Protocol 1, where the verifier only computes $\mathfrak{A}_{n1}$ as shown and then executes the verification in Eq. (1) (for each $i \in [1\,..\,n]$), gives us a permutation matrix argument. This argument is by far the most complex subargument that we use.

5.1 New 1-Sparsity Argument

In a 1-sparsity argument [33], the prover aims to convince the verifier that he knows how to open a commitment $\mathfrak{A}_{i1}$ to $(a, r)$, such that at most one coefficient $a_I$ is non-zero. If, in addition, $a_I = 1$, then we have a unit vector argument [19]. A 1-sparsity argument can be constructed by using square span programs [16], an especially efficient variant of the quadratic span programs of [22]. We prove its security in the GBGM and therefore use a technique similar to that of [27]; this introduces some complications, as we demonstrate below. While we start from the ideas behind the unit vector argument of [19], we only obtain a 1-sparsity argument. Then, in Sect. 5, we show how to obtain an efficient permutation matrix argument from it.

Clearly, $a \in \mathbb{Z}_q^n$ is a unit vector iff the following $n + 1$ conditions hold [19]:

- $a_i \in \{0, 1\}$ for $i \in [1\,..\,n]$ (i.e., $a$ is Boolean), and

- $\sum_{i=1}^n a_i = 1$.

Let $\{0, 2\}^{n+1}$ denote the set of $(n+1)$-dimensional vectors where every coefficient is from $\{0, 2\}$, let $\circ$ denote the Hadamard (entry-wise) product of two vectors, let $V := \binom{2 I_n}{\mathbf{1}_n^\top} \in \mathbb{Z}_q^{(n+1) \times n}$ and $b := \binom{\mathbf{0}_n}{1} \in \mathbb{Z}_q^{n+1}$. Clearly, the above $n + 1$ conditions hold iff $Va + b \in \{0, 2\}^{n+1}$, i.e.,

$$(Va + b - \mathbf{1}_{n+1}) \circ (Va + b - \mathbf{1}_{n+1}) = \mathbf{1}_{n+1}. \tag{6}$$

Let $\omega_i$, $i \in [1\,..\,n+1]$, be $n + 1$ different values. Let

$$Z(X) := \prod_{i=1}^{n+1} (X - \omega_i)$$

be the unique degree $n + 1$ monic polynomial such that $Z(\omega_i) = 0$ for all $i \in [1\,..\,n+1]$. Let the $i$th Lagrange basis polynomial

$$\ell_i(X) := \prod_{j \in [1\,..\,n+1],\, j \neq i} \frac{X - \omega_j}{\omega_i - \omega_j}$$

be the unique degree $n$ polynomial such that $\ell_i(\omega_i) = 1$ and $\ell_i(\omega_j) = 0$ for $j \neq i$.

For $i \in [1\,..\,n]$, let $P_i(X)$ be the polynomial that interpolates the $i$th column of the matrix $V$. That is,

$$P_i(X) = 2\ell_i(X) + \ell_{n+1}(X)$$

for $i \in [1\,..\,n]$. Let

$$P_0(X) = \ell_{n+1}(X) - 1$$

be the polynomial that interpolates $b - \mathbf{1}_{n+1}$. In the rest of this paper, we will heavily use the following simple result.

Lemma 2. $\{P_i(X)\}_{i=0}^n$ is linearly independent.

Proof. Assume that $\sum_{i=0}^n b_i P_i(X) = 0$ for some constants $b_i$. Thus, $\sum_{i=0}^n b_i P_i(\omega_k) = 0$ for each $k$. Consider any $k \in [1\,..\,n]$. Then,

$$0 = b_0 P_0(\omega_k) + \sum_{i=1}^n b_i P_i(\omega_k) = b_0(\ell_{n+1}(\omega_k) - 1) + \sum_{i=1}^n b_i \big(2\ell_i(\omega_k) + \ell_{n+1}(\omega_k)\big) = -b_0 + 2b_k.$$

Thus, $b_k = b_0/2$ for $k \in [1\,..\,n]$. Consider now the case $k = n + 1$; then

$$0 = b_0 P_0(\omega_{n+1}) + \sum_{i=1}^n b_i P_i(\omega_{n+1}) = b_0(\ell_{n+1}(\omega_{n+1}) - 1) + \sum_{i=1}^n b_i \big(2\ell_i(\omega_{n+1}) + \ell_{n+1}(\omega_{n+1})\big) = \sum_{i=1}^n b_i = \frac{n}{2} \cdot b_0.$$

Thus $b_k = 0$ for $k \in [0\,..\,n]$. □
We arrive at the polynomial $Q(X) = \big(\sum_{i=1}^n a_i P_i(X) + P_0(X)\big)^2 - 1 = (P_I(X) + P_0(X))^2 - 1$ (here, we used the fact that $a = e_I$ for some $I \in [1\,..\,n]$), such that $a$ is a unit vector iff $Z(X) \mid Q(X)$. As in [27], to obtain privacy, we now add randomness $A_\varrho X_\varrho$ to $Q(X)$, arriving at the degree $2n$ polynomial

$$Q_{wi}(X, X_\varrho) = (P_I(X) + P_0(X) + A_\varrho X_\varrho)^2 - 1. \tag{7}$$

Here, $X_\varrho$ is a special independent random variable, and $A_\varrho \leftarrow_r \mathbb{Z}_q$. This means that we will use an instantiation of the polynomial commitment scheme (see Sect. 4) with $P_i(X)$ defined as in the current subsection.

The new 1-sparsity argument is the subargument of the shuffle argument of Protocol 1, where the verifier only executes the verification step Eq. (1) for one concrete value of $i$.

Theorem 2. Consider $i \in [1\,..\,n]$. The 1-sparsity argument is perfectly complete. The following holds in the GBGM, given that the generic adversary works in polynomial time. If the honest verifier accepts on Step 3 for this $i$, then there exists $I \in [1\,..\,n]$, such that

$$\mathfrak{A}_{i1} = g_1^{a(x) + A_\varrho \varrho + A_\alpha(\alpha + P_0(x))}, \tag{8}$$

where $a(X) = (1 + A_\alpha) P_I(X)$ for some constant $A_\alpha$.

Proof. Completeness: For an honest prover, $\mathfrak{A}_{i1} = g_1^{A(x)}$, $\mathfrak{A}_{i2} = g_2^{B(x)}$ and $\pi_{1sp:i} = g_1^{C(x)}$, where $A(X) = B(X) = P_I(X) + A_\varrho X_\varrho$ and $C(X) = 2A_\varrho \cdot (A(X) + P_0(X)) - A_\varrho^2 X_\varrho + Q_{wi}(X, X_\varrho)/X_\varrho$. Write

$$V_{1sp}(X) := (A(X) + X_\alpha + P_0(X)) \cdot (B(X) - X_\alpha + P_0(X)) - C(X) \cdot X_\varrho - (1 - X_\alpha^2). \tag{9}$$

The verification equation Eq. (1) asserts that $V_{1sp}(x) = 0$. This simplifies to $V_{1sp}(X) = (A_\varrho X_\varrho + P_I(X) + P_0(X))^2 - 1 - Q_{wi}(X, X_\varrho)$. Hence, for an honest prover, it follows from Eq. (7) that $V_{1sp}(x) = 0$.

Soundness: Assume that the verifier has accepted inputs $\mathrm{cell}_{i_1} = A(X)$, $\mathrm{cell}_{i_2} = B(X)$, and $\mathrm{cell}_{i_3} = C(X)$, for some polynomials $A(X)$, $B(X)$, and $C(X)$. In the GBGM, the adversary knows all coefficients. (This corresponds to $\mathfrak{A}_{i1} = g_1^{A(x)}$, $\mathfrak{A}_{i2} = g_2^{B(x)}$, $\pi_{1sp:i} = g_1^{C(x)}$.) Let $V_{1sp}(X)$ then be as in Eq. (9) with $A(X)$, $B(X)$, and $C(X)$ as in Eq. (5). Let $V^*_{1sp}(X) := X_\varrho X_\beta$. Clearly, $V_{1sp}(X) \cdot V^*_{1sp}(X)$ is a polynomial, with $\deg(V_{1sp}(X) \cdot V^*_{1sp}(X)) \le 3n + 1$. Since the verifier accepts, $V_{1sp}(X) = 0$ as a polynomial.

In Table 2, we list all the coefficients of $\mu(i) = X_\alpha^{i_1} X_\varrho^{i_2} X_\beta^{i_3} X_\gamma^{i_4}$ in $V_{1sp}(X) \cdot V^*_{1sp}(X)$. We remark that we found those polynomials by using a computer algebra system¹, but they can be verified manually.


¹ In the concrete case, Mathematica 9.0, but any other reasonably powerful system can be used. See [1] for references on the prior use of computer algebra systems to prove security in the generic (bilinear) group model.
Table 2. $\mathrm{coeff}_{\mu(i)}(V_{1sp}(X) \cdot V^*_{1sp}(X))$, where $\mu(i) = X_\alpha^{i_1} X_\varrho^{i_2} X_\beta^{i_3} X_\gamma^{i_4}$

$\{i_1, \dots, i_4\}$ : $\mathrm{coeff}_{\mu(i)}(V_{1sp}(X) \cdot V^*_{1sp}(X))$

{1,2,1,0} : $-A_\varrho(B_\alpha + 1) + (A_\alpha + 1)B_\varrho - C_\alpha$

{1,2,0,1} : $-A_\gamma(B_\alpha + 1)$

{1,2,0,0} : $-A_{\varrho\beta}(B_\alpha + 1)$

{1,1,2,0} : $(A_\alpha + 1)B_\beta$

{1,1,1,1} : $(A_\alpha + 1)B_\gamma$

{1,1,1,0} : $-a(X)(B_\alpha + 1) + (A_\alpha + 1)(b(X) + B_1) - A_0(B_\alpha + 1)P_0(X)$

{1,0,1,0} : $-(B_\alpha + 1)Z(X)a^\dagger(X)$

{0,3,1,0} : $A_\varrho B_\varrho - C_\varrho$

{0,3,0,1} : $A_\gamma B_\varrho - C_\gamma$

{0,3,0,0} : $A_{\varrho\beta}B_\varrho - C_{\varrho\beta}$

{0,2,2,0} : $A_\varrho B_\beta$

{0,2,1,1} : $A_\gamma B_\beta + A_\varrho B_\gamma$

{0,2,1,0} : $a(X)B_\varrho + A_\varrho(b(X) + B_1) + A_{\varrho\beta}B_\beta + P_0(X)\big(A_\varrho(B_\alpha + 1) + (A_\alpha + A_0 + 1)B_\varrho - C_\alpha - C_0\big) - c(X)$

{0,2,0,2} : $A_\gamma B_\gamma$

{0,2,0,1} : $A_\gamma(b(X) + B_1) + A_{\varrho\beta}B_\gamma + A_\gamma(B_\alpha + 1)P_0(X)$

{0,2,0,0} : $A_{\varrho\beta}(b(X) + B_1) + A_{\varrho\beta}(B_\alpha + 1)P_0(X)$

{0,1,2,0} : $a(X)B_\beta + (A_\alpha + A_0 + 1)B_\beta P_0(X)$

{0,1,1,1} : $a(X)B_\gamma + (A_\alpha + A_0 + 1)B_\gamma P_0(X)$

{0,1,1,0} : $-Z(X)c^\dagger(X) + P_0(X)\big(a(X)(B_\alpha + 1) + (A_\alpha + A_0 + 1)(b(X) + B_1)\big) + a(X)(b(X) + B_1) + (A_\alpha + A_0 + 1)(B_\alpha + 1)P_0(X)^2 - 1 + B_\varrho Z(X)a^\dagger(X)$

{0,0,2,0} : $B_\beta Z(X)a^\dagger(X)$

{0,0,1,1} : $B_\gamma Z(X)a^\dagger(X)$

{0,0,1,0} : $Z(X)(b(X) + B_1)a^\dagger(X) + (B_\alpha + 1)P_0(X)Z(X)a^\dagger(X)$


Consider now each monomial of $\mathrm{coeff}_{\mu(i)}(V_{1sp}(X) \cdot V^*_{1sp}(X)) = 0$ as a polynomial $F_i(Y)$ of formal variables $Y := (a(X), A_\varrho, A_\alpha, \dots, C_\gamma)$ (i.e., in all coefficients of $A(X)$, $B(X)$, and $C(X)$). We can now set $F_i(Y) = 0$ for each monomial, and the solution set of this system of polynomial equations gives us all possible ways in which the adversary can "cheat". However, the resulting polynomial equation system is too complicated, and moreover, it contains some formal variables that are not linearly independent, like $a(X)$ and $a^\dagger(X)$.

We hence execute two additional steps. First, we take into account (by using Lemma 2) that $P_0(X)$ is linearly independent of all other polynomials except the "daggered" polynomials $a^\dagger(X)$ and $c^\dagger(X)$. This allows us to simplify some of the coefficients and gives some more polynomial equations. After that step, we get a new polynomial equation system $\{F_i(Y) = 0\}$ for some polynomials $F_i$.

Second, we use a computer algebra system to derive a Gröbner basis [11] in the variables $Y$ for the system $\{F_i(Y) = 0\}$. By using lexicographic order (more precisely, we used the function GroebnerBasis of Mathematica, with parameters MonomialOrder -> Lexicographic and Method -> "Buchberger"), we get the Gröbner basis in Fig. 1.


$C_\gamma$

$C_{\varrho\beta}$

$4C_\varrho - C_0(C_0 + 2C_\alpha)$

$c(X)^2 + 2(C_0 + C_\alpha)P_0(X)c(X) + (C_0 + C_\alpha)^2\big(P_0(X)^2 - Z(X)c^\dagger(X) - 1\big)$

$B_\beta$

$B_\gamma$

$2B_\varrho - (B_\alpha + 1)(C_0 + 2C_\alpha)$

$(b(X) + B_1)(C_0 + C_\alpha) - c(X)(B_\alpha + 1)$

$b(X)c(X) + \big(B_1 + 2(B_\alpha + 1)P_0(X)\big)c(X) + (B_\alpha + 1)(C_0 + C_\alpha)\big(P_0(X)^2 - Z(X)c^\dagger(X) - 1\big)$

$-(B_\alpha + 1)^2 - B_\alpha(B_\alpha + 2)Z(X)c^\dagger(X) - Z(X)c^\dagger(X) + \big(b(X) + B_1 + (B_\alpha + 1)P_0(X)\big)^2$

$A_\gamma$

$A_{\varrho\beta}$

$Z(X)a^\dagger(X)$

$A_0$

$B_\alpha + A_\alpha(B_\alpha + 1)$

$2A_\varrho - (A_\alpha + 1)C_0$

$a(X) - (A_\alpha + 1)^2(b(X) + B_1)$


Fig. 1. Gröbner basis $\{B_i(Y)\}$


The system of polynomial equations $\{B_i(Y) = 0\}$ can be solved manually. First, we simplify this system by setting $C_\gamma = 0$, $C_{\varrho\beta} = 0$, $B_\beta = 0$, $B_\gamma = 0$, $A_\gamma = 0$, $A_{\varrho\beta} = 0$, $a^\dagger(X) = 0$, $A_0 = 0$, $B_\alpha = -A_\alpha/(A_\alpha + 1)$, $C_0 = 2A_\varrho/(A_\alpha + 1)$, $b(X) = a(X)/(A_\alpha + 1)^2 - B_1$, $C_\varrho = (A_\alpha + 1)B_\varrho\big((A_\alpha + 1)B_\varrho - C_\alpha\big)$. Then, we get a new system of polynomial equations, with the Gröbner basis $\{B'_i(Y) = 0\}$ as given in Fig. 2.

We can further simplify this system by noting that $C_\alpha = (A_\alpha + 1)B_\varrho - A_\varrho/(A_\alpha + 1)$ and thus $c(X) = a(X)\big(A_\varrho/(A_\alpha + 1)^2 + B_\varrho\big)$. By inserting those two values into the Gröbner basis $\{B'_i(Y)\}$, we get that the resulting system of polynomial equations has the following simple Gröbner basis $\{B''_i(Y)\}$:

$$\Big( (A_\alpha + 1)^2\big(-Z(X)c^\dagger(X) + P_0(X)^2 - 1\big) + 2a(X)(A_\alpha + 1)P_0(X) + a(X)^2 \Big).$$


$-\big(C_\alpha - 2(A_\alpha + 1)B_\varrho\big)^2\big(-Z(X)c^\dagger(X) + P_0(X)^2 - 1\big) + 2c(X)P_0(X)\big(C_\alpha - 2(A_\alpha + 1)B_\varrho\big) - c(X)^2$

$\big(C_\alpha - 2(A_\alpha + 1)B_\varrho\big)^2\big(-Z(X)c^\dagger(X) + P_0(X)^2 - 1\big) + 2c(X)P_0(X)\big(2(A_\alpha + 1)B_\varrho - C_\alpha\big) + c(X)^2$

$(A_\alpha + 1)\big(C_\alpha - (A_\alpha + 1)B_\varrho\big) + A_\varrho$

$(A_\alpha + 1)\Big(2(A_\alpha + 1)B_\varrho\big(-Z(X)c^\dagger(X) + P_0(X)^2 - 1\big) + C_\alpha\big(Z(X)c^\dagger(X) - P_0(X)^2 + 1\big) + 2c(X)P_0(X)\Big) + a(X)c(X)$

$-(A_\alpha + 1)\big(c(X) - 2a(X)B_\varrho\big) - a(X)C_\alpha$

$a(X)\Big(\frac{C_\alpha}{A_\alpha + 1} - 2B_\varrho\Big) + c(X)$

$(A_\alpha + 1)^2\big(-Z(X)c^\dagger(X) + P_0(X)^2 - 1\big) + 2a(X)(A_\alpha + 1)P_0(X) + a(X)^2$


Fig. 2. Gröbner basis $\{B'_i(Y)\}$


By solving $B''_i(Y) = 0$, we get

$$c^\dagger(X) = \frac{\Big(\frac{a(X)}{A_\alpha + 1} + P_0(X)\Big)^2 - 1}{Z(X)},$$

which is a witness that $a(X)/(A_\alpha + 1) = P_I(X)$ for some $I$.

Hence, if verification Step 3 in Protocol 1 succeeds for $j = i$, then, after replacing all coefficients with the values derived in this proof, we get

$$A(X) = a(X) + A_\varrho X_\varrho + A_\alpha\big(X_\alpha + P_0(X)\big),$$

$$B(X) = \frac{a(X)}{(A_\alpha + 1)^2} + B_\varrho X_\varrho + \frac{A_\alpha\big(X_\alpha - P_0(X)\big)}{A_\alpha + 1}.$$

Hence, Eq. (8) holds. □


5.2 Permutation Matrix Argument

Assume we explicitly compute $\mathfrak{A}_{n1} = g_1^{\sum_{i=1}^n P_i(x)} \big/ \prod_{j=1}^{n-1} \mathfrak{A}_{j1}$ as in Protocol 1, and then apply the 1-sparsity argument to each $\mathfrak{A}_{i1}$, $i \in [1\,..\,n]$. Then, as in [33], we get that $(\mathfrak{A}_{11}, \dots, \mathfrak{A}_{n1})$ commits to a permutation matrix. More precisely, according to Eq. (8), the $i$th commitment is represented by the polynomial

$$A_i(X) = a_i(X) + A_{\varrho i} X_\varrho + A_{\alpha i} \cdot \big(X_\alpha + P_0(X)\big),$$

where $a_i(X)/(1 + A_{\alpha i}) = P_{I(i)}(X)$ for some $I$. Since $\sum_{i=1}^n A_i(X) = \sum_{i=1}^n P_i(X)$, we get in particular that $\sum_{i=1}^n (A_{\alpha i} + 1) P_{I(i)}(X) = \sum_{i=1}^n P_i(X)$. Since, due to Lemma 2, $\{P_i(X)\}_{i=0}^n$ is linearly independent, it means that $A_{\alpha i} = 0$ for each $i$, and $I = \sigma^{-1}$ is a permutation.
Theorem 3. The described permutation matrix argument is perfectly complete. The following holds in the GBGM, assuming that the generic adversary works in polynomial time. If the honest verifier accepts Eq. (1) for all $i \in [1\,..\,n]$, and $(\mathfrak{A}_{n1}, \mathfrak{A}_{n2})$ is explicitly computed as in Protocol 1, then there exists a permutation $\sigma \in S_n$ and randomizers $A_{\varrho i}$, such that

(10)

for all $i \in [1\,..\,n]$.


6 Validity Argument

The shuffle argument employs validity arguments for $(\pi_{c2:1}, \pi_{c2:2})$ and for each $i$. We outline this argument for $(\pi_{c2:1}, \pi_{c2:2})$; the argument is the same for $(\mathfrak{v}'_{i1}, \mathfrak{v}'_{i2})$. More precisely, in the validity argument for $(\pi_{c2:1}, \pi_{c2:2})$, the verifier checks Eq. (2), and this argument guarantees that in the GBGM, $V_{val:j}(X) = 0$ for $j \in [1\,..\,3]$.
Table 3. $\mathrm{coeff}_{\mu(i)}(V_{val:j}(X) \cdot X_\varrho X_\beta)$, where $\mu(i) = X_\alpha^{i_1} X_\varrho^{i_2} X_\beta^{i_3} X_\gamma^{i_4}$

$\{i_1, \dots, i_4\}$ : $\mathrm{coeff}_{\mu(i)}(V_{val:j}(X) \cdot X_\varrho X_\beta)$

{1,2,1,0} : $E_{2j,\alpha}$

{1,1,2,0} : $E_{1j,\alpha}$

{0,3,1,0} : $-E_{2j,\varrho}$

{0,2,2,0} : $E_{1j,\varrho} - E_{2j,\beta}$

{0,2,1,1} : $E_{1j,\gamma} - E_{2j,\gamma}$

{0,2,1,0} : $E_{1j,\varrho\beta} - e_{2j}(X) - E_{2j,\alpha}P_0(X) - E_{2j,1}$

{0,1,2,0} : $e_{1j}(X) + (E_{1j,\alpha} + E_{1j,0})P_0(X)$

{0,0,2,0} : $Z(X)e^\dagger_{1j}(X)$


In this case, it is much easier to solve the resulting polynomial system of equations than it was in Sect. 5. First, we find the coefficients of $\mu(i) = X_\alpha^{i_1} X_\varrho^{i_2} X_\beta^{i_3} X_\gamma^{i_4}$ in $V_{val:j}(X) \cdot X_\varrho X_\beta$, see Table 3. Taking into account (see Lemma 2) that $\{P_i(X)\}_{i=0}^n$ are linearly independent and that $1 \notin \mathrm{span}\{P_i(X)\}_{i=1}^n$, we get from solving this polynomial system of equations that

$$E_{1j}(X) = \big(E_{1j,\varrho\beta} + E_{2j,\beta} X_\beta + E_{2j,\gamma} X_\gamma\big) X_\varrho / X_\beta,$$

$$E_{2j}(X) = E_{1j,\varrho\beta} + E_{2j,\beta} X_\beta + E_{2j,\gamma} X_\gamma, \quad \text{and thus}$$

$$M_E(X) = M_{E:1}(X) = M_{E:2}(X) = E_{23}(X) - E_{22}(X)/(X_\gamma + 1) - E_{21}(X)/X_\gamma$$

$$= M_{E:1} + M_{E:2} X_\beta + M_{E:3} X_\gamma + \frac{M_{E:4}}{X_\gamma} + \frac{M_{E:5} X_\beta}{X_\gamma} + \frac{M_{E:6}}{X_\gamma + 1} + \frac{M_{E:7} X_\beta}{X_\gamma + 1} \tag{11}$$

for some coefficients $M_{E:j}$ known to the adversary. Here, say, $M_{E:2}(X) = E_{23}(X) - E_{22}(X)/(X_\gamma + 1) - E_{21}(X)/X_\gamma$; we will call such an operation a "generic decryption" in group $\mathbb{G}_k$.


Theorem 4. The validity argument for $(\pi_{c2:1}, \pi_{c2:2})$ is perfectly complete. The following holds in the GBGM, assuming that the generic adversary works in polynomial time. If the honest verifier accepts Eq. (2), then the generic adversary knows coefficients $M_{E:j}$, s.t. $\mathrm{dec}_{sk}(\pi_{c2}) = M_E(x)$ where $M_E(X)$ is as in Eq. (11).

Assuming similarly that also the validity of $V_{i1j}(X)$, $V_{i2j}(X)$, $V'_{1j}(X)$, and $V'_{2j}(X)$ is checked, we get that

$$V_{i1j}(X) = \big(V_{i1j,\varrho\beta} + V_{i2j,\beta} X_\beta + V_{i2j,\gamma} X_\gamma\big) X_\varrho / X_\beta,$$

$$V_{i2j}(X) = V_{i1j,\varrho\beta} + V_{i2j,\beta} X_\beta + V_{i2j,\gamma} X_\gamma,$$

$$V'_{1j}(X) = \big(V'_{1j,\varrho\beta} + V'_{2j,\beta} X_\beta + V'_{2j,\gamma} X_\gamma\big) X_\varrho / X_\beta,$$

$$V'_{2j}(X) = V'_{1j,\varrho\beta} + V'_{2j,\beta} X_\beta + V'_{2j,\gamma} X_\gamma, \quad \text{and thus}$$

$$M_i(X) = M_{i1}(X) = M_{i2}(X) = V_{i23}(X) - V_{i22}(X)/(X_\gamma + 1) - V_{i21}(X)/X_\gamma$$

$$= M_{i1} + M_{i2} X_\beta + M_{i3} X_\gamma + \frac{M_{i4}}{X_\gamma} + \frac{M_{i5} X_\beta}{X_\gamma} + \frac{M_{i6}}{X_\gamma + 1} + \frac{M_{i7} X_\beta}{X_\gamma + 1},$$

$$M'_i(X) = M'_{i1}(X) = M'_{i2}(X) = V'_{23}(X) - V'_{22}(X)/(X_\gamma + 1) - V'_{21}(X)/X_\gamma$$

$$= M'_{i1} + M'_{i2} X_\beta + M'_{i3} X_\gamma + \frac{M'_{i4}}{X_\gamma} + \frac{M'_{i5} X_\beta}{X_\gamma} + \frac{M'_{i6}}{X_\gamma + 1} + \frac{M'_{i7} X_\beta}{X_\gamma + 1} \tag{12}$$

for some coefficients $M_{ik}$, $M'_{ik}$, $k \in [1\,..\,7]$, known to the adversary.


Corollary 2. The validity argument for $(\mathfrak{v}'_{i1}, \mathfrak{v}'_{i2})$ is perfectly complete. The following holds in the GBGM, assuming that the generic adversary works in polynomial time. If the honest verifier accepts Eq. (3) for some $i \in [1\,..\,n]$, then the generic adversary knows coefficients $M'_{ik}$, s.t. $\mathrm{dec}_{sk}(\mathfrak{v}'_i) = M'_i(x)$ where $M'_i(X)$ is as in Eq. (12).


7 Consistency Argument

We call the subargument of Protocol 1, where the verifier only executes the last verification (namely, Eq. (4)), the consistency argument. Intuitively, the consistency argument guarantees that the ciphertexts have been permuted by using the same permutation according to which the elements $g_2^{P_i(x)}$ were permuted inside the commitments $\mathfrak{A}_i$.

According to Sects. 5 and 6, the permutation matrix argument and the validity arguments are "sound". In what follows, we show that if the verifier executes all verification steps in Protocol 1, then this shuffle argument is sound in the GBGM. Now, we are finally able to finish the soundness proof of Theorem 1.

Proof (of Theorem 1). Since all the batch verifications in Protocol 1 accept, by Corollary 1 we have that with probability $\ge 1 - 3/q$ all individual equations also hold. Since the permutation matrix argument and the ciphertext validity argument are sound, Eq. (8) and Eq. (12) hold with overwhelming probability for all $i$.

Since we have a generic adversary, from the verification equation Eq. (4) we get that $V_{cons:j}(X) = 0$ for $j \in [1\,..\,3]$, where

$$V_{cons:1}(X) = \sum_i \big(V'_{i11}(X) - V_{\sigma(i)11}(X)\big) P_i(X) - \sum_i V_{i11}(X) r_i X_\varrho - D_1(X) X_\varrho X_\gamma / X_\beta + E_{11}(X) X_\varrho,$$

$$V_{cons:2}(X) = \sum_i \big(V'_{i12}(X) - V_{\sigma(i)12}(X)\big) P_i(X) - \sum_i V_{i12}(X) r_i X_\varrho - D_2(X)(X_\gamma + 1) X_\varrho / X_\beta + E_{12}(X) X_\varrho,$$

$$V_{cons:3}(X) = \sum_i \big(V'_{i13}(X) - V_{\sigma(i)13}(X)\big) P_i(X) - \sum_i V_{i13}(X) r_i X_\varrho - D_1(X) X_\varrho / X_\beta - D_2(X) X_\varrho / X_\beta + E_{13}(X) X_\varrho$$


are rational functions. By doing a "generic decryption", define $M_i(X)$, $M'_i(X)$, and $M_E(X)$ as in Eq. (5). Then we get that $V_{cons}(X) = 0$, where

$$V_{cons}(X) = \frac{V_{cons:3}(X) X_\beta}{X_\varrho} - \frac{V_{cons:2}(X) X_\beta}{X_\varrho (X_\gamma + 1)} - \frac{V_{cons:1}(X) X_\beta}{X_\varrho X_\gamma} = \sum_i \big(M'_i(X) - M_{\sigma(i)}(X)\big) P_i(X) - \Big(\sum_i M_i(X) r_i - M_E(X)\Big) X_\varrho = 0$$

is again a "generic decryption". Clearly, the last equality holds independently of the shape of $D_j(X)$.

Now, since the validity argument is sound, $M_E(X)$ is as in Eq. (11) and $M_i(X)$ and $M'_i(X)$ are as in Eq. (12). Denote $V^*_{cons}(X) := X_\gamma(X_\gamma + 1)$. Inserting the obtained representations of $M_i(X)$, $M'_i(X)$, and $M_E(X)$ into $V_{cons}(X)$, we find the coefficients of $V_{cons}(X) \cdot V^*_{cons}(X)$, as given in Table 4.

Since $\{P_i(X)\}$ is linearly independent, this directly gives us $M_{\sigma(i)j} = M'_{ij}$ for each $j \in [2\,..\,5]$, and hence also for $j = 7$, as needed. In addition, we get that $M_{\sigma(i)1} + M_{\sigma(i)3} = M'_{i1} + M'_{i3}$ (and hence $M_{\sigma(i)1} = M'_{i1}$) and $M_{\sigma(i)1} + M_{\sigma(i)4} + M_{\sigma(i)6} = M'_{i1} + M'_{i4} + M'_{i6}$ (and hence $M_{\sigma(i)6} = M'_{i6}$). Hence, we have proven that $M_{\sigma(i)}(X) = M'_i(X)$ as a polynomial, which gives us soundness of the new shuffle argument in the GBGM.

Let us now compute a lower bound on the efficiency of a generic adversary. Assume that after some $\tau$ steps, the adversary has made a successful equality query $(=, i_1, i_2)$, i.e., $\mathrm{cell}_{i_1} = \mathrm{cell}_{i_2}$ for $i_1 \neq i_2$. Hence, she has found a collision $B_1(x) = B_2(x)$ such that $B_1(X) \neq B_2(X)$. If $\mathrm{type}_{i_1} \in \{1, T\}$ (this is not needed for group $\mathbb{G}_2$, since we do not have rational functions there), then redefine $B_j(X) := B_j(X) \cdot X_\varrho X_\beta$: this guarantees that $B_j(X)$ is a polynomial. Thus,

$$B_1(x) - B_2(x) = 0 \pmod q. \tag{13}$$


Note that

- If $\mathrm{type}_{i_1} = 1$, then $\deg B_j(X) \le 2n + 1 =: d_1$,

- If $\mathrm{type}_{i_1} = 2$, then $\deg B_j(X) \le n =: d_2$, and thus

- If $\mathrm{type}_{i_1} = T$, then $\deg B_j(X) \le (2n + 1) + n = 3n + 1 =: d_T$.


Table 4. $\mathrm{coeff}_{\mu(i)}(V_{cons}(X) \cdot V^*_{cons}(X))$, where $\mu(i) = X_\alpha^{i_1} X_\varrho^{i_2} X_\beta^{i_3} X_\gamma^{i_4}$

$\{i_1, \dots, i_4\}$ : $\mathrm{coeff}_{\mu(i)}(V_{cons}(X) \cdot V^*_{cons}(X))$

{0,1,1,2} : $M_{E:2} - \sum_i M_{i2} r_i$

{0,1,0,3} : $M_{E:3} - \sum_i M_{i3} r_i$

{0,1,0,0} : $M_{E:4} - \sum_i M_{i4} r_i$

{0,1,1,0} : $M_{E:5} - \sum_i M_{i5} r_i$

{0,1,1,1} : $M_{E:2} + M_{E:5} + M_{E:7} - \sum_i (M_{i2} + M_{i5} + M_{i7}) r_i$

{0,1,0,2} : $M_{E:1} + M_{E:3} - \sum_i (M_{i1} + M_{i3}) r_i$

{0,1,0,1} : $M_{E:1} + M_{E:4} + M_{E:6} - \sum_i (M_{i1} + M_{i4} + M_{i6}) r_i$

{0,0,1,2} : $\sum_i \big(M'_{i2} - M_{\sigma(i)2}\big) P_i(X)$

{0,0,0,3} : $\sum_i \big(M'_{i3} - M_{\sigma(i)3}\big) P_i(X)$

{0,0,0,0} : $\sum_i \big(M'_{i4} - M_{\sigma(i)4}\big) P_i(X)$

{0,0,1,0} : $\sum_i \big(M'_{i5} - M_{\sigma(i)5}\big) P_i(X)$

{0,0,0,2} : $\sum_i \big((M'_{i1} + M'_{i3}) - (M_{\sigma(i)1} + M_{\sigma(i)3})\big) P_i(X)$

{0,0,0,1} : $\sum_i \big((M'_{i1} + M'_{i4} + M'_{i6}) - (M_{\sigma(i)1} + M_{\sigma(i)4} + M_{\sigma(i)6})\big) P_i(X)$

{0,0,1,1} : $\sum_i \big((M'_{i2} + M'_{i5} + M'_{i7}) - (M_{\sigma(i)2} + M_{\sigma(i)5} + M_{\sigma(i)7})\big) P_i(X)$

Due to the Schwartz-Zippel lemma, since $x$ is chosen uniformly at random from $\mathbb{Z}_q^2 \times (\mathbb{Z}_q \setminus \{0\})^2 \times (\mathbb{Z}_q \setminus \{0, -1\})$, and since $B_1(X) \neq B_2(X)$ as a polynomial, Eq. (13) holds with probability at most $\deg B_j(X)/(q - 2) \le d_{\mathrm{type}_{i_1}}/(q - 2)$. Clearly, an adversary working in time $\tau$ can generate up to $\tau$ new group elements. Then the probability that there exists a collision between any two of those group elements is upper bounded by $\binom{\tau}{2} \cdot \deg B_j(X)/(q - 2) \le \binom{\tau}{2} \cdot d_{\mathrm{type}_{i_1}}/(q - 2) < \tau^2/2 \cdot d_{\mathrm{type}_{i_1}}/(q - 2)$. Thus, a successful adversary on average requires time at least

$$\tau^2 \ge 2(q - 2)/d_{\mathrm{type}_{i_1}} \ge 2(q - 2)/d_T = 2(q - 2)/(3n + 1)$$

to produce a collision. Simplifying, we get $\tau \in \Omega(\sqrt{q/n})$. □

8 Zero-Knowledge

Theorem 5. The new shuffle argument is perfectly zero-knowledge.

Proof. Consider the simulator Sim that, given the CRS crs, the trapdoor $\mathrm{td} = (x, \varrho)$, and input $(\mathfrak{v}, \mathfrak{v}')$, simulates the prover in the shuffle argument. If the simulator can create an accepting argument with the correct distribution for any $(\mathfrak{v}, \mathfrak{v}')$, this means that an accepting argument provides no information on $(\mathfrak{v}, \mathfrak{v}')$ or on the relation between the two sets of ciphertexts.

The complete simulator construction is as follows:

1. For $i = 1$ to $n - 1$:

(a) Set $r_i \leftarrow_r \mathbb{Z}_q$. Compute $(\mathfrak{A}_{i1}, \mathfrak{A}_{i2}) \leftarrow (g_1, g_2)^{P_i(x) + r_i \varrho}$.

2. Set $r_n \leftarrow -\sum_{i=1}^{n-1} r_i$.

3. Set $(\mathfrak{A}_{n1}, \mathfrak{A}_{n2}) \leftarrow (g_1, g_2)^{P_n(x) + r_n \varrho}$.

4. For $i = 1$ to $n$: Compute $\pi_{1sp:i}$.

5. Set $r_s \leftarrow_r \mathbb{Z}_q$. Set $\pi_{c1:1}$ and $\pi_{c1:2}$ as commitments in $\mathbb{G}_2$ with randomizer $r_s$ (they commit to 0).

6. Compute $\pi_{c2:1} \leftarrow \prod_{i=1}^n \big((\mathfrak{v}'_{i1})^{P_i(x)/\varrho} / (\mathfrak{v}_{i1})^{P_i(x)/\varrho}\big) \cdot \mathrm{enc}_{pk_1}(0; r_s)$.

Compute $\pi_{c2:2} \leftarrow \prod_{i=1}^n \big((\mathfrak{v}'_{i2})^{P_i(x)/\varrho} / (\mathfrak{v}_{i2})^{P_i(x)/\varrho}\big) \cdot \mathrm{enc}_{pk_2}(0; r_s)$.

7. Return $\pi_{sh} := (\mathfrak{v}', (\mathfrak{A}_{i1}, \mathfrak{A}_{i2}, \pi_{1sp:i})_{i=1}^n, \pi_{c1:1}, \pi_{c1:2}, \pi_{c2:1}, \pi_{c2:2})$.

The simulator calculates all values $(\mathfrak{A}_{i1}, \mathfrak{A}_{i2}, \pi_{1sp:i})_{i=1}^n, \pi_{c1:1}, \pi_{c1:2}$ exactly as an honest prover would have when $\sigma = \mathrm{Id}$, and hence these values have the same distribution as the same values computed by an honest prover. Since the commitment scheme is obviously perfectly hiding, these values have the same distribution independently of the choice of $\sigma$. Moreover, there is a unique pair of values $\pi_{c2:1}, \pi_{c2:2}$ that satisfy Eqs. (2) and (4). (Computing $\pi_{c2:1}$ and $\pi_{c2:2}$ is the only place in the simulation where one needs the trapdoor $\mathrm{td} = (x, \varrho)$.) Thus we are left to show that our chosen values satisfy these two equations.

But assuming the ciphertexts are valid, Eq. (2) trivially holds. We get $e(\varphi_{11}^{r_s}, g_2^{\varrho}) = e(\varphi_{11}, \pi_{c1:1})$ and $e(\varphi_{12}^{r_s}, g_2^{\varrho}) = e(\varphi_{12}, \pi_{c1:2})$. Hence,

$$\prod_{i=1}^n e\big(\mathfrak{v}'_{i1}, g_2^{P_i(x)}\big) \Big/ \prod_{i=1}^n e\big(\mathfrak{v}_{i1}, \mathfrak{A}_{i2}\big) = e\Big(\prod_{i=1}^n \big((\mathfrak{v}'_{i1})^{P_i(x)/\varrho} / (\mathfrak{v}_{i1})^{P_i(x)/\varrho + r_i}\big), g_2^{\varrho}\Big) = e(\varphi_{11}, \pi_{c1:1})\, e(\varphi_{12}, \pi_{c1:2}) \big/ e(\pi_{c2:1}, g_2^{\varrho}),$$

so the verifier will accept the shuffle argument. As the simulator did not know anything about the honest prover's permutation $\sigma$, the shuffle argument is thus perfectly zero-knowledge. □

9 Efficiency

We use exponentiation speed records from [10] and pairing speed records from [2] for Barreto-Naehrig curves. According to Table 4 in [10], a pairing, an exponentiation in $\mathbb{G}_1$, an exponentiation in $\mathbb{G}_2$, and an exponentiation in $\mathbb{G}_T$ take respectively 7.0, 0.9, 1.8, and 3.1 million clock cycles on the Core i7-3520M CPU. This does not take into account the possible speed-ups from fast fixed-base exponentiation or multi-exponentiation algorithms. Thus, all following comparisons are imprecise, and are only meant to give a rough feel for the difference. They also depend on the known speed records for implementing pairings and exponentiations.
Prover's Computation:

- Step 1: $n - 1$ exponentiations in $\mathbb{G}_1$, $n - 1$ exponentiations in $\mathbb{G}_2$.

- Step 4: $2n$ exponentiations in $\mathbb{G}_1$.

- Step 5a: $3n$ exponentiations in $\mathbb{G}_1$, $3n$ exponentiations in $\mathbb{G}_2$.

- Step 6a: $2n + 2$ exponentiations in $\mathbb{G}_2$.

- Step 6b: $3n + 3$ exponentiations in $\mathbb{G}_1$, $3n + 3$ exponentiations in $\mathbb{G}_2$.

Hence, the prover executes $9n + 2$ exponentiations in $\mathbb{G}_1$ and $9n + 4$ exponentiations in $\mathbb{G}_2$. Here, all costly (i.e., at least $n$-wide) exponentiations can be written as either multi-exponentiations or fixed-base exponentiations (e.g., Step 5a) and are hence relatively cheap. The only exception is the computation of the general exponentiations of the form $(\cdot)^{2 r_i}$ for $i \in [1\,..\,n]$. Taking $n$ million clock cycles as the basic unit (and not taking into account possible speed-ups by employing fast multi-exponentiation and fixed-base exponentiation algorithms), the prover's computation is dominated by $9 \cdot 0.9 + 9 \cdot 1.8 = 24.3$ units.


Verifier's Computation: by using batching techniques [4,31], we reduced the number of pairings by introducing a number of exponentiations either in $\mathbb{G}_1$, $\mathbb{G}_2$, or $\mathbb{G}_T$. The verifier does:

- Step 3: $2n$ exponentiations in $\mathbb{G}_1$, 1 exponentiation in $\mathbb{G}_T$, and $n + 1$ pairings.

- Step 4: $3n + 3$ exponentiations in $\mathbb{G}_1$, $3n + 3$ exponentiations in $\mathbb{G}_2$, and 2 pairings.

- Step 5: 2 exponentiations in $\mathbb{G}_1$, 3 exponentiations in $\mathbb{G}_2$ ($\pi_{c1:2}$ is reused), and 3 pairings.

- Step 6: $3n + 3n = 6n$ exponentiations in $\mathbb{G}_1$, and $n + n = 2n$ pairings.

In total, the verifier has to do $11n + 5$ exponentiations in $\mathbb{G}_1$, $3n + 6$ exponentiations in $\mathbb{G}_2$, 1 exponentiation in $\mathbb{G}_T$, and $3n + 6$ pairings. Taking $n$ million clock cycles as the basic unit, the verifier's computation is dominated by $11 \cdot 0.9 + 3 \cdot 1.8 + 3 \cdot 7.0 = 36.3$ units; around 58 % (21 units) of this is the cost of pairings. Also here, most of the exponentiations are multi-exponentiations or fixed-base exponentiations.

Communication: $3n + (n - 1) + n + 3 = 5n + 2$ elements from $\mathbb{G}_1$ and $3n + (n - 1) + 2 + 3 = 4n + 4$ elements from $\mathbb{G}_2$, that is, $9n + 6$ group elements. CRS length (excluding gk): $2n + 6$ elements from $\mathbb{G}_1$, $n + 6$ elements from $\mathbb{G}_2$, and 1 element from $\mathbb{G}_T$, that is, $3n + 13$ group elements.


Comparison with Prior Work. To compare, the verifier's computation in [33] (resp., [19]) is dominated by $28 \cdot 7.0 = 196$ (resp., $18 \cdot 7.0 = 126$) units. Hence, the verification of the new shuffle is effectively about 5.4 (resp., 3.5) times faster than that of the Lipmaa-Zhang (resp., Fauzi-Lipmaa) shuffle. Since verification is a bottleneck of mix-nets, this constitutes a major improvement.

In [33], the prover's computation is dominated by $28n + 11$ exponentiations, $16n + 6$ in $\mathbb{G}_1$ and $12n + 5$ in $\mathbb{G}_2$ (this also includes reshuffling), which yields $16 \cdot 0.9 + 12 \cdot 1.8 = 36$ units. In [19], the prover's computation is dominated by $18n + 3$ exponentiations, $14n + 3$ in $\mathbb{G}_1$ and $4n$ in $\mathbb{G}_2$ (this also includes reshuffling), which yields $14 \cdot 0.9 + 4 \cdot 1.8 = 19.8$ units. Hence, in the new protocol, the prover is about 1.5 times more efficient compared to [33], but about 1.2 times less efficient compared to [19].

As mentioned above, the most efficient shuffle scheme up to now [25] works in the random oracle model, which allows one to obtain better computational complexity both for the prover ($6 \cdot 0.9 = 5.4$ units) and the verifier ($6 \cdot 0.9 = 5.4$ units), assuming that computation is done in $\mathbb{G}_1$. In reality, non-pairing-friendly groups usually have somewhat faster arithmetic than pairing-friendly groups. Hence, there is still a significant gap.

10 On GBGM Versus Knowledge Assumptions

A knowledge assumption guarantees that if an adversary, given an input (that includes the CRS and some auxiliary input), outputs some values, then there exists an extractor running on the same input that outputs the same values together with some witness. Following [15], each input to the knowledge assumption has a well-defined knowledge component. Apart from that, the precise definition of a knowledge assumption is left to the imagination of its proposers. However, it is known that knowledge assumptions are unacceptable if the auxiliary input is not well chosen [5], and hence special care has to be taken when defining them.

In contrast, in the GBGM, the adversary can compute output values as a product or pairing of given inputs (and other previously computed values), so it is assumed that she knows a polynomial relationship between the discrete logarithms of her outputs and inputs. There is little need for imagination in how to define the GBGM, since this has been done before in sufficient detail [34,38]. The known impossibility results about the generic (bilinear) group model [17,21] use quite contrived constructions.

We think that the GBGM is preferable to knowledge assumptions; hence Table 1 has a highlighted cell for arguments that do not use knowledge assumptions. The validity of knowledge assumptions can and should be proven in the GBGM anyhow; indeed, one should be very suspicious of knowledge assumptions that cannot be proven in the GBGM. However, this should be done very carefully, taking into account the precise shape of the CRS and the adversary's auxiliary input. To guarantee correct use of a knowledge assumption, we think that it is prudent that one proves in the GBGM the security of the knowledge assumption given the auxiliary string the adversary gets in the concrete application. This seems to hint that one should reprove in the GBGM the security of all used knowledge assumptions in each individual paper.

Instead of proving the security of non-falsifiable knowledge assumptions (on top of several novel computational assumptions like PP and SP [28] or PSP [19]) in the GBGM, and then using such assumptions in the security proof, we think it is more reasonable to work directly in the GBGM. Moreover, GBGM arguments tend to be more efficient, in particular since there is a reduced need to compute the knowledge components.

In fact, most of the known knowledge assumptions make a very specific use of the power of the GBGM. E.g., reinterpreting the knowledge assumptions used in, say, [19] in the language of the GBGM, one assumes that for a specific (unique!) random variable $X_k$ the following holds: for any polynomial $F$, if $F(X_1, \dots, X_k, \dots, X_m) = 0$ and $F(X_1, \dots, X_k, \dots, X_m)$ has $\mu_k$ as the coefficient of $X_k$, then $\mu_k = 0$. It is questionable why this concrete coefficient is handled differently from all other coefficients; in the GBGM, from $F(X_1, \dots, X_m) = 0$ one can derive that all coefficients of $F(X_1, \dots, X_m)$ are equal to 0.
A Preliminaries: Zero Knowledge


Let $\mathcal{R} = \{(u, w)\}$ be an efficiently computable binary relation
with $|w| = \mathrm{poly}(|u|)$. Here, $u$ is a statement, and $w$ is a
witness. Let $\mathcal{L} = \{u : \exists w,\ (u, w) \in \mathcal{R}\}$ be an
NP-language. Let $n = |u|$ be the input length. For fixed $n$, we have a
relation $\mathcal{R}_n$ and a language $\mathcal{L}_n$. Here, as in [28],
since we argue about group elements, both $\mathcal{L}_n$ and $\mathcal{R}_n$
are group-dependent and thus we add $gk$ as an input to $\mathcal{L}_n$ and
$\mathcal{R}_n$. Let $\mathcal{R}_n(gk) := \{(u, w) : (gk, u, w) \in \mathcal{R}_n\}$.

A non-interactive argument for a group-dependent relation family $\mathcal{R}$
consists of four PPT algorithms: a setup algorithm setup, a common reference
string (CRS) generator gencrs, a prover pro, and a verifier ver. For
$gk \leftarrow \mathrm{setup}(1^\kappa, n)$ (where $n$ is the input length) and
$(crs = (crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk)$ (where $td$ is not
accessible to anybody but the simulator), $\mathrm{pro}(crs_p; u, w)$ produces
an argument $\pi$, and $\mathrm{ver}(crs_v; u, \pi)$ outputs either 1 (accept)
or 0 (reject). Here, $crs_p$ (resp., $crs_v$) is the part of the CRS given to
the prover (resp., the verifier). The distinction between $crs_p$ and $crs_v$
is not important from the security point of view, but in many cases $crs_v$
is significantly shorter.

A non-interactive argument $\Psi$ is perfectly complete, if for all
$n = \mathrm{poly}(\kappa)$,

$$\Pr\left[gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk),\ (u, w) \in \mathcal{R}_n(gk) :\ \mathrm{ver}(gk, crs_v; u, \mathrm{pro}(gk, crs_p; u, w)) = 1\right] = 1.$$

$\Psi$ is adaptively computationally sound for $\mathcal{L}$, if for all
$n = \mathrm{poly}(\kappa)$ and non-uniform probabilistic polynomial-time adv,

$$\Pr\left[gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk),\ (u, \pi) \leftarrow \mathrm{adv}(gk, crs_p, crs_v) :\ (gk, u) \notin \mathcal{L}_n \wedge \mathrm{ver}(gk, crs_v; u, \pi) = 1\right] \approx_\kappa 0.$$
We recall that in situations where the inputs have been committed by using
a computationally binding trapdoor commitment scheme, the notion of
computational soundness does not make sense (since the commitments could be to
any input messages). Instead, one should either prove culpable soundness or
the argument-of-knowledge property.

$\Psi$ is adaptively computationally culpably sound [28,29] for $\mathcal{L}$,
if for all $n = \mathrm{poly}(\kappa)$, for all polynomial-time decidable
binary relations $\mathcal{R}^{guilt} = \{\mathcal{R}^{guilt}_n\}$ consisting
of elements from $\bar{\mathcal{L}}$ and witnesses $w_{guilt}$, and for all
non-uniform probabilistic polynomial-time adv,

$$\Pr\left[gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk),\ (u, \pi, w_{guilt}) \leftarrow \mathrm{adv}(gk, crs_p, crs_v) :\ (gk, u, w_{guilt}) \in \mathcal{R}^{guilt}_n \wedge \mathrm{ver}(gk, crs_v; u, \pi) = 1\right] \approx_\kappa 0.$$


For algorithms adv and $X_{adv}$, we write
$(y; y') \leftarrow (\mathrm{adv} \| X_{adv})(x)$ if adv on input $x$ outputs
$y$, and $X_{adv}$ on the same input (including the random tape of adv)
outputs $y'$.

$\Psi$ is an argument of knowledge, if for all $n = \mathrm{poly}(\kappa)$ and
every non-uniform probabilistic polynomial-time adv, there exists a
non-uniform probabilistic polynomial-time extractor $X_{adv}$, s.t. for every
auxiliary input $aux \in \{0,1\}^{\mathrm{poly}(\kappa)}$,

$$\Pr\left[gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk),\ ((u, \pi); w) \leftarrow (\mathrm{adv} \| X_{adv})(crs_p, crs_v; aux) :\ (gk, u, w) \notin \mathcal{R}_n \wedge \mathrm{ver}(crs_v; u, \pi) = 1\right] \approx_\kappa 0.$$


Here, aux can be seen as the common auxiliary input to adv and X ac j v that is 
generated by using benign auxiliary input generation [5]. 

$\Psi$ is perfectly zero-knowledge, if there exists a probabilistic
polynomial-time simulator sim, such that for all stateful adversaries adv and
$n = \mathrm{poly}(\kappa)$,

$$\Pr\left[\begin{array}{l} gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk), \\ (u, w) \leftarrow \mathrm{adv}(gk, crs_p, crs_v),\ \pi \leftarrow \mathrm{pro}(gk, crs_p; u, w) : \\ (gk, u, w) \in \mathcal{R}_n \wedge \mathrm{adv}(gk, \pi) = 1 \end{array}\right]
= \Pr\left[\begin{array}{l} gk \leftarrow \mathrm{setup}(1^\kappa, n),\ ((crs_p, crs_v), td) \leftarrow \mathrm{gencrs}(gk), \\ (u, w) \leftarrow \mathrm{adv}(gk, crs_p, crs_v),\ \pi \leftarrow \mathrm{sim}(gk, crs_p, crs_v; u, td) : \\ (gk, u, w) \in \mathcal{R}_n \wedge \mathrm{adv}(gk, \pi) = 1 \end{array}\right].$$

Here, the prover and the simulator use the same CRS. That is, we have
same-string zero knowledge. A same-string statistical zero-knowledge argument
stays secure even when the CRS is used an unbounded number of times.
Abstract. Distance bounding protocols are becoming more and more important
because they are the most accurate solution to defeat relay attacks. They
consist of two parties: a verifier and a prover. The prover shows that (s)he
is close enough to the verifier. In some applications such as payment systems,
using public-key distance bounding protocols is practical as no pre-shared
secret is necessary between the payer and the payee. However, public-key
cryptography requires many more computations than symmetric-key cryptography.
In this work, we focus on the efficiency problem in public-key distance
bounding protocols and on their formal security proofs. We construct two
protocols (one without privacy, one with) which require fewer computations on
the prover side compared to the existing protocols, while keeping the highest
security level. Our construction is generic, based on a key agreement model.
It can be instantiated with only one resp. three elliptic curve computations
for the prover side in the two protocols, respectively. We prove the security
of our constructions formally and in detail.


Keywords: Distance bounding • RFID • NFC • Relay attack • Key 
agreement • Mafia fraud • Distance fraud • Distance hijacking 


1 Introduction 

Nowadays, various technologies, such as contactless payment (e.g. NFC), access
control in a building, and remote keyless systems (e.g. car keys) are part of
our lives since they save time and improve accessibility. However, these
applications are exposed to simple but dangerous attacks such as relay
attacks: a malicious person can abuse all these technologies by just relaying
messages between the two legitimate parties.

Distance bounding (DB) is a solution to detect relay attacks. Detecting the
attack is simpler, cheaper and more practical than preventing it, because
prevention could require special hardware equipment [4]. The first DB
protocol was introduced by Brands and Chaum [9]. Basically, in DB, the
verifying party measures the physical distance of the proving party by
sending challenges, receiving the responses (they are generally 1 or 2 bits
long) and timing each round trip. In the end, if too many rounds have too
long round-trip times or too many incorrect responses, the verifier rejects
the proving party, since it may be exposed to a relay attack.
Threats to DB are not limited to relay attacks. The other threats are the
following:

Distance Fraud (DF): A malicious, far-away prover tries to prove that (s)he
is close enough.

Mafia Fraud (MiM) [13]: A man-in-the-middle (MiM) adversary between a
verifier and a far-away honest prover tries to make the verifier accept.

Terrorist Fraud (TF) [13]: A far-away malicious prover, with the help of the
adversary, tries to make the verifier accept, but without giving the adversary
any advantage to later pass the protocol alone.

Distance Hijacking (DH) [12]: A far-away malicious prover takes advantage of
some honest and active provers who are close to the verifier to make the
verifier grant privileges to the far-away prover.

Privacy threat: An adversary tries to learn any useful information such as
the identity of a prover. In strong privacy, the adversary tries to identify
a prover even with access to the prover's secret (e.g. by corruption).

DB protocols are categorized as symmetric DB protocols (the verifier and the 
prover share a secret) [5-8, 16,23-25,34] and public-key DB protocols (the verifier 
and the prover only know the public key of each other) [9,10,17,20,35,37,38]. 

In some applications, we cannot assume that the prover and the verifier have
established a secret. For example, in a payment system, it is not realistic to
assume that the payment terminal and the customer share a secret. We can
mention as an instance of a payment protocol the EMV standard [1], which now
uses the public-key DB protocol PaySafe from [11]. However, this protocol
sends nonces of several bits through the time-critical channel. Normally, a
time-critical exchange should only take a few nanoseconds to reach a distance
bound of meters with the speed of light, but sending a string of several bits
typically takes microseconds. This is why usual DB protocols only exchange
single bits through the time-critical phases. Actually, the protocol from
[11] does not protect against adversaries running computations at the speed
of light but only against adversaries using standard equipment, which induces
natural delays.


Table 1. Review of the existing public-key DB protocols. ✓ means that the
protocol is secure in the corresponding threat model and ✗ means that it is
not. ✓* means that it is secure only against adversaries that cannot relay
the messages close to the speed of light. EC is elliptic curve, ZK is zero
knowledge, NIZK is non-interactive zero knowledge, AKA is authenticated key
agreement. Public key (PK) computations are counted only on the prover side,
n is the number of rounds in the challenge phase and s is the security
parameter.

Protocol           MiM  DF  DH  TF  Privacy  Strong privacy  PK computations for the prover
Brands-Chaum [9]   ✓    ✓   ✗   ✗   ✗        ✗               1 commitment, 1 signature
HPO [20]           ✓    ✓   ✗   ✗   ✓        ✗               4 EC multiplications
GOR [17]           ✓    ✓   ✗   ✗   ✗        ✗               4 EC multiplications, 1 encryption, 1 NIZK proof
PaySafe [11]       ✓*   ✗   ✗   ✗   ✗        ✗               1 signature
PrivDB [37]        ✓    ✓   ✓   ✗   ✓        ✓               1 signature, 1 IND-CCA encryption
ProProx [38]       ✓    ✓   ✓   ✓   ✗        ✗               n + 1 commitments, n ZK proofs
eProProx [35]      ✓    ✓   ✓   ✓   ✓        ✓               1 encryption, s hashing, n + 1 commitments, n ZK proofs
Simp-pkDB          ✓    ✓   ✗   ✗   ✗        ✗               1 IND-CCA decryption
Eff-pkDB           ✓    ✓   ✓   ✗   ✗        ✗               1 AKA protocol
Eff-pkDB^p         ✓    ✓   ✓   ✗   ✓        ✓               1 IND-CCA encryption, 1 AKA protocol

Although public-key distance bounding protocols are useful, they can cause
considerable energy consumption on the prover side, since public-key
cryptography needs heavier computations than symmetric-key cryptography.
Energy constraints on most of the low-power devices using RFID and NFC
technologies leave very limited computation resources. One solution could be
to add more computational power to these devices, but this increases their
cost.

In this paper, we construct new protocols called Eff-pkDB, Eff-pkDB p , and 
Simp-pkDB (Eff-pkDB p is the privacy-preserving variant of Eff-pkDB). 

Table 1 shows the security and the efficiency properties of previous protocols 
and our protocols. We can see that most of the previous public-key DB protocols 
[9,10,17,35,37,38] do not concentrate on this efficiency problem, except HPO 
[20]. So far, HPO is the most efficient one among them since it requires only 
4 elliptic curve (EC) multiplications on the prover side, but it is not strong 
private [36] and it is not secure against DH [22] and TF. In addition to this, 
its security is based on several ad-hoc assumptions [20] which are not so well 
studied: “OMDL”, “Conjecture 1”, “extended ODH” and “XL” . 

GOR [17] was constructed to have strong privacy, but it has been shown in 
[36] that it is neither strong private nor private. 

ProProx [38] satisfies all the security properties except privacy. Its version
eProProx [35] is secure against all threat models and strong private. However,
both ProProx and eProProx suffer from heavy cryptographic operations such as
zero-knowledge (ZK) proofs. These are the only TF-secure protocols, but we
can see that their cost is unreasonable.

PrivDB [37] and our new protocol Eff-pkDB^p have the same security
properties. However, PrivDB is a bit less efficient on the prover side than
Eff-pkDB^p, and it has no light privacy-less variant, unlike Eff-pkDB^p.

Our lighter protocol Eff-pkDB and our first attempt Simp-pkDB in
Appendix B are the most efficient public-key DB protocols, as seen in Table 1.
Eff-pkDB is secure against DF, MiM and DH but it is not private. Simp-pkDB is
secure only against DF and MiM, and it is not private. It is more efficient
than the Brands-Chaum protocol, which has the same security level as
Simp-pkDB. We focus on Eff-pkDB in the rest of the paper since it gives a
higher security level. Eff-pkDB's variant Eff-pkDB^p uses one extra
encryption and is strong private. We propose an instance of these protocols
based on the Gap Diffie-Hellman (GDH) problem [30] in EC with a random
oracle. The detailed efficiency analysis is presented in Sect. 6.

PaySafe [11] is very efficient, but we do not compare it with the other
protocols and our protocols since it assumes a weaker adversarial model. It is
only secure against MiM. It is not secure against DF, DH and TF because the
response of the prover in the time-critical phase, which is a nonce picked by
the prover, does not depend on any message of the verifier. It also does not
protect the privacy of the prover.

Our contributions are:

- We design two public-key DB protocols. The first protocol is secure against
DF, MiM and DH but it is not private. It uses only one public-key related
operation on the prover side. Basically, this protocol can be used in
applications not requiring privacy in a very efficient way. Then, we modify
this protocol by adding a public-key encryption to make it strong private.
Both protocols are quite efficient compared with the previous protocols. Our
constructions are generic, based on a key agreement protocol, a weakly-secure
symmetric DB protocol, and a cryptosystem. We formally prove the security
following the model of Boureanu-Vaudenay [8], which was adapted to public-key
DB in Vaudenay [37].

- We define a new key agreement (KA) security game (D-AKA). In the literature,
the extended Canetti-Krawczyk (eCK) security model [27] is widely accepted
for KA. However, a weaker security model (D-AKA) is sufficient for the
security of our new public-key DB protocols, and since we care about both
efficiency and security we use it. Finally, we design a D-AKA secure key
agreement protocol (Nonce-DH) based on the hardness of the GDH problem and a
random oracle. The Nonce-DH key agreement protocol can be used in our DB
constructions.

We show in Appendix B another reasonable protocol, Simp-pkDB, which was our
first attempt to construct an efficient and secure protocol. Although this
protocol is quite efficient and does not require any public key of a
verifier, it fails in DH-security. This shows that it is hard to make a
protocol which is secure for MiM, DF, and DH at the same time. Adding privacy
to protocols is yet another challenge. Strong privacy cannot be achieved so
easily, as shown in Sect. 5.2. HPO and GOR failed on this.

Organization of the paper: In Sect. 2, we give the formal definitions for the
notion of DB and all necessary security definitions we are considering for
our new protocols. In Sect. 3, we describe the one-time DB protocol OTDB [37]
and give new security results on this protocol. OTDB and all the results
about OTDB can be employed by Eff-pkDB or Eff-pkDB^p in a very efficient
way. In Sect. 4, we introduce our new and weaker KA security model (D-AKA).
Then, we construct a new KA protocol, Nonce-DH, which is D-AKA secure. We
include Nonce-DH to show that both Eff-pkDB and Eff-pkDB^p can employ it and
to make a more precise efficiency analysis of these protocols. In Sect. 5, we
introduce Eff-pkDB and Eff-pkDB^p with all security and privacy proofs.
Finally, in Sect. 6, we do the efficiency and security analyses of all
previous public-key DB protocols in detail.

2 Definitions 

The formalism in DB was started by Avoine et al. [2]. Then, the first complete
model was introduced by Dürholz et al. [15], where the threat models are
defined according to the number of tainted time-critical phases. The SKI
model by Boureanu et al. [5-7] is another formal model, which includes a clear
communication model between parties in DB. The latest model, the BV model [8]
by Boureanu and Vaudenay, is a more natural multi-party security model.

In this section, we give the definitions from the literature that we use in our 
security proofs. 

2.1 Public Key Distance Bounding 

Definition 1 (Public key DB Protocol [37]). A public key distance bounding
protocol is a two-party probabilistic polynomial-time (PPT) protocol and it
consists of a tuple $(\mathcal{K}_P, \mathcal{K}_V, V, P, B)$. Here,
$(\mathcal{K}_P, \mathcal{K}_V)$ are the key generation algorithms of $P$ and
$V$, respectively. The output of $\mathcal{K}_P$ is a secret/public key pair
$(sk_P, pk_P)$ and similarly the output of $\mathcal{K}_V$ is a secret/public
key pair $(sk_V, pk_V)$. $P$ is the proving algorithm, $V$ is the verifying
algorithm, where the inputs of $P$ and $V$ are from $\mathcal{K}_P$ and
$\mathcal{K}_V$. $B$ is the distance bound. $P(sk_P, pk_P, pk_V)$ and
$V(sk_V, pk_V)$ interact with each other. At the end of the protocol,
$V(sk_V, pk_V)$ outputs a final message $Out_V$ and has $pk_P$ as a private
output. If $Out_V = 1$, then $V$ accepts. If $Out_V = 0$, then $V$ rejects.

A public-key DB protocol is correct if and only if under honest execution,
whenever a verifier $V$ and a close (to $V$) prover $P$ run the protocol, then
$V$ always outputs $Out_V = 1$ and $pk_P$.

Remark that this definition combines identification with DB: $pk_P$ is not an
input of the algorithm $V$, but it is an output. So, $V$ learns the identity
of $P$ during the protocol.

We formalize the security notions of DB protocols. In the setting below, we 
have parties called provers, verifiers and other actors. Each party has instances 
and each instance I has its own location. It is called close to the instance J, if 
d(I, J) < B and far from J, if d(I, J) > B where d is a distance function. 

An instance of an honest prover runs the algorithm denoted by 
P(sk P , pk P , pky). An instance of a malicious prover runs an arbitrary algorithm 
denoted by P*. The verifier is always honest and its instances run V(sk y, pky). 
Without loss of generality, we say that the other actors are malicious. They may 
run any algorithm. 

The locations of the participants are elements of a metric space. We
summarize the communication and adversarial model (see [5] for the details):

DB protocols run in natural communication settings. There is a notion of
time, e.g. a time unit, a notion of measurable distance, and a location.
Besides, timed communication follows the laws of physics, e.g., communication
cannot be faster than the speed of light. An adversary can see all messages
(whenever they reach him). He can change the destination of a message,
subject to these constraints.

This communication and adversarial model will only play a role in the DF and
MiM security (defined below), but we will not have to deal with it directly.
Indeed, we will start from an existing weakly secure symmetric DB protocol
(such as OTDB [37]) and reduce the DF and MiM security of our protocol to the
security of that protocol. So, we do not need to formalize this model further.
Now, we explain the security games for distance fraud, mafia fraud and
distance hijacking from [37].

Definition 2 (Distance fraud [37]). The game begins by running the key setup
algorithm $\mathcal{K}_V$ which outputs $(sk_V, pk_V)$. The game includes a
verifier instance $V$ and instances of an adversary. Given $pk_V$, the
adversary generates $(sk_P, pk_P)$ with an arbitrary key setup algorithm
$\mathcal{K}^*(pk_V)$ (instead of $\mathcal{K}_P$). There is no participant
close to $V$. The adversary wins if $V$ outputs $Out_V = 1$ and $pk_P$. A DB
protocol is DF-secure if for any such game, the adversary wins with
negligible probability.

Definition 3 (Mafia fraud (MiM security) [37]). The game begins by running
the key setup algorithms $\mathcal{K}_V$ and $\mathcal{K}_P$ which output
$(sk_V, pk_V)$ and $(sk_P, pk_P)$, respectively. The adversary receives $pk_V$
and $pk_P$. The game consists of several verifier instances including a
distinguished one $V$, an honest prover $P$ with its instances which are far
away from $V$, and an adversary with its instances at any location. The
adversary wins if $V$ outputs $Out_V = 1$ and $pk_P$. A DB protocol is
MiM-secure if for any such game, the probability of an adversary to win is
negligible.

Definition 4 (Distance hijacking [37]). The game consists of several verifier
instances $V, V_1, V_2, \ldots$, a far-away adversary $P$, and also honest
prover instances $P', P'_1, P'_2, \ldots$. A DB protocol
$(\mathcal{K}_P, \mathcal{K}_V, V, P, B)$ having an initialization, a
challenge and a verification phase is DH-secure if for all PPT algorithms
$\mathcal{K}^*_P$ and $\mathcal{A}$, the probability of $P$ to win the
following game is negligible.

- $\mathcal{K}_V \to (sk_V, pk_V)$, $\mathcal{K}_P \to (sk_{P'}, pk_{P'})$.

- $\mathcal{K}^*_P(pk_{P'}, pk_V) \to (sk_P, pk_P)$ and if $pk_P = pk_{P'}$,
the game aborts. Then, instances of $P$ run
$\mathcal{A}(sk_P, pk_P, pk_V, pk_{P'})$; $P', P'_1, P'_2, \ldots$ run
$P(sk_{P'}, pk_{P'}, pk_V)$; $V, V_1, V_2, \ldots$ run $V(sk_V, pk_V)$.

- $P$ interacts with $P', P'_1, P'_2, \ldots$ and $V, V_1, V_2, \ldots$ during
the initialization phase of $V$ and $P'$ concurrently.

- $P'$ and $V$ continue interacting with each other in their challenge phase
and $P$ remains passive even though he sees the exchanged messages.

- $P$ interacts with $P', P'_1, P'_2, \ldots$ and $V, V_1, V_2, \ldots$ in the
verification phase concurrently.

The adversary wins if $V$ outputs $Out_V = 1$ and $pk_P$.

The notion of initialization/challenge/verification phase is arbitrary, but
the notion of DH-security depends on it. To make it correspond to the notion
in [12], the challenge phase must correspond to the time-critical part where
the verifier and the prover exchange challenges/responses so fast that
responses from far away would be rejected.

Definition 5 (HPVP Privacy Game [19]). The privacy game is the following:
Pick $b \in \{0, 1\}$ and let the adversary $\mathcal{A}$ play with the
following oracles:

- CreateP(ID) $\to P_i$: It creates a new prover with identity ID and returns
its identifier $P_i$.

- Launch() $\to \pi$: It launches a new protocol session with the verifier
$V$ and returns the session identifier $\pi$.

- Corrupt($P_i$): It returns the current state of $P_i$. The current state
means all the values in $P_i$'s current memory. It does not include volatile
memory.

- DrawP($P_i, P_j$) $\to vtag$: It draws either $P_i$ (if $b = 0$) or $P_j$
(if $b = 1$) and returns the virtual tag reference $vtag$. If one of the
provers was already an input of a DrawP $\to vtag'$ query and $vtag'$ has not
been released, then it outputs 0.

- Free($vtag$): It releases $vtag$, which means $vtag$ can no longer be
accessed.

- SendP($vtag, m$) $\to m'$: It sends the message $m$ to the drawn prover and
returns the response $m'$ of the prover. If $vtag$ was not drawn or was
released, nothing happens.

- SendV($\pi, m$) $\to m'$: It sends the message $m$ to the verifier in the
session $\pi$ and returns the response $m'$ of the verifier. If $\pi$ was not
launched, nothing happens.

- Result($\pi$) $\to b'$: It returns a bit that shows if the session $\pi$ is
accepted by the verifier (i.e. the message $Out_V$).

At the end of the game, the adversary outputs a bit $g$. If $g = b$, then
$\mathcal{A}$ wins. Otherwise, it loses.

A DB protocol is strong private if for all PPT adversaries, the advantage of
winning the privacy game is negligible.

We distinguish strong and weak privacy [33]. The weak privacy game does not
include any 'Corrupt' oracle. The other kind of classification is wide and
narrow privacy. The wide privacy game allows the use of the 'Result' oracle
while the narrow privacy game does not. In this paper, we implicitly consider
wide privacy by making $Out_V$ a protocol message, which means we always
obtain this bit without using the 'Result' oracle.

2.2 Symmetric Distance Bounding 

In this section, we give the useful definitions about the symmetric distance 
bounding that we need to use for our public key distance bounding protocols. 
Therefore, we do not explain all security notions for symmetric DB protocols. 

Definition 6 (Symmetric DB Protocol [37]). A symmetric distance bounding
protocol is a two-party PPT protocol and it consists of a tuple
$(\mathcal{K}, V, P, B)$. Here, $\mathcal{K}$ is the key generation algorithm,
$P$ is the proving algorithm and $V$ is the verifying algorithm. The input of
$P$ and $V$ is the output $s$ of $\mathcal{K}$. $B$ is the distance bound.
$P(s)$ and $V(s)$ interact with each other. At the end of the protocol, $V(s)$
outputs a final message $Out_V$. If $Out_V = 1$, then $V$ accepts. If
$Out_V = 0$, then $V$ rejects.

A symmetric DB protocol is correct if and only if under honest execution,
whenever a verifier $V$ and a close (to $V$) prover $P$ run the protocol, then
$V$ always outputs $Out_V = 1$.
Definition 7 (One Time DF (OT-DF) [37]). The game begins by running a
malicious key setup algorithm $\mathcal{K}^*$ which outputs $s$. It consists
of a single verifier instance $V$ running $V(s)$ and instances of an adversary
$P^*$. $P^*$ receives $s$. There is no participant close to $V$. The
adversary wins if $V$ outputs $Out_V = 1$. A symmetric DB protocol is
OT-DF-secure if for any such game, the adversary wins with negligible
probability.

Definition 8 (One Time MiM (OT-MiM) [37]). The game begins by running the key
setup algorithm $\mathcal{K}$ which outputs $s$. It consists of a single
verifier instance $V$ running $V(s)$, a single far-away prover instance $P$
running $P(s)$ and instances of an adversary. The adversary wins if $V$
outputs $Out_V = 1$. A symmetric DB protocol is OT-MiM-secure if for any such
game, the probability that the adversary wins is negligible.

Multi-verifier OT-MiM: The OT-MiM game with more than one verifier instance
is called the multi-verifier OT-MiM game, and the corresponding notion
multi-verifier OT-MiM-security. We define this new notion to be able to have
the result in Theorem 1, which helps us to prove the security of our
constructions.

Definition 9 (One Time DH (OT-DH) [37]). The game consists of a verifier
instance $V$, a far-away adversary $P$, and also an honest (and close) prover
instance $P'$. A symmetric DB protocol $(\mathcal{K}, V, P, B)$ having an
initialization, a challenge and a verification phase is OT-DH-secure if for
all PPT algorithms $\mathcal{A}$, $\mathcal{K}^*$, the probability of $P$ to
win the following game is negligible.

- $\mathcal{K}^* \to s$, $\mathcal{K} \to s'$. Then, $P'$ runs $P(s')$, $V$
runs $V(s)$ and $P$ runs $\mathcal{A}(s)$.

- $P$ interacts with $P'$ and $V$ in their initialization phase concurrently.

- $P'$ and $V$ continue interacting with each other in their challenge phase
and $P$ remains passive even though he sees the exchanged messages.

- $P$ interacts with $P'$ and $V$ in their verification phase concurrently.

The adversary wins if $V$ outputs $Out_V = 1$.

Definition 10 (Multi-verifier Impersonation Fraud (IF) [3]). The game begins
by running the key setup algorithm $\mathcal{K}$ which outputs $s$. It
consists of verifier instances running $V(s)$ and an adversary with no
inputs. The adversary wins if any verifier instance outputs $Out_V = 1$. A
distance bounding protocol is multi-verifier IF-secure if for any such game,
the probability of an adversary to win is negligible.

The above definition is with several verifiers, contrarily to the others,
because we will only use multi-verifier IF-security.

MiM-security covers multi-verifier IF-security. So, if a DB protocol is
MiM-secure, then it is multi-verifier IF-secure.

We will see in Theorem 2 that OT-MiM-security also implies multi-verifier
IF-security for a DB protocol following the canonical structure.
Definition 11 (Canonical Structure [37]). A symmetric DB protocol
$(\mathcal{K}, V, P, B)$ follows the canonical structure if there exist
initialization/challenge/verification phases, $P$ does not use $s$ during the
initialization phase, $V$ does not use $s$ at all except for computing the
final $Out_V$, and the verification phase is not interactive.

Remark that the notion of phase is used in DH and OT-DH security.

3 OTDB 

As an example of a one-time secure protocol, we can give the protocol OTDB by
Vaudenay [37], which is a symmetric DB protocol adapted from the Hancke-Kuhn
protocol [18]. The OTDB protocol follows the canonical structure (see
Definition 11), only requires one xor operation before the challenge phase on
the prover side, and it is OT-DF, OT-MiM and OT-DH secure [37] (see Fig. 1).
We complement these known results by showing multi-verifier OT-MiM security
and multi-verifier IF-security.

Theorem 1. OTDB is multi- verifier OT-MiM secure. 


Proof. $\Gamma_0$: In this game, an adversary $\mathcal{A}$ plays the
multi-verifier OT-MiM game. Here, we have a distinguished verifier instance
$V$ with other instances $\{V_1, \ldots, V_k\}$ and one prover instance $P$.
The success probability in $\Gamma_0$ is $p_0$.

$\Gamma_1$: We reduce $\Gamma_0$ to $\Gamma_1$ where at most one verifier
instance outputs 1. Let $E$ be the event in $\Gamma_0$ that at least two
verifier instances output 1 ($Out_V = 1$). To reduce $\Gamma_0$ to
$\Gamma_1$, we show that $\Pr[E]$ is negligible.

First, we define hybrid games $\Gamma_{i,j}$ to analyze $\Pr[E]$.
$\Gamma_{i,j}$ is similar to $\Gamma_0$ except that the game stops right after
$V_i$ and $V_j$ have sent their final outputs, and all $Out_V$ are replaced by
0 except those of $V_i$ and $V_j$. The adversary wins the game if
$Out_{V_i} = Out_{V_j} = 1$.


Fig. 1. OTDB. V and P share a secret s ∈ {0,1}^{2n}.

  V(s)                                                  P(s)

  initialization phase
  pick m ∈ {0,1}^{2n}              ------ m ------>
  a = s ⊕ m                                             a = s ⊕ m

  challenge phase
  for i = 1 to n:
    pick c_i ∈ {0,1}, start timer_i ------ c_i ----->
    stop timer_i                    <----- r_i ------   r_i = a_{2i+c_i-1}

  verification phase
  check timer_i ≤ 2B and r_i = a_{2i+c_i-1} for all i  ->  Out_V
In $\Gamma_{i,j}$ we define three kinds of arrays for the challenges. The
first array $C_{V_i}$ includes the challenges sent by $V_i$, the second array
$C_{V_j}$ includes the challenges sent by $V_j$, and the third array $C_P$
includes the challenges seen by $P$. The bits in $C_{V_i}$ and $C_{V_j}$ are
independent. We also define a response function
$\mathrm{resp}_k(c) = a_{2k+c-1}$ for each round $k$. Since the bits of the
secret $s$ are independent, the bits of
$\{\mathrm{resp}_k(0) \| \mathrm{resp}_k(1)\}_{k=1}^n$ are independent as
well. If $C_{V_i}[k] \neq C_{V_j}[k]$, then the adversary could have taken
$C_P[k] = c$ where $c$ is equal to either $C_{V_i}[k]$ or $C_{V_j}[k]$, and
learned $\mathrm{resp}_k(c)$. So, he responds correctly to either $V_i$ or
$V_j$ for sure, but to the other instance only with probability
$\frac{1}{2}$. We define an event $E_{i,j,k}$ where the responses are correct
for both $V_i$ and $V_j$ in round $k$. Clearly, all events $E_{i,j,k}$ are
independent. So, $\Pr[\Gamma_{i,j}] = \prod_k \Pr[E_{i,j,k}]$. Hence,

$$\Pr[E_{i,j,k}] \le \Pr[C_{V_i}[k] = C_{V_j}[k]] + \Pr[E_{i,j,k} \mid C_{V_i}[k] \neq C_{V_j}[k]] \times \Pr[C_{V_i}[k] \neq C_{V_j}[k]] \le \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2} = \frac{3}{4}.$$

So, the adversary wins $\Gamma_{i,j}$ with probability at most
$(\frac{3}{4})^n$, which is negligible. Now, we can analyze $E$. By the union
bound over the polynomially many pairs $(i, j)$,

$$\Pr[E] \le \sum_{i,j} \Pr[\Gamma_{i,j}] = \mathrm{negl}(n).$$

Since $E$ happens with negligible probability, we can reduce $\Gamma_0$ to
$\Gamma_1$ and conclude that $p_1 - p_0$ is negligible. For $\Gamma_1$ to
succeed, only $V$ must produce $Out_V = 1$.

$\Gamma_2$: We reduce $\Gamma_1$ to $\Gamma_2$ where we simulate all verifier
instances except $V$. We can do this simulation because the messages sent by
a verifier, other than $Out_V$, do not depend on the secret. Since
$Out_V = 0$ for all verifier instances except $V$ in the winning case (only
$V$ can output 1), $p_1 \le p_2$.

Now in $\Gamma_2$, we are in the OT-MiM game where there is only one verifier
instance $V$ and one prover instance $P$. By using the OT-MiM-security result
for OTDB [37], we deduce that $p_2$ is negligible, so $p_0$ is negligible. □
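The OTDB exchange of Fig. 1 together with the two-verifier adversary from the proof of Theorem 1, as an added Python example that is not part of the paper: it runs the three phases with an honest prover (accepting when every round trip fits within 2B, rejecting a far-away prover on timing alone), then simulates the adversary of the hybrid game Γ_{i,j}, who forwards one verifier's challenge to the single prover instance and can only guess whenever the second verifier asked for the other bit of that round. Assumptions that are not from the paper: a signal speed of one distance unit per time unit, so a prover at distance d yields a round trip of 2d; 0-based indexing, so the paper's a_{2i+c_i-1} becomes a[2k + c]; and timing is ignored in the attack simulation, since the proof bounds the responses only.

```python
"""OTDB (Fig. 1) with both sides simulated, plus the two-verifier adversary
from the proof of Theorem 1.  Added example, not code from the paper.
Assumptions: signal speed 1 distance unit per time unit (a round trip over
distance d takes 2d), 0-based indexing (paper's a_{2i+c_i-1} is a[2k + c])."""
import random


def xor(x, y):
    return [p ^ q for p, q in zip(x, y)]


def resp_index(k, c):
    """Position in a of the response to challenge c in 0-based round k."""
    return 2 * k + c


class Prover:
    def __init__(self, s):
        self.s, self.a = s, None

    def init(self, m):                 # initialization phase: receive m
        self.a = xor(self.s, m)

    def respond(self, k, c):           # challenge phase: r_i = a_{2i+c_i-1}
        return self.a[resp_index(k, c)]


class Verifier:
    def __init__(self, s, n, B, rng):
        self.n, self.B = n, B
        self.m = [rng.randrange(2) for _ in range(2 * n)]   # fresh per session
        self.a = xor(s, self.m)
        self.challenges = [rng.randrange(2) for _ in range(n)]
        self.log = []                  # (r_i, round-trip time) per round

    def record(self, r, rtt):
        self.log.append((r, rtt))

    def output(self):                  # verification phase -> Out_V
        if len(self.log) != self.n:
            return 0
        for k, (r, rtt) in enumerate(self.log):
            if rtt > 2 * self.B or r != self.a[resp_index(k, self.challenges[k])]:
                return 0
        return 1


def honest_run(n, B, distance, seed=0):
    """Honest P at `distance` from V; returns Out_V (1 iff close and correct)."""
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(2 * n)]
    V, P = Verifier(s, n, B, rng), Prover(s)
    P.init(V.m)                        # m is sent before the timed phase
    for k in range(n):
        V.record(P.respond(k, V.challenges[k]), 2 * distance)
    return V.output()


def two_verifier_attack(n, B, trials, seed=0):
    """Hybrid Gamma_{i,j}: one prover instance P and two verifier instances
    with independent challenges.  Each round the adversary forwards V_i's
    challenge to P, which reveals one of the two secret bits of that round;
    V_j gets a correct answer only if it asked for the same bit, otherwise a
    coin flip.  Returns the fraction of trials in which both verifiers accept
    (timing ignored, as the proof bounds responses only).  Expected (3/4)^n."""
    rng = random.Random(seed)
    both = 0
    for _ in range(trials):
        s = [rng.randrange(2) for _ in range(2 * n)]
        Vi, Vj, P = Verifier(s, n, B, rng), Verifier(s, n, B, rng), Prover(s)
        P.init(Vi.m)                   # adversary relays V_i's m to P
        for k in range(n):
            ci, cj = Vi.challenges[k], Vj.challenges[k]
            r = P.respond(k, ci)       # = s[idx] ^ Vi.m[idx]
            Vi.record(r, 0)
            if ci == cj:               # same bit asked: re-mask for V_j's m
                idx = resp_index(k, ci)
                Vj.record(r ^ Vi.m[idx] ^ Vj.m[idx], 0)
            else:                      # other bit never learned: guess
                Vj.record(rng.randrange(2), 0)
        both += Vi.output() & Vj.output()
    return both / trials


def theorem1_bound(n):
    """Upper bound (3/4)^n on the success probability in Gamma_{i,j}."""
    return 0.75 ** n


if __name__ == "__main__":
    print("close honest prover:", honest_run(16, B=3, distance=2))
    print("far honest prover:  ", honest_run(16, B=3, distance=4))
    print("both verifiers accept, n=8:", two_verifier_attack(8, 3, 4000),
          "bound", theorem1_bound(8))
```

With n = 8 the simulated rate of both verifiers accepting sits close to (3/4)^8 ≈ 0.10, and it halves with every additional four rounds, which is the "negligible in n" step of the proof made concrete; the honest runs show that the same verifier code rejects a correct prover purely on the 2B timing check once it is too far away.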

We prove the following result, which will be used in Theorem 6.

Theorem 2. If a (symmetric) DB protocol following the canonical structure is OT-MiM secure, then it is multi-verifier IF-secure.

Proof. We take an adversary ℳ playing the multi-verifier IF game. ℳ interacts with polynomially many verifier instances V_j. We define adversaries 𝒜_i playing the OT-MiM game. 𝒜_i simulates ℳ and takes the verifier instance V_i as the verifier V in the OT-MiM game. Concretely, we number the V_j by their order of appearance during the simulation of ℳ. When ℳ queries V_1, ..., V_{i-1}, V_{i+1}, ..., V_k (where k is the total number of verifier instances), 𝒜_i just simulates them (this is possible since the protocol follows the canonical structure, so no message from the verifier except Out_V depends on s). If Out_{V_j} of such a simulated instance needs to be returned to ℳ, 𝒜_i returns 0. When ℳ queries V_i, 𝒜_i relays it to V and sends the response of V to ℳ.

Let E_i be the event in the multi-verifier IF game that Out_{V_i} = 1 and all previously released Out_{V_j} are equal to 0. Clearly, we have Pr[ℳ wins] = Σ_{i≥1} Pr[ℳ wins ∧ E_i]. On the other hand, Pr[ℳ wins ∧ E_i] ≤ Pr[𝒜_i wins], because for all coins making ℳ win the multi-verifier IF game and E_i occur at the same time, we have Out_{V_j} = 0 for all j < i and Out_{V_i} = 1, so the same coins make 𝒜_i win the OT-MiM game. So, Pr[ℳ wins] ≤ Σ_{i≥1} Pr[𝒜_i wins]. Due to OT-MiM security, Pr[𝒜_i wins] is negligible for every i, and since k is polynomial, Pr[ℳ wins] is negligible. So, we have multi-verifier IF-security. □

Thanks to Theorem 2, OTDB is multi-verifier IF-secure.

4 Authenticated Key Agreement (AKA) Protocols 

In this section, we present our new KA security model and some preliminaries about AKA protocols. The security models in this section are used to construct secure and private public-key DB protocols in Sect. 5.

We note that the DB protocols we construct in Sect. 5 can employ any eCK-secure [27] key agreement protocol and keep the same security properties. However, eCK-security is stronger than what our protocols need. Therefore, we define a weaker notion in order to obtain simpler, more efficient and still secure public-key DB. Table 3 in Appendix A shows that Nonce-DH, which is secure in our weaker model, is more efficient than the previous KA protocols.

Definition 12 (AKA in one pass). A one-pass AKA protocol is a tuple (Gen_A, Gen_B, D, A, B) of PPT algorithms. Let A and B be the two parties. A and B generate secret/public key pairs (sk_A, pk_A) and (sk_B, pk_B) with the algorithms Gen_A(1^n) and Gen_B(1^n), respectively, where n is the security parameter. B picks N from the sampling algorithm D and runs B(sk_B, pk_B, pk_A, N), which outputs the session key s. Then, B sends N, and finally A gets the session key s by running A(sk_A, pk_A, pk_B, N) (see Fig. 2). We say that the AKA is correct if A and B obtain the same s at the end of the protocol.

    A(sk_A, pk_A, pk_B)                        B(sk_B, pk_B, pk_A)
                                               N <- D(1^n)
                                               B(sk_B, pk_B, pk_A, N) -> s
                       <---------- N ----------
    A(sk_A, pk_A, pk_B, N) -> s

Fig. 2. The structure of a one-pass authenticated key agreement (AKA) protocol.


Definition 13 (Decisional Authenticated Key Agreement (D-AKA) security). We define two oracles set up with sk_A, pk_A, sk_B, pk_B:

    O_A(·, ·):                       O_B(·):
      return A(sk_A, pk_A, ·, ·)       N' <- D(1^n)
                                       s' <- B(sk_B, pk_B, ·, N')
                                       return s', N'

Given b ∈ {0, 1} and the oracles O_A(·, ·), O_B(·), the game KA^b_𝒜(n) is:

1. The challenger executes Gen_A(1^n) → (sk_A, pk_A), Gen_B(1^n) → (sk_B, pk_B), sets up the oracles, calls O_B(pk_A) → (s_0, N) and picks s_1 ∈ {0, 1}^n uniformly at random. Then, he sends s_b, N, pk_B, pk_A to the adversary 𝒜.

2. 𝒜 has access to the oracles O_B(·) and O_A(·, ·) under the condition of not querying the oracle O_A with the input (pk_B, N). Eventually, 𝒜 outputs b'.

3. The advantage of the game is

$$\mathrm{Adv}(\mathrm{KA}_{\mathcal{A}}) = \Pr[\mathrm{KA}^{1}_{\mathcal{A}} = 1] - \Pr[\mathrm{KA}^{0}_{\mathcal{A}} = 1].$$

A KA protocol (Gen_A(1^n), Gen_B(1^n), D, A, B) is D-AKA secure if for all PPT algorithms 𝒜, Adv(KA_𝒜) is negligible.

We show that eCK-security implies D-AKA security in Theorem 8 in Appendix A. It means that our new public-key DB protocols can employ eCK-secure key agreement protocols as well.

Note that, as a result of Lemma 1 in Appendix A, the probability that the oracle O_B picks the same nonce twice is negligible when we have D-AKA security.


Definition 14 (D-AKA_p privacy). Given b ∈ {0, 1} and the oracle O_A(·, ·) (defined in Definition 13), the game KA^{b,p}_𝒜(n) is:

1. The challenger runs Gen_A(1^n) → (sk_A, pk_A) and Gen_B(1^n) → (sk_{B_1}, pk_{B_1}), sets up the oracle and gives pk_A, pk_{B_1} and sk_{B_1} to 𝒜.

2. 𝒜 selects sk_{B_0} and pk_{B_0} and sends them to the challenger.

3. The challenger executes D(1^n) → N, B(sk_{B_b}, pk_{B_b}, pk_A, N) → s. Then, he sends s to the adversary 𝒜.

4. 𝒜 has access to the oracle O_A. Eventually, 𝒜 outputs b'. (Remark that 𝒜 does not know N.)

5. The advantage of the game is

$$\mathrm{Adv}(\mathrm{KA}^{p}_{\mathcal{A}}) = \Pr[\mathrm{KA}^{1,p}_{\mathcal{A}} = 1] - \Pr[\mathrm{KA}^{0,p}_{\mathcal{A}} = 1].$$

A KA protocol (Gen_A(1^n), Gen_B(1^n), D, A, B) is D-AKA_p private if for all PPT algorithms 𝒜, Adv(KA^p_𝒜) is negligible.

A One-Pass AKA Protocol (Nonce-DH): We construct a D-AKA secure protocol (Nonce-DH) based on Diffie-Hellman (DH) [14] as in Fig. 3. Here g is a generator of a group of prime order q; g and q depend on the security parameter. The parties know each other's public keys beforehand, where pk_A = g^{sk_A} and pk_B = g^{sk_B}, and sk_A and sk_B are the corresponding secret keys, picked uniformly in Z_q.

The party B has input (sk_B, pk_B, pk_A). He randomly picks N from {0, 1}^ℓ and computes B(sk_B, pk_B, pk_A, N) = H(g, pk_B, pk_A, pk_A^{sk_B}, N) to get s. The party A computes A(sk_A, pk_A, pk_B, N) = H(g, pk_B, pk_A, pk_B^{sk_A}, N) and gets s. Here, H is a deterministic function.

Clearly, Nonce-DH is correct since H is deterministic and pk_A^{sk_B} = g^{sk_A sk_B} = pk_B^{sk_A}.

    A(sk_A, pk_A, pk_B)                           B(sk_B, pk_B, pk_A)
                                                  pick N ∈ {0, 1}^ℓ
                       <----------- N -----------
    H(g, pk_B, pk_A, pk_B^{sk_A}, N) -> s         H(g, pk_B, pk_A, pk_A^{sk_B}, N) -> s

Fig. 3. The Nonce-DH key agreement protocol.

Theorem 3. Assuming that the Gap Diffie-Hellman problem [30] is hard and ℓ = Ω(n), Nonce-DH is D-AKA secure and D-AKA_p private in the random oracle model.

The proof is in Appendix C.

5 Efficient Public Key Distance Bounding Protocol 

In this section, we first introduce Eff-pkDB which is secure against DF, MF and 
DH and then Eff-pkDB p a variant of it preserving the strong privacy as well. 

5.1 Eff-PkDB 

Eff-pkDB (Fig. 4) is constructed from an AKA in one pass and a symmetric DB protocol. P and V first agree on a secret key s using the AKA protocol. Then, they run a symmetric-key DB protocol (symDB) together using s. Using OTDB as symDB and Nonce-DH as the AKA protocol will turn out to be enough for its security.
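As an added example (not the authors' implementation), here is Nonce-DH from Sect. 4 over secp256k1, composed with a simplified symmetric DB phase in the shape of Fig. 4. Assumptions beyond the text: H is SHA-256 over fixed-length encodings of (g, pk_B, pk_A, g^{sk_A sk_B}, N); the nonce length is ℓ = 256 bits; the DB phase derives the 2n-bit table d from s with SHAKE-256 and keeps only the response rule resp_k(c) = d_{2k+c-1} from the OTDB analysis in Sect. 3, so it is a stand-in for OTDB rather than OTDB itself; the curve arithmetic is a toy affine implementation, not constant-time, and a deployment would use a vetted library. Two checks that the paper assumes away are kept explicit because a practitioner needs them: each party verifies that the peer's public key is a point on the curve before combining it with its own secret, and the verifier outputs Out_V = 0 as soon as one round fails.

```python
import hashlib
import secrets

# secp256k1 domain parameters: field prime P, group order Q, generator G.
# Toy affine arithmetic for illustration only (not constant time).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
NONCE_LEN = 32   # ell = 256 bits, satisfying ell = Omega(n) from Theorem 3


def on_curve(pt):
    """y^2 = x^3 + 7 over F_P; None (the point at infinity) is rejected."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 = -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (the 'EC multiplication')."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def enc_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def keygen():
    """Gen: sk uniform in [1, Q-1], pk = g^sk (here sk*G)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, ec_mul(sk, G)


def H(pk_b, pk_a, dh, nonce):
    """H(g, pk_B, pk_A, g^{sk_A sk_B}, N) instantiated with SHA-256 (assumption)."""
    data = enc_point(G) + enc_point(pk_b) + enc_point(pk_a) + enc_point(dh) + nonce
    return hashlib.sha256(b"Nonce-DH" + data).digest()


def nonce_dh_B(sk_b, pk_b, pk_a):
    """Party B (the DB prover in Eff-pkDB): sample N and derive s."""
    if not on_curve(pk_a):
        raise ValueError("peer public key is not a valid curve point")
    nonce = secrets.token_bytes(NONCE_LEN)             # N <- D(1^n)
    return H(pk_b, pk_a, ec_mul(sk_b, pk_a), nonce), nonce


def nonce_dh_A(sk_a, pk_a, pk_b, nonce):
    """Party A (the DB verifier): recompute s from the received N."""
    if not on_curve(pk_b):
        raise ValueError("peer public key is not a valid curve point")
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce has the wrong length")
    return H(pk_b, pk_a, ec_mul(sk_a, pk_b), nonce)


def expand(s, n):
    """2n-bit response table d derived from s (SHAKE-256, an assumption)."""
    stream = hashlib.shake_256(s).digest((2 * n + 7) // 8)
    return [(stream[i // 8] >> (i % 8)) & 1 for i in range(2 * n)]


def eff_pkdb(sk_v, pk_v, sk_p, pk_p, n=32):
    """One honest Eff-pkDB run: one-pass AKA, then n rounds using the rule
    resp_k(c) = d_{2k+c-1}. Returns Out_V (1 = accept, 0 = reject)."""
    s_p, nonce = nonce_dh_B(sk_p, pk_p, pk_v)          # prover; (N, pk_P) sent in clear
    s_v = nonce_dh_A(sk_v, pk_v, pk_p, nonce)          # verifier recomputes s
    d_p, d_v = expand(s_p, n), expand(s_v, n)
    for k in range(1, n + 1):
        c = secrets.randbits(1)                        # verifier's challenge bit
        if d_p[2 * k + c - 2] != d_v[2 * k + c - 2]:   # prover's answer vs expected
            return 0
    return 1
```

The pair (N, pk_P) that nonce_dh_B hands to the verifier travels in the clear, which is exactly the leak Eff-pkDB_p later closes with one IND-CCA encryption; the AKA itself costs the prover one scalar multiplication and one hash, matching the Nonce-DH row of Table 3.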

Theorem 4. If symDB is OT-DF-secure, then Eff-pkDB is DF-secure. 

Proof sketch: The malicious and far away prover with its instances play the DF 
game. We can easily reduce it to the game where V and the adversary receive 
the same s' from outside (even if maliciously selected). Since symDB is OT-DF- 
secure, the prover passes the protocol with negligible probability. □ 

Theorem 5. If symDB is multi-verifier OT-MiM-secure and the key agreement protocol with the algorithms Gen_A, Gen_B, A, B, D is D-AKA secure, then Eff-pkDB is MiM-secure.


    V(sk_V, pk_V)                                  P(sk_P, pk_P, pk_V)
                                                   N <- D(1^n)
                                                   B(sk_P, pk_P, pk_V, N) -> s
                     <--------- N, pk_P ---------
    A(sk_V, pk_V, pk_P, N) -> s
                     <--------- symDB(s) -------->
    Out_V

Fig. 4. Public-key DB protocol based on a D-AKA secure KA (Eff-pkDB).
Proof. Γ_i is a game and p_i denotes the probability that 𝒜 succeeds in Γ_i.

Γ_0: The adversary plays the MiM game in Eff-pkDB with the distinguished verifier V, V's instances and the prover instances. V receives pk_P and a given N. We call "matching instance" the instance which sends this N.

Γ_1: We reduce Γ_0 to Γ_1 where no nonce produced by any prover instance is duplicated or equal to any nonce received by any verifier instance before. Thanks to Lemma 1 in Appendix A, p_1 − p_0 is negligible. So, the matching instance (if any) is unique and sets N before it is sent to V.

Γ_2: We simulate the prover instances and V as below in this game. Basically, in Γ_2, the prover and the verifier do not use the secret generated by the oracles O_B and O_A, respectively.


    P_j(·) (in Γ_2)                      V(·) (in Γ_2)
      run O_B(pk_V) -> (s_0, N')           receive N', pk_P
      send N', pk_P                        if (N', ., pk_P) ∈ T:
      pick s_1                               retrieve s from T where (N', s, pk_P) ∈ T
      store (N', s_1, pk_P) in T           else:
      run symDB(s_1)                         s <- O_A(pk_P, N')
                                           run symDB(s)

With the reduction from Γ_1 to Γ_2 we show that the secrets generated by A and B are indistinguishable from a randomly picked secret. The reduction is shown below.

We define the hybrid games Γ_{2,i} to show that p_2 − p_1 is negligible. Here, i ∈ {0, 1, 2, ..., k} and k is the number of prover instances, bounded by a polynomial.

Γ_{2,i}: V is simulated as in Γ_2 and the j-th instance of P is simulated as in Γ_2 for j ≤ i and as in Γ_1 for j > i. Clearly, Γ_{2,0} = Γ_1 and Γ_{2,k} = Γ_2.

First, we show that Γ_{2,i} and Γ_{2,i+1} are indistinguishable. For this, we use an adversary ℬ that plays the D-AKA game. ℬ receives s_b, N, pk_B, pk_A from the D-AKA challenger and simulates against the adversary 𝒜 which distinguishes Γ_{2,i} and Γ_{2,i+1}. ℬ assigns pk_V = pk_A and pk_P = pk_B. ℬ simulates each prover


P_j as described below.

    P_j(·) (ℬ's simulation)
      if j ≠ i + 1:
        O_B(pk_V) -> (s', N')
        if j ≤ i: pick s' uniformly at random
      else:
        s' <- s_b and N' <- N
      if j ≤ i + 1: store (N', s', pk_P) in T
      send N', pk_P
      run symDB(s')

Note that if b = 0, which means s_b is generated by the oracle O_B, then ℬ simulates the game Γ_{2,i}. Otherwise, he simulates Γ_{2,i+1}.

For the verifier simulation, ℬ first checks if (N', ., pk_P) is stored in T, as V does in Γ_2. Otherwise, he sends (pk_P, N') to the oracle O_A and receives s'. Since (N, s_b, pk_P) is always stored in T, (pk_P, N) is never queried to the oracle O_A, so the restriction of the D-AKA game is respected. At the end of the game, 𝒜 sends his decision. If 𝒜 outputs i, then ℬ outputs 0. If 𝒜 outputs i + 1, then ℬ outputs 1. Clearly, the advantage of ℬ is p_{2,i} − p_{2,i+1}. Due to the D-AKA security, we obtain that p_{2,i} − p_{2,i+1} is negligible. From the hybrid argument, we can conclude that p_{2,0} − p_{2,k} is negligible, where p_{2,0} = p_1 and p_{2,k} = p_2.

Γ_3: We simulate the prover instances as below so that they do not run the oracle O_B to get N. The only change in this game is the generation of the nonce. Since the prover in Γ_3 picks the nonce from the same distribution that O_B picks it from, p_3 = p_2. This game shows that the prover generates N' (and also s_1) independently from O_B.

    P(·) (in Γ_3)
      pick N' <- D(1^n)
      send N', pk_P
      pick s_1
      store (N', s_1, pk_P) in T
      run symDB(s_1)

Γ_4: We reduce Γ_3 to the multi-verifier OT-MiM-security game Γ_4 where there is only the matching instance and the other instances are simulated. With this final reduction, we show that the adversary has to break the multi-verifier OT-MiM-security of symDB in order to break the MiM-security of Eff-pkDB.

The reduction is the following. 𝒜_3 plays the Γ_3 game. We construct an adversary 𝒜_4^i in Γ_4. 𝒜_4^i receives N from the matching prover in Γ_4. 𝒜_4^i takes P_i as the matching prover in Γ_3, where i ∈ {1, ..., k}. 𝒜_4^i simulates all of the provers except P_i against 𝒜_3. For P_i, 𝒜_4^i just sends (pk_P, N). In the end, if P_i is the matching instance in Γ_3 and 𝒜_3 wins, then 𝒜_4^i wins. Therefore p_3 ≤ Σ_{i=1}^{k} p_{4,i}, where p_{4,i} is the probability that 𝒜_4^i wins. Due to multi-verifier OT-MiM-security, all p_{4,i} are negligible. So, p_3 is negligible. Hence, p_0 is negligible. □

Theorem 6. If symDB is OT-MiM-secure, OT-DH-secure and follows the canonical structure, and if the key agreement protocol with the algorithms Gen_A, Gen_B, A, B, D is D-AKA secure, then Eff-pkDB is DH-secure.

Proof. Γ_i is a game and p_i denotes the probability that the adversary succeeds in Γ_i.

Γ_0: The adversary P with its instances plays the DH-security game in Eff-pkDB with the distinguished verifier V and its instances and an honest prover P'. The probability that the adversary succeeds in Γ_0 is p_0.

Γ_1 and Γ_2: These games are like in the proof of Theorem 5 except that P_j is replaced by P'. The reduction from Γ_0 to Γ_1 and Γ_2 is similar to the proof of Theorem 5. So we can conclude that p_2 − p_0 is negligible.

We let N be the nonce produced by the instance of P' and s_1 be its key which plays a role during the challenge phase of V in the DH game.

We reduce Γ_2 to Γ_3, in which every Out_V of a verifier instance who receives pk_P and N is replaced by 0 during the initialization phase. Intuitively, in this case Out_V cannot be equal to 1 because if it is 1, it means P' impersonates P. The reduction is as follows: During the initialization phase, P' sends messages which do not depend on s_1 because of the canonical structure, and which can be simulated. So, we can reduce this phase to the multi-verifier IF game and use Theorem 2 to show that p_3 − p_2 is negligible. This reduction shows that the DH-adversary P cannot win the game by sending pk_P together with the N generated by P'.

Γ_4: We reduce Γ_3 to Γ_4, where the game stops after the challenge phase for V. Since the verification phase, which comes after the challenge phase, is non-interactive and Out_V is determined at the end of the challenge phase, p_4 = p_3.

Γ_5: We reduce Γ_4 to Γ_5, which is the OT-DH game. In Γ_5, s_1 has never been used, so s (the key of V, which is given by the adversary) is independent from s_1. In this case, P' and V run symDB with independent secrets. So, p_5 = p_4. Because of the OT-DH security of symDB, p_5 is negligible. □

5.2 Eff-pkDB_p

Eff-pkDB is not strong private, as the public key of the prover is sent in the clear. Adding one encryption operation to Eff-pkDB is enough to have strong privacy.

Eff-pkDB_p in Fig. 5 is the following: The prover and the verifier generate their secret/public key pairs by running the algorithms Gen_P(1^n) and Gen_V(1^n), respectively. We denote by (sk_P, pk_P) the secret/public key pair of the prover and by (sk_V, pk_V) the secret/public key pair of the verifier, where sk_V = (sk_{V_1}, sk_{V_2}) and pk_V = (pk_{V_1}, pk_{V_2}); the first key is used for the encryption and the second key is used for the AKA protocol. The prover picks N from the sampling algorithm D and generates s with the algorithm B(sk_P, pk_P, pk_{V_2}, N). Then, he encrypts pk_P and N under pk_{V_1}. After that, he sends the ciphertext e to the verifier. The verifier decrypts e with sk_{V_1} and learns N and pk_P, which tells him who is interacting with him. Next, the verifier runs A(sk_{V_2}, pk_{V_2}, pk_P, N) and gets s. Finally, the prover and the verifier run a symmetric DB protocol symDB with s.

Assuming that the AKA protocol is D-AKA secure and symDB is an OT-X secure symmetric-key DB protocol for all X ∈ {DF, MiM, DH} and follows the canonical structure, we can easily show that Eff-pkDB_p is X-secure from Theorems 4 to 6. To prove this, we start from an adversary playing the X-security game against Eff-pkDB_p. We construct an adversary playing the same game against Eff-pkDB to whom we give sk_{V_1}. The simulation is straightforward: with sk_{V_1} it can decrypt any e and recover pk_P and N.

    V(sk_V, pk_V)                                          P(sk_P, pk_P, pk_V)
                                                           N <- D(1^n)
                                                           B(sk_P, pk_P, pk_{V_2}, N) -> s
                                                           e = Enc_{pk_{V_1}}(pk_P, N)
                       <------------- e -------------
    pk_P, N = Dec_{sk_{V_1}}(e)
    A(sk_{V_2}, pk_{V_2}, pk_P, N) -> s
                       <--------- symDB(s) --------->
    Out_V

Fig. 5. Eff-pkDB_p: private variant of Eff-pkDB.

Theorem 7. Assuming that the key agreement protocol is D-AKA_p private and the cryptosystem is IND-CCA secure, Eff-pkDB_p is strong private in the HPVP model (Definition 5).

Proof. Γ_i is a game and p_i denotes the probability that 𝒜 succeeds in Γ_i.

Γ_0: The adversary 𝒜 plays the HPVP privacy game.

Γ_1: The verifiers skip the decryption when they receive a ciphertext produced by any prover and continue with the values encrypted by the prover. Because of the correctness of the encryption scheme, p_1 = p_0.

Γ_2: This game is the same as Γ_1 except that the provers encrypt a random string instead of pk_P, N. The verifier retrieves e and s from the table T so that it does not decrypt any ciphertext that comes from a prover, as in Γ_1. Thanks to the IND-CCA security (verifiers are simulated using a decryption oracle due to our Γ_1 reduction; the use of this oracle is valid in the IND-CCA game because the provers' ciphertexts are never submitted to it), p_2 − p_1 is negligible. So, P and V work as follows:


    P(·) (in Γ_2)                         V(·) (in Γ_2)
      pick N <- D(1^n)                      receive e
      s <- B(sk_P, pk_P, pk_{V_2}, N)       if (e, .) ∈ T:
      pick r                                  retrieve s from T where (e, s) ∈ T
      e <- Enc_{pk_{V_1}}(r)                else:
      store (e, s) in T                       (pk', N) <- Dec_{sk_{V_1}}(e)
      send e                                  s <- A(sk_{V_2}, pk_{V_2}, pk', N)
      run symDB(s)                          run symDB(s)

This reduction shows that the adversary cannot retrieve pk_P and N from the encryption.

Γ_3: It is the same as Γ_2 except that we simulate the prover as below. In this game, s is generated independently from sk_P and pk_P.

    P(·) (in Γ_3)
      (sk, pk) <- Gen_B(1^n)
      pick N <- D(1^n)
      run s <- B(sk, pk, pk_{V_2}, N)
      pick r
      e <- Enc_{pk_{V_1}}(r)
      store (e, s) in T
      send e
      run symDB(s)

We define the hybrid games Γ_{3,i} to show that p_3 − p_2 is negligible. Here, i ∈ {0, 1, 2, ..., k} and k is the number of prover instances, bounded by a polynomial.

Γ_{3,i}: V is simulated as in Γ_2 and the j-th instance of P is simulated as in Γ_3 if j ≤ i and as in Γ_2 if j > i.
First, we show that Γ_{3,i} and Γ_{3,i+1} are indistinguishable. For this, we use an adversary ℬ that plays the D-AKA_p game. ℬ receives pk_A, pk_{B_1} and sk_{B_1} from the D-AKA_p challenger, picks (sk_{B_0}, pk_{B_0}) and sends them to the challenger. Finally, ℬ receives s. After that, he begins simulating against the adversary 𝒜 that wants to distinguish Γ_{3,i} and Γ_{3,i+1}.

    P_{i+1}(·) (ℬ's simulation)
      pick r
      e <- Enc_{pk_{V_1}}(r)
      store (e, s) in T
      send e
      run symDB(s)

ℬ assigns pk_{V_2} = pk_A and pk_P = pk_{B_1}. For all of the prover simulations, if j ≠ i + 1, P_j is simulated normally (as in Γ_3 for j ≤ i and as in Γ_2 for j > i + 1). V is simulated using the O_A oracle. Corrupt queries can be simulated since sk_{B_1} is available.

Note that if s is generated from B(sk_{B_0}, pk_{B_0}, pk_A, N) then ℬ simulates Γ_{3,i+1}, and if it is generated from B(sk_{B_1}, pk_{B_1}, pk_A, N) then ℬ simulates Γ_{3,i}.

For the verifier simulation, ℬ first checks if (e, .) is stored in T, as V does in Γ_2. Otherwise, he decrypts e and sends (pk_{P_j}, N) to the oracle O_A(pk_{P_j}, N) and receives s. At the end of the game, 𝒜 sends his decision. If 𝒜 outputs i, then ℬ outputs 1. If 𝒜 outputs i + 1, then ℬ outputs 0. Clearly, the advantage of ℬ is p_{3,i} − p_{3,i+1}, which is negligible because of the D-AKA_p assumption. From the hybrid argument, we can conclude that p_{3,0} − p_{3,k} is negligible, where p_{3,0} = p_2 and p_{3,k} = p_3.

Now, in Γ_3, no identity is used by the provers. Hence, 𝒜 does not have any advantage in guessing the prover, which means p_3 = 1/2. As a result, p_0 − 1/2 is negligible. □

Consequently, if we use a D-AKA secure and D-AKA_p private key agreement protocol in Eff-pkDB_p, then we have a DF-, MiM- and DH-secure and strong private public-key DB protocol. For instance, the Nonce-DH key agreement protocol is a good candidate for Eff-pkDB_p.

Difficulties of having strong privacy: Strong privacy is the hardest privacy notion to achieve in DB protocols. Sending all prover messages under an IND-CCA secure encryption is not always enough to have strong privacy. We exemplify our argument as follows: Clearly, Eff-pkDB is still DF-, MiM- and DH-secure if we replace the nonce selection by a counter. So, we can make a new version of Eff-pkDB_p based on the counter version of Eff-pkDB, where the prover sends his public key and the counter under an IND-CCA encryption. However, clearly, this does not give strong privacy, because when an adversary calls the Corrupt oracle, he learns the counters of the two drawn provers. Since the adversary knows the corresponding secret keys for both of them, he can easily distinguish the drawn provers based on the counter. This attack is not possible in Eff-pkDB_p, which uses a nonce instead of a counter, because the nonce lives only in volatile memory. So, the adversary does not learn it with the Corrupt oracle.
Table 2. The review of the existing public-key DB protocols.

Protocol         | Security    | Privacy        | PK operations                                     | Number of computations
Brands-Chaum [9] | MiM, DF     | No privacy     | 1 commitment, 1 signature                         | 1 EC multiplication, 2 hashings, 1 mapping, 1 modular inversion, 1 random string selection
HPO [20]         | MiM, DF     | Weak private   |                                                   | 4 EC multiplications, 2 random string selections, 2 mappings
PrivDB [37]      | MiM, DF, DH | Strong private | 1 signature, 1 IND-CCA encryption                 | 3 EC multiplications, 2 hashings, 2 random string selections, 1 modular inversion, 1 mapping, 1 symmetric key encryption, 1 MAC
Simp-pkDB        | MiM, DF     | No privacy     | 1 decryption                                      | 1 EC multiplication, 1 hashing, 1 symmetric key decryption, 1 MAC
Eff-pkDB         | MiM, DF, DH | No privacy     | 1 D-AKA secure KA protocol                        | 1 EC multiplication, 1 hashing, 1 random string selection
Eff-pkDB_p       | MiM, DF, DH | Strong private | 1 IND-CCA encryption, 1 D-AKA secure KA protocol  | 3 EC multiplications, 2 hashings, 2 random string selections, 1 symmetric key encryption, 1 MAC

6 Conclusion 

Our main purpose in this work was to design an efficient and secure public-key DB protocol. First, we designed Eff-pkDB, which is secure against DF, MiM and DH. We did not consider privacy in this one because privacy is not the main concern of some applications. Therefore, Eff-pkDB can be employed by applications that do not need privacy. Eff-pkDB is one of the most efficient public-key DB protocols compared to the previous ones (see Table 2).

Second, we added strong privacy to the Eff-pkDB protocol and obtained Eff-pkDB_p. We achieved this by adding one public-key IND-CCA secure encryption. In this case, the protocol is not as efficient as before but is still one of the most efficient ones with the same security and privacy properties.

In Table 2, we give the security properties of existing public-key DB protocols along with the number of computations done on the prover side. We use the number of elliptic curve multiplications and hashings as the metric in our efficiency analysis. We exclude GOR, ProProx and eProProx (in Table 1) since they clearly require a lot more computation than the other public-key DB protocols. In our counting of the number of computations in Table 2, 1 commitment is counted as 1 hashing operation. For the signature, we prefer ECDSA [21], an efficient signature scheme that is existentially unforgeable under chosen-message attacks. ECDSA requires 1 EC multiplication, 1 mapping, 1 hashing, 1 modular inversion and 1 random string selection. For the IND-CCA encryption scheme, we use ECIES [31], which requires 2 EC multiplications, 1 KDF, 1 symmetric key encryption, 1 MAC and 1 random string selection. For the D-AKA secure key agreement protocol, we use Nonce-DH, which requires 1 EC multiplication, 1 hashing and 1 random string selection.

We first compare the protocols considering the security and efficiency trade-off. Eff-pkDB and Simp-pkDB are the most efficient ones. However, Simp-pkDB is secure only against MiM and DF. After Eff-pkDB, the second most efficient protocol is the Brands-Chaum protocol [9], but this protocol is only secure against MiM and DF, while Eff-pkDB is secure against DH as well.

Now, we compare the protocols considering the security, privacy and efficiency trade-off. In this case, HPO requires 4 EC multiplications while PrivDB and Eff-pkDB_p require 3 EC multiplications and 2 hashings. Hashing is more efficient than elliptic curve multiplication, so it looks like PrivDB and Eff-pkDB_p are more efficient. However, HPO has an advantage in efficiency if it is used in dedicated hardware allowing only EC operations. On the other hand, Eff-pkDB_p and PrivDB are secure against MiM, DF, DH and strong private, while HPO is only MiM and DF secure and only weak private.

Eff-pkDB_p and PrivDB have the same security and privacy properties and almost the same efficiency level. However, if we analyze the efficiency with more metrics, we see that PrivDB requires an extra modular inversion and an extra mapping. More importantly, Eff-pkDB_p has the lighter version Eff-pkDB, which can be used efficiently in applications which do not need privacy.

One important and useful property of Eff-pkDB is that it can employ any D-AKA secure key agreement protocol to satisfy DF, MiM and DH security.

Acknowledgements. This work was partly sponsored by the ICT COST Action 
IC1403 Cryptacus in the EU Framework Horizon 2020. 

A More Results About the D-AKA Security Model

The Extended Canetti-Krawczyk (eCK) Security Model [27]. The eCK security model consists of t parties with their certified public keys. The key exchange protocol is executed between two parties A and B. When A starts a key exchange protocol with B, it is called a session; A is the owner of the session and B is the peer. A (initiator) starts the protocol by sending a message M_A, then B (responder) responds with a message M_B. The session id sid corresponds to an instance of A or B.

There is a probabilistic polynomial time (PPT) adversary 𝒜 controlling all communication and some instances. The activation of the parties starts by Send(A, B, message) (or Send(B, A, message)). Besides Send, 𝒜 can make the following queries:

- Long-Term Key Reveal(A): Outputs the long-term secret key of A.

- Ephemeral Key Reveal(sid): Outputs the ephemeral key of the session sid.

- Reveal(sid): Outputs the session key of a completed session sid.

- Test(sid): If sid is clean, then outputs s ← Reveal(sid) if b = 1 and outputs s ← {0, 1}^λ if b = 0 (λ is the size of the session key).

The advantage is the difference between the probability that 𝒜 outputs 1 for b = 0 and the probability that it outputs 1 for b = 1.
Table 3. Existing KA protocols with their security and efficiency. The efficiency column shows the number of exponentiations done per party.

KA Protocol | Efficiency | Security
MQV [29]    | 2.5        | unproven
HMQV [26]   | 2.5        | CK
KEA+ [28]   | 3          | CK
NAXOS [27]  | 4          | eCK
CMQV [32]   | 3          | eCK
Nonce-DH    | 1          | D-AKA

A clean session is basically a session where winning the game for 𝒜 is not trivial. See [27] for more details.

Theorem 8. If a key agreement protocol is eCK secure [27], then it is D-AKA secure.

Proof. Let us assume that there is an adversary 𝒜 playing the D-AKA game. We construct an adversary ℬ simulating the D-AKA game and playing the eCK game. ℬ receives all the public keys in the eCK game. ℬ first picks two parties A and B. Then, he creates a session sid between them by sending the query Send(A, B, message) and assigns the ephemeral public key of B as the nonce N. Then, he sends the query Test(sid) and receives s_b. Finally, he sends s_b, N, pk_B, pk_A to 𝒜. Whenever 𝒜 calls the oracle O_B(pk_{A'}), ℬ creates a new session sid' with A' on behalf of B as explained above. Similarly, he assigns the ephemeral public key of B as the nonce N'. After that, he sends the query Reveal(sid') and receives the session key s'. As the response of O_B(pk_{A'}), he sends s', N' to 𝒜. In addition, whenever 𝒜 calls the oracle O_A(pk_{B'}, N''), ℬ first checks if (pk_{B'}, N'') equals (pk_B, N). If it is not equal, he creates a new session sid'' on behalf of B' with the ephemeral public key N'' and calls the oracle Reveal(sid'') to receive the session key s''. Then, he responds to 𝒜 with s''. In the end, ℬ outputs whatever 𝒜 outputs. The simulation of the D-AKA game is perfect, so the advantage of ℬ equals the advantage of 𝒜. Therefore, since the advantage of ℬ is negligible, the advantage of 𝒜 is negligible as well. □

As a result of Theorem 8, we can conclude that any eCK secure key agreement protocol can be used in Eff-pkDB. However, we suggest using D-AKA secure key agreement protocols since they may require fewer public-key operations.

Lemma 1. We consider a D-AKA secure key agreement protocol (Gen_A, Gen_B, D, A, B). We define the random variables (sk_A, pk_A) ← Gen_A(1^n), (sk_B, pk_B) ← Gen_B(1^n), (s, N) ← O_B(pk_A) and (s', N') ← O_B(pk_A). We have that Pr[N = N'] is negligible. Furthermore, for all values u which could depend on sk_A, pk_A, sk_B, pk_B, Pr[N = u] is negligible.

Proof. We define an adversary 𝒜 playing the D-AKA game as follows:

    𝒜:
      receive s_b, N, pk_B, pk_A
      (s', N') <- O_B(pk_A)
      if N' = N:
        if s' = s_b: output 0
        else: output 1
      else:
        output b' <-_r {0, 1}

In this strategy, 𝒜 wins if N = N' (except when s_1 = s_0 and b = 1). Otherwise, he wins with probability 1/2.

$$\Pr[\mathcal{A}\ \text{wins}] = \tfrac{1}{2}\,(1 - \Pr[N = N']) + \Pr[N = N'] - \Pr[N = N',\ s_1 = s_0,\ b = 1] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[N = N'] - \Pr[N = N',\ s_1 = s_0,\ b = 1].$$

We know from the D-AKA security that Pr[𝒜 wins] − 1/2 is negligible. Pr[s_1 = s_0] = 2^{-n} is negligible as well. So, Pr[N = N'] is negligible. Now, we need to show that it holds for all values u.

Let v be the most probable value for N. We have

$$\Pr[N = N'] = \sum_{w} \Pr[N = N' = w] = \sum_{w} \Pr[N = w]^2 \ge \Pr[N = v]^2.$$

So, we have the following inequality in the end:

$$\Pr[N = u] \le \Pr[N = v] \le \sqrt{\Pr[N = N']}.$$

We know that Pr[N = N'] is negligible, so Pr[N = u] is negligible. □


B Mafia and Distance Fraud Secure Public-Key DB

We consider the Simp-pkDB protocol in Fig. 6. In Simp-pkDB the prover P selects a nonce N ∈ {0, 1}^ℓ and sends it to the verifier together with pk. Then the verifier V selects a secret s ∈ {0, 1}^ℓ, encrypts it together with N under the public key pk of the prover and sends the encryption e to P. After receiving e, P decrypts it with the secret key sk and gets s, N. If N is the nonce chosen by P, then they run the one-time secure symDB(s).

We show that this protocol is MiM-secure but not DH-secure. Simp-pkDB requires only one public-key operation, which is an IND-CCA decryption.

    V                                          P(pk, sk)
                                               pick N ∈ {0, 1}^ℓ
                   <------------ N, pk ------------
    pick s ∈ {0, 1}^ℓ
    e <- Enc_pk(s || N)
                   ------------- e ------------->
                                               s, N = Dec_sk(e)
                                               Verify(N)
                   <--------- symDB(s) --------->
    Out_V

Fig. 6. Simp-pkDB.


Theorem 9. If symDB is DF -secure then Simp-pkDB is DF- secure. 

Proof. It is trivial. 

Theorem 10. If symDB is one-time MiM-secure and the cryptosystem resists 
chosen- ciphertext attacks (IND-CCA secure) then Simp-pkDB is MiM-secure. 

Proof. $\Gamma_i$ is a game and $p_i$ denotes the probability that $\mathcal{A}$ succeeds in $\Gamma_i$.

$\Gamma_0$: The adversary plays the MiM game in the protocol in Fig. 6 with the verifier with its instances, the prover with its instances and other actors. Let us assume that the number of prover instances is $k$ where $k$ is polynomially bounded.

Let $s$, $pk$, $N$ and $e$ be the values seen by the distinguished instance $V$ of the verifier. Here $e = \mathsf{Enc}_{pk}(s\|N)$. We group the prover's instances as follows:

1. The provers seeing $N$ and $e$,

2. The provers seeing $e$ but another nonce $N'$,

3. The provers not seeing $e$ (seeing a ciphertext $e'$ which is not $e$).

The probability that an adversary succeeds in $\Gamma_0$ is $p_0$.

$\Gamma_1$: We reduce $\Gamma_0$ to $\Gamma_1$ where the first group has at most one prover instance $P$. We call $V$ and $P$ the matching instances. The probability that more than one prover picks the same $N$ is bounded by $\binom{k}{2} 2^{-\ell}$, which is negligible. So, $p_1 - p_0$ is negligible.

$\Gamma_2$: We reduce $\Gamma_1$ to $\Gamma_2$ where the matching $P$ receives $e$ after $V$ has released $e$, which means that $e$, the encryption of $s\|N$, is only sent by the verifier. In $\Gamma_1$, the probability that $V$ selects $s$ after $P$ has received $e$ so that $\mathsf{Dec}_{sk}(e) = s$ is negligible, which means that $p_2 - p_1$ is negligible.

$\Gamma_3$: We reduce $\Gamma_2$ to $\Gamma_3$ where the provers are simulated as below:

The prover in the first group, after receiving $e$, runs $\mathsf{symDB}(s)$ without decrypting $e$. Since $e$ was released before, the value of $s$ is already defined. The provers in the second group abort the protocol after receiving $e$. The provers in the third group call the decryption oracle $\mathsf{Dec}_{sk}(\cdot)$ after receiving $e'$ and check whether the nonce is the same nonce that was chosen by them. Then they run $\mathsf{symDB}(s')$ with $s'$ obtained from the decryption oracle.

The simulation gives an identical result, so the success probabilities in $\Gamma_3$ and $\Gamma_2$ are the same.

$\Gamma_4$: We reduce $\Gamma_3$ to $\Gamma_4$. We simulate $V$ in $\Gamma_4$. The simulation of $V$, after selecting $s$, encrypts a random plaintext instead of $s\|N$.

$\Gamma_3$ and $\Gamma_4$ are indistinguishable because of the IND-CCA security of the encryption scheme. We construct an adversary $\mathcal{B}$ playing the IND-CCA game and simulating the MiM game against the adversary $\mathcal{A}$.

$\mathcal{B}$ receives $pk$ from the IND-CCA challenger and then forwards it to $\mathcal{A}$. First, $\mathcal{B}$ picks $N, s \in \{0,1\}^\ell$ and $r \in \{0,1\}^{2\ell}$ and assigns $m_0 = s\|N$, $m_1 = r$. Then he sends $m_0$ and $m_1$ to the IND-CCA challenger and receives the response $e_b$ where $e_b = \mathsf{Enc}_{pk}(m_0)$ or $\mathsf{Enc}_{pk}(m_1)$. If $\mathcal{A}$ interacts with $V$ then $\mathcal{B}$ sends $e_b$; if $\mathcal{A}$ interacts with $P$, then $\mathcal{B}$ sends $N$. For the simulation of the other prover instances $P'$ (controlled by $\mathcal{A}$), when $P'$ asks for the decryption of $e'$, $\mathcal{B}$ sends $e'$ to the IND-CCA challenger and receives the decryption of $e'$ to send to $P'$. In the end, if $\mathcal{A}$ succeeds then $\mathcal{B}$ outputs 0, otherwise he outputs 1. If $\mathcal{A}$ succeeds given $b = 0$, then it means that he succeeds in $\Gamma_3$, and if $\mathcal{A}$ succeeds given $b = 1$ then it means that he succeeds in $\Gamma_4$. Therefore we have the following success probability of $\mathcal{B}$:

$$\mathsf{Adv}(\mathcal{B}) = \big|\Pr[\mathcal{B} \rightarrow 1 \mid b = 0] - \Pr[\mathcal{B} \rightarrow 1 \mid b = 1]\big| = |p_3 - p_4|.$$

Since we know that the advantage of $\mathcal{B}$ is negligible, we can deduce that $p_3 - p_4$ is negligible (if we multiply a negligible function by a polynomial we still have a negligible function).

$\Gamma_5$: Now in $\Gamma_5$ we have at most two matching instances and they both run $\mathsf{symDB}(s)$ with the same fresh random $s$. In $\Gamma_5$ the rest of the game (including the selection of $pk$ and $sk$ and the decryption oracle $\mathsf{Dec}_{sk}(\cdot)$) is simulated by the adversary; $\Gamma_4$ and $\Gamma_5$ work the same. So $p_4 = p_5$. The success probability $p_5$ of $\mathcal{A}$ is negligible because of the OT-MiM-security of $\mathsf{symDB}$.

As a conclusion, since $p_1 - p_0 = \mathsf{negl}$, $p_2 - p_1 = \mathsf{negl}$, $p_2 - p_3 = 0$, $p_4 - p_3 = \mathsf{negl}$, $p_5 - p_4 = 0$ and $p_5 = \mathsf{negl}$, we deduce that $p_0$ is negligible.

DH-Security: The protocol in Fig. 6 is not secure against DH because of the attack in Fig. 7. In this attack, the malicious and far-away prover $P$ uses the honest and close prover $P'$ so that in the end $V$ accepts $P$.

Basically, $P$ chooses the same nonce that $P'$ chose. Then $V$ encrypts $s\|N$ with the public key $pk_P$ of $P$ and sends it to $P$. $P$ decrypts $e$ with his own secret key $sk_P$ and then behaves as if he were the verifier: he prepares the encryption $e' = \mathsf{Enc}_{pk_{P'}}(s\|N)$ using $P'$'s public key $pk_{P'}$ and sends it to $P'$. Since $e'$ is a valid encryption for $P'$, he continues by executing $\mathsf{symDB}(s)$ with $V$. At the end of the protocol, $V$ accepts $P$ since $V$ has $P$'s public key. $P'$ is used by $P$ only to be able to pass the distance bounding phase of the $\mathsf{symDB}(s)$ protocol.

C Security of Nonce-DH


V(pk_P)                   P(pk_P, sk_P)                   P'(pk_P', sk_P')
                                                          pick N
                                      ←──── N, pk_P' ────
          ←──── N, pk_P ────
pick s
e = Enc_{pk_P}(s‖N)
          ──────── e ────────→
                          s, N = Dec_{sk_P}(e)
                          e' = Enc_{pk_P'}(s‖N)
                                      ──────── e' ────────→
                                                          s, N = Dec_{sk_P'}(e')
                                                          Verify(N)
          ←──────────────────── symDB(s) ────────────────────→
Out_V


Fig. 7. DH attack on Simp-pkDB.


Definition 15 (Gap Diffie-Hellman (GDH) [30]). Let $\mathbb{G}$ be a prime order group and $g \in \mathbb{G}$ be a generator. We have the following problems:

- Computational Diffie-Hellman Problem (CDH): Given $g, X, Y \in \mathbb{G}$, compute $Z = g^{\log_g X \cdot \log_g Y}$.

- Decisional Diffie-Hellman Problem (DDH): Given $g, X, Y, Z \in \mathbb{G}$, decide if $Z = g^{\log_g X \cdot \log_g Y}$ or $Z = g^r$ where $r$ is a random element.

The GDH problem is solving the CDH given $(g, X, Y)$ with the help of a DDH oracle which answers whether a given quadruple is a Diffie-Hellman quadruple.

Theorem 11. Assuming that the GDH problem is hard and $\ell = \Omega(n)$, Nonce-DH is D-AKA secure in the random oracle model.


Proof. The game $\Gamma_0$ is the D-AKA game. The challenger works as follows: he picks $q$ and $g$ as described in Nonce-DH. He randomly picks $sk_A, sk_B \in \mathbb{Z}_q$, and computes $pk_A = g^{sk_A}$, $pk_B = g^{sk_B}$. He picks randomly $s_1 \in \{0,1\}^n$ and then assigns $(s_0, N) \leftarrow O_B(pk_A)$. Then, he picks $b \in \{0,1\}$ and gives $g, q, pk_A, pk_B, N, s_b$ to the adversary $\mathcal{A}$. $\mathcal{A}$ has access to the oracle $H$, to $O_A(\cdot,\cdot)$ (with the restriction of not asking for $(pk_B, N)$) and to $O_B(\cdot)$, all defined below.

$O_A(\cdot,\cdot)$
  Input: $pk'_B, N'$
  if $(pk'_B, N')$ equals $(pk_B, N)$:
    send $\bot$
  else:
    $s \leftarrow H(g, pk'_B, pk_A, {pk'_B}^{sk_A}, N')$
    send $s$

$H(\cdot)$
  Input: $U$
  if $(U, \cdot) \in T$:
    send $V$ where $(U, V) \in T$
  else:
    pick $V \in \{0,1\}^n$
    save $(U, V)$ to $T$
    send $V$

$O_B(\cdot)$
  Input: $pk'_A$
  pick $N' \in \{0,1\}^\ell$
  $s \leftarrow H(g, pk_B, pk'_A, {pk'_A}^{sk_B}, N')$
  send $(s, N')$

We let $\bot$ be a special symbol which is unavailable to $\mathcal{A}$. The success probability of $\mathcal{A}$ in $\Gamma_0$ is $p_0$.

We reduce $\Gamma_0$ to $\Gamma_1$ where the oracle $O_B$ never selects again the nonce $N$ (which is obtained by the first call). Since a nonce in $\Gamma_0$ is equal to $N$ with probability $2^{-\ell}$, we have $|p_1 - p_0| \le q_B \cdot 2^{-\ell}$ where $q_B$ is the number of queries to $O_B$. Due to $\ell = \Omega(n)$, $p_1 - p_0$ is negligible.

We reduce $\Gamma_1$ to $\Gamma_2$ where we replace $H$ with $H'$. $H'$ is defined with access to a DDH oracle (as in Definition 15) as follows:

$H'(\cdot)$
  Input: $(w, x, y, z, N')$
  if $w = g$ and $1 \leftarrow \mathsf{DDH}(g, x, y, z)$:
    $z \leftarrow \bot$
  send $H(w, x, y, z, N')$

Since there is a one-to-one mapping in the transformation of $(g, x, y, z, N')$, the success probability in $\Gamma_2$ remains the same, which means $p_2 = p_1$.

We define another game $\Gamma_3$ where the only difference from $\Gamma_2$ is that we replace the oracle $O_B$ with the oracle $O'_B$.

$O'_B(\cdot)$
  Input: $pk'_A$
  pick $N' \in \{0,1\}^\ell$
  $s \leftarrow H(g, pk_B, pk'_A, \bot, N')$
  send $(s, N')$

Note that $O'_B$ queries $H$ instead of $H'$ and $N' \neq N$ due to the reduction to $\Gamma_1$. $\Gamma_3$ is exactly the same as $\Gamma_2$, so the success probabilities $p_3$ and $p_2$ are the same as well.

Now in $\Gamma_3$, $sk_B$ is used only by the DDH oracle.

We reduce $\Gamma_3$ to $\Gamma_4$ where $\mathcal{A}$ does not make the query $H'(g, pk_B, pk_A, z, N)$ with $z = pk_A^{sk_B}$. Indeed, any such query can be filtered using the DDH oracle and stopped to solve the GDH problem. Since the GDH problem is hard, $\mathcal{A}$ in $\Gamma_3$ selects $z = pk_A^{sk_B}$ given $(pk_A, pk_B)$ with negligible probability. Therefore, $p_4 - p_3$ is negligible.

In $\Gamma_4$, $H(g, pk_B, pk_A, \bot, N)$ is queried only once and this query is done by the challenger. Lastly, we reduce $\Gamma_4$ to $\Gamma_5$ where the challenger picks a random $s_0$ instead of picking $s_0 = H(g, pk_B, pk_A, \bot, N)$.

$\Gamma_4$ and $\Gamma_5$ are the same because, if $(g, pk_B, pk_A, \bot, N)$ is never queried again, it is not necessary that $H$ stores $((g, pk_B, pk_A, \bot, N), s_0)$ in $T$. So, $p_4 = p_5$.

In $\Gamma_5$, $s_0$ and $s_1$ play a symmetric role and could be erased together with $b$ from the game after $s_b$ is released. So, the state of the game after the erasure of $b$, $s_0$ and $s_1$ is independent from $b$. Hence, $p_5 = \frac{1}{2}$, leading to $p_0 - \frac{1}{2}$ being negligible.

□

Theorem 12. Assuming that $\ell = \Omega(n)$, Nonce-DH is D-AKA$_P$ private in the random oracle model.

Proof. The game $\Gamma_0$ is the D-AKA$_P$ game. The challenger works as follows: he picks $q$ and $g$ as described in Nonce-DH. He selects $sk_A, sk_{B_1} \in \mathbb{Z}_q$, and computes $pk_A = g^{sk_A}$ and $pk_{B_1} = g^{sk_{B_1}}$. Then, he sends $pk_A$, $pk_{B_1}$ and $sk_A$ to $\mathcal{A}$. $\mathcal{A}$ selects $sk_{B_0}$ and $pk_{B_0}$ and sends them to the challenger. Next, the challenger picks $b \in \{0,1\}$, $N \in \{0,1\}^\ell$, queries $(g, pk_{B_b}, pk_A, pk_A^{sk_{B_b}}, N)$ to $H$ and receives $s$. He sends $s$ to $\mathcal{A}$. $\mathcal{A}$ has access to the oracle $H$ as defined in the proof of Theorem 11, and to the oracle $O_A(\cdot,\cdot)$.

We reduce $\Gamma_0$ to $\Gamma_1$ where $\mathcal{A}$ never selects the same nonce as $N$ in a query to the oracle $H$ or $O_A$. The probability that he selects $N$ in a query is $2^{-\ell}$, so $p_1 - p_0$ is negligible.

We reduce $\Gamma_1$ to $\Gamma_2$ where the challenger picks $s$ at random instead of taking the response from $H$. Since the query $(g, pk_{B_b}, pk_A, pk_A^{sk_{B_b}}, N)$ by the challenger is never done again, we have $p_1 = p_2$. Now, $b$ is never used in $\Gamma_2$. It means that $s$ is independent from $b$, so $p_2 = \frac{1}{2}$. Therefore, $p_0 - \frac{1}{2}$ is negligible.

□
Abstract. We introduce a new class of protocols called Proofs of Work or Knowledge (PoWorKs). In a PoWorK, a prover can convince a verifier that she has either performed work or that she possesses knowledge of a witness to a public statement without the verifier being able to distinguish which of the two has taken place. We formalize PoWorK in terms of three properties, completeness, $f$-soundness and indistinguishability (where $f$ is a function that determines the tightness of the proof of work aspect) and present a construction that transforms 3-move HVZK protocols into 3-move public-coin PoWorKs. To formalize the work aspect in a PoWorK protocol we define cryptographic puzzles that adhere to certain uniformity conditions, which may also be of independent interest. We instantiate our puzzles in the random oracle (RO) model as well as via constructing "dense" versions of suitably hard one-way functions.

We then showcase PoWorK protocols by presenting a number of applications. We first show how non-interactive PoWorKs can be used to reduce spam email by forcing users sending an e-mail to either prove to the mail server they are approved contacts of the recipient or to perform computational work. As opposed to previous approaches that applied proofs of work to this problem, our proposal of using PoWorKs is privacy-preserving as it hides the list of the receiver's approved contacts from the mail server. Our second application shows how PoWorK can be used to compose cryptocurrencies that are based on proofs of work ("Bitcoin-like") with cryptocurrencies that are based on knowledge relations (these include cryptocurrencies that are based on "proof of stake", and others). The resulting PoWorK-based cryptocurrency inherits the robustness properties of the underlying two systems while PoWorK-indistinguishability ensures a uniform population of miners. Finally, we show that PoWorK protocols imply straight-line quasi-polynomial simulatable arguments of knowledge and based on our construction we obtain an efficient straight-line concurrent 3-move statistically quasi-polynomial simulatable argument of knowledge.
1 Introduction

We introduce a new class of prover-verifier protocols where the prover wishes to convince the verifier that it is either in possession of a witness to a publicly known statement or that it has invested a certain amount of computational effort. A Proof of Work or Knowledge (PoWorK) enables the prover to achieve this objective while at the same time ensuring that the verifier is incapable of distinguishing which way the prover has followed: performing the work or exploiting her knowledge of the witness.

At an intuitive level a PoWorK protocol is a disjunction of a proof of work 
and a proof of knowledge. Proofs of knowledge are a fundamental notion in 
cryptography [GMR85] with a very wide array of applications in the design of 
cryptographic protocols. They have been studied extensively, both in terms of 
efficient constructions, e.g., [Sch89], as well as in terms of their composability 
with themselves or within larger protocols, see e.g., [CDS94,DNS98,CGGM00, 
Can01,CF01,Pas03,Pas04]. Proofs of work on the other hand, were first intro- 
duced in [DN92], further studied in [RSW96,Bac97, JB99,DGN03,CMSW09], 
and were primarily applied as a denial of service network or spam protection 
mechanism; recently they have also found important applications in building 
decentralized cryptocurrencies (notably Bitcoin [Nak08] but also many others). 

In an interactive proof protocol, we are interested primarily in two basic properties, soundness and zero-knowledge, that represent the adversarial objectives of the prover and the verifier respectively: the prover must not be able to convince the verifier of false statements, while the verifier should not extract any knowledge from interacting with the prover beyond what can be inferred from the public statement. An important class of prover-verifier protocols is the 3-move honest-verifier zero-knowledge (HVZK) protocols. They are three-move protocols that are "public-coin", i.e., the verifier in the second move merely selects a random value (drawn independently of the statement of the prover's first move) and submits it to the prover. 3-move HVZK protocols capture a very wide class of practical proofs of knowledge (including Schnorr's identification scheme [Sch89]), but also all languages in $\mathsf{NP}$ can be shown with a (computational) HVZK protocol via reduction to, e.g., the Hamiltonian cycle protocol [Blu87]. The class of $\Sigma$-protocols possesses very useful properties including being closed under conjunction and disjunction operations [CDS94].

Given the above, one may construct a PoWorK protocol for a language $\mathcal{L}$ as follows: the verifier samples a cryptographic puzzle, puz, and submits it to the prover. The prover provides a commitment and shows that she either possesses a witness $w$ showing that the statement $x$ belongs to $\mathcal{L}$ or that the commitment contains a solution to puz. It is easy to prove that this is a general four-move protocol that implements a PoWorK for any language $\mathcal{L}$ and any cryptographic puzzle. On the other hand, it is known that for zero-knowledge proofs, two-round protocols do not exist for non-trivial languages [GO94] and this result remains true even if the zero-knowledge property is relaxed to $O(\lambda^{\log^c(\lambda)})$-simulatability [Pas03], in the sense that only languages decidable in quasi-polynomial time may have two-round quasi-polynomial-time simulatable protocols.
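The four-move outline above, as an added worked example written for this page (it is not the paper's construction and not the authors' code): the disjunction is realised directly with the Cramer-Damgård-Schoenmakers OR-composition [CDS94] of two Schnorr proofs instead of through a separate commitment, so the prover shows "I know $\log_g Y$ OR I know $\log_g \mathsf{puz}$". The group (the order-$Q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2^{127}-1$), the toy puzzle (a discrete logarithm known to be smaller than $2^h$, found by exhaustive search) and every function name are assumptions of this example. A verifier sees the same transcript shape whether the prover used the witness or solved the puzzle, which is the indistinguishability the paper asks for.

```python
import secrets
from dataclasses import dataclass

# Toy group (assumption of this example): the subgroup of Z_p^* of order Q, where
# p = 2^127 - 1 is prime and Q = 77158673929 is a prime factor of 2^63 + 1, hence of p - 1.
P = (1 << 127) - 1
Q = 77158673929
G = pow(3, (P - 1) // Q, P)   # base 3: 2 has order 127 modulo this Mersenne prime
assert G != 1


def rand_zq() -> int:
    return secrets.randbelow(Q)


# Puzzle (constructed toy, not the paper's): find the small discrete log s < 2^h of puz = G^s.
def puzzle_sample(h: int) -> int:
    """Verifier's move 0: sample a puzzle; only puz is sent, the exponent is discarded."""
    return pow(G, secrets.randbelow(1 << h), P)


def puzzle_solve(h: int, puz: int):
    """Exhaustive search; returns (soln, steps) with steps = group operations spent."""
    cur = 1
    for s in range(1 << h):
        if cur == puz:
            return s, s + 1
        cur = cur * G % P
    return None, 1 << h


def puzzle_verify(h: int, puz: int, soln) -> bool:
    return soln is not None and 0 <= soln < (1 << h) and pow(G, soln, P) == puz


@dataclass
class Transcript:
    puz: int      # move 0: puzzle chosen by the verifier
    a: tuple      # move 1: (a_0, a_1) prover commitments
    c: int        # move 2: verifier's public coin
    resp: tuple   # move 3: ((c_0, z_0), (c_1, z_1))


def prover_commit(Y: int, puz: int, branch):
    """Move 1 of the CDS OR-proof for 'log Y known' (index 0) or 'log puz known' (index 1).
    branch = (index, witness). The other branch is simulated from a random (c_j, z_j)."""
    b, wit = branch
    stmt = (Y, puz)
    j = 1 - b
    r, c_j, z_j = rand_zq(), rand_zq(), rand_zq()
    a = [0, 0]
    a[b] = pow(G, r, P)                                    # real branch
    a[j] = pow(G, z_j, P) * pow(stmt[j], Q - c_j, P) % P   # simulated: g^z_j * stmt_j^(-c_j)
    return tuple(a), (b, wit, r, c_j, z_j)


def prover_respond(state, c: int):
    """Move 3: split the challenge so that c_0 + c_1 = c and answer the real branch honestly."""
    b, wit, r, c_j, z_j = state
    c_b = (c - c_j) % Q
    z_b = (r + c_b * wit) % Q
    resp = [None, None]
    resp[b] = (c_b, z_b)
    resp[1 - b] = (c_j, z_j)
    return tuple(resp)


def verify(Y: int, t: Transcript) -> bool:
    """Verifier's decision: the challenge split is consistent and both Schnorr equations hold."""
    stmt = (Y, t.puz)
    (c0, _), (c1, _) = t.resp
    if (c0 + c1) % Q != t.c:
        return False
    return all(pow(G, zi, P) == t.a[i] * pow(stmt[i], ci, P) % P
               for i, (ci, zi) in enumerate(t.resp))


def run_powork(Y: int, w=None, h: int = 12) -> Transcript:
    """Full 4-move run. w = witness for Y (PoK mode); w = None means PoW mode, where the
    prover invests about 2^h group operations to solve the verifier's puzzle instead."""
    puz = puzzle_sample(h)                     # move 0
    if w is not None:
        branch = (0, w)
    else:
        soln, _ = puzzle_solve(h, puz)         # the work
        branch = (1, soln)
    a, state = prover_commit(Y, puz, branch)   # move 1
    c = rand_zq()                              # move 2 (public coin)
    return Transcript(puz, a, c, prover_respond(state, c))   # move 3
```

The hardness parameter $h$ is deliberately tiny so the PoW branch runs in milliseconds; the construction itself does not depend on it. Note that `verify` never learns which branch was real, since both `(c_i, z_i)` pairs are uniformly distributed subject to `c_0 + c_1 = c`.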

1.1 Our Results 

We define and construct efficient three-move PoWorK protocols as well as relevant cryptographic puzzles. Moreover, we demonstrate how PoWorK can instantiate systems that reduce email spam while preserving user privacy, how they are useful in the composition of cryptocurrency systems and how they can give rise to concurrent simulatable protocols. In more detail:

Definition of PoWorKs. Our formalization entails two definitions, $f$-soundness and (statistical) indistinguishability. In $f$-soundness we require that any prover whose running time (in number of steps) is less than a specified parameter, calibrated according to the function $f$ of the running time of the puzzle solver, is guaranteed to lead to a knowledge extractor. The importance of the function $f$ is to provide a safe running time upper bound under which the complete protocol execution is successful only via an (a-priori) knowledge of the witness. Indistinguishability, on the other hand, ensures that a malicious verifier is incapable of discerning whether the prover performs the proof of work or possesses the knowledge of the witness. We note that timing issues are not taken into account in our model (i.e., we assume that the prover always takes the same amount of time to finish no matter which one of the two strategies it follows). What we do care about, though, is that the prover who performs a proof of work spends at least a certain amount of computational resources. Note that indistinguishability easily implies witness indistinguishability [FS90], and thus any PoWorK is also a witness indistinguishable protocol.

PoWorK Constructions. We present a three-move public-coin protocol instantiating a PoWorK given any 3-move HVZK protocol with special soundness. Our protocol transformation preserves the structure and round complexity of the given 3-move HVZK protocol. Observe that the verifier cannot simply provide a puzzle challenge since this would violate the public-coin characteristic of the protocol. To achieve our construction we require puzzle generation algorithms that have suitable uniformity characteristics; specifically, we require that the domain of puzzles (the "puzzle space") and the challenge space of the 3-move HVZK protocol are statistically very close (in terms of the distributions induced by the puzzle sampling algorithm and the verifier in the protocol). Given such a suitable puzzle distribution we present a protocol where the prover is capable of generating a puzzle on the fly (utilizing the verifier's public coins) and solving it, if she wishes. To establish the practicality of our approach we also construct puzzles that are "dense" within $\{0,1\}^\ell$ and hence consistent with the challenge space of many natural 3-move HVZK protocols. Our dense puzzle based PoWorK construction has the characteristic that it is black-box with respect to the underlying puzzle system (which is suitable for puzzles whose security is argued, say, in the RO model).


Definition and Instantiations of Puzzles. We give formal definitions of cryptographic puzzle systems PuzSys that are easy to generate, hard to solve, and easy to verify. We define additional properties like density and amortization resistance and we give two instantiations. Our first instantiation utilizes the random oracle model [BR93] while the second relies on complexity assumptions. More specifically, we use Universal One Way Hash Function families (UOWHF) [NY89] to build extractors with special properties, invoking a variant of the leftover hash lemma [Dod05]. We then combine this special extractor with suitably hard one-way functions to obtain our second puzzle instantiation; we present an instantiation of this methodology for the discrete-logarithm problem. As an intermediate result, which may be of independent interest, we show how to convert any arbitrary one-way function to a "dense" one-way function over $\{0,1\}^{\ell(\lambda)}$ for some $\ell(\cdot)$ and security parameter $\lambda \in \mathbb{Z}^+$ (cf. Theorem 3).

Our puzzle definitions are close in spirit to previous formalizations [RSW96,WJHF04,CMSW09,MMV11,BGJ+16] with the following distinctions. In [CMSW09] the hardness of a puzzle is defined as a monotonically increasing function that maps the running time of an adversary to the success rate of solving the puzzle. Contrary to this, our definition, motivated by our proof of knowledge application, imposes a sharp time threshold, below which the success rate of solving a puzzle becomes negligible. Also, contrary to time-lock puzzles [RSW96,WJHF04,MMV11,BGJ+16], we do not restrict the parallelizability of our puzzles, as such a feature does not hurt (and may even be desirable) in the PoWorK context. Parallelizable puzzles, like the ones we are focusing on here, have become very popular through their applications to cryptocurrencies. The requirement there is that the puzzle solver should spend a minimum of computational resources to find a solution to the puzzle (and may or may not choose to parallelize).


Applications. Generally speaking, PoWorKs can be used in applications where we would like to allow access either to "registered" or "approved" users (who know a witness) or to every user who is willing to invest computational effort. The key property of PoWorKs is that they enhance privacy since they do not leak the type of user (i.e. approved or not) to the entity that verifies access. A nice illustration of this type of application of PoWorKs is in regard to reducing spam email. Dwork and Naor proposed using proofs of work to control spam e-mails [DN92]. The gist of the idea is that every non-approved contact of a receiver would have to perform some work (i.e. invest computational effort) in order to send her an email. A downside of the method is that the mail server has to maintain an updated list of "approved contacts" for every user; this can be a privacy concern for the users (not to mention the cost of updating the approved contacts database). We show how, by using PoWorKs, one can still force the non-approved senders to perform work while preserving user privacy, since the mail server (who acts as a PoWorK verifier) will not be able to distinguish between approved and non-approved contacts because of the PoWorK indistinguishability property.

Our second application is related to cryptocurrencies based on blockchains to maintain the ledger of transactions. These systems can be naturally divided by the mechanism they use to produce the next block in the blockchain as follows: first there are "puzzle-based" ones (e.g., Bitcoin [Nak08] and many others that followed¹), and then there are "knowledge-based" ones, that include those² that use "proof-of-stake", "proof-of-activity" or another type of consensus mechanism that relies, e.g., on a public-key infrastructure, e.g., [BLMR14,DM16,Maz15]. We demonstrate how, given two cryptocurrencies $C_1, C_2$ of each type, one can use PoWorK to fuse them into a single cryptocurrency $C$ with the following properties: (i) in $C$, the miners that perform $C_1$-type mining are indistinguishable from those that perform $C_2$-type mining, (ii) $C$ would reach consensus in the sense of persistence of transactions in the ledger under the conjunction of the conditions under which systems $C_1, C_2$ would do so, (iii) $C$ would satisfy liveness under the disjunction of the conditions under which systems $C_1, C_2$ would do so.³ PoWorK-based cryptocurrencies that fuse the knowledge-based and the puzzle-based approach have novel features in the context of cryptocurrencies: for instance, by composing a regular Bitcoin-like cryptocurrency $C_1$ with a centralized cryptocurrency $C_2$ supported by a single authority, we get a cryptocurrency $C$ that resembles Bitcoin but has a trusted authority with a trapdoor that enables it to regulate and normalize the block production rate. Such systems may offer a more attractive solution for nation-states or central banks that wish to issue centralized cryptocurrencies but do not want to be constantly involved with block production and prefer to leave ledger maintenance to the public, while retaining the ability to issue blocks in case of an emergency situation (e.g., many miners go offline due to a software problem). The PoWorK indistinguishability property is critically useful in this setting, since it makes the regulation of the block production rate by the trusted party indistinguishable to everyone, thus ensuring that the trusted party's involvement will be unnoticed and hence will have no impact on the economy that the cryptocurrency supports.

Our third application relates to zero-knowledge protocols and concerns quasi-polynomial time straight-line simulatable arguments of knowledge. This class of protocols was introduced by [Pas03] and was motivated by the construction of concurrent zero-knowledge proofs in the plain model (as opposed to using a "setup" assumption). In [Pas03] a four-move argument of knowledge was presented that is quasi-polynomial time simulatable. We show that any suitable PoWorK protocol (see Theorem 1 for the precise formulation) implies quasi-polynomial time straight-line simulatable arguments of knowledge. Given our 3-move PoWorK construction, this immediately yields a 3-round protocol in this setting which is optimal in terms of efficiency (round complexity is optimal and computational overhead is just two exponentiations for prover and verifier in total when using the elliptic curves from [BHKL13]); we note that a similar result in terms of rounds can be obtained via a different route, specifically, via the efficient OR composition with an input-delayed $\Sigma$-protocol as recently observed in [CPS+16], however the resulting complexity overhead would be at least 5 exponentiations for prover and verifier in total when instantiated using discrete logarithms.


¹ E.g., Litecoin, Dogecoin, Ethereum, Dashcoin, etc.

² E.g., Peercoin, NXT, Nushares, Faircoin etc.

³ For definitions of properties like liveness and persistence of the ledger we refer to e.g., [GKL15,BMC+15].

Roadmap. The rest of this paper is organized as follows. In Sect. 2, we provide basic notation, and formalize cryptographic puzzles, the additional properties of dense samplable puzzles and the property of amortization resistance, as well as the notion of PoWorKs by defining completeness, $f$-soundness and indistinguishability. In Sect. 3, we present our efficient dense puzzle based construction built upon an arbitrary 3-move special sound HVZK protocol for a language $\mathcal{L}$ and some puzzle system, and prove that our construction achieves $f$-soundness and indistinguishability. In the same section, we present two dense puzzle instantiations. Finally, in Sect. 4, we describe the applications of PoWorKs. Namely, (i) a method to reduce the amount of spam email while preserving the privacy of the receiver, (ii) the composition of knowledge-based and puzzle-based cryptocurrencies that gives rise to PoWorK-based cryptocurrencies, (iii) an efficient 3-move straight-line concurrent statistically $\lambda^{\mathrm{poly}(\log \lambda)}$-simulatable argument of knowledge as defined in [Pas03,Pas04].

Alternative PoWorK Constructions. In the full version of this work [BKZZ15] we provide a second PoWorK construction based on the Lapidot-Shamir 3-move special sound computationally special HVZK protocol [LS90], which is less efficient than the dense puzzle based construction but works for all puzzle systems; note that this construction is not black-box with respect to the puzzle and, depending on the puzzle, may not be public-coin. A third way to construct PoWorKs can be derived from the recent efficient OR composition technique that was introduced in [CPS+16], which can be used with "input-delayed" $\Sigma$-protocols, where the statement need not be determined ahead of time. It is easy to see that in the case a puzzle accepts an "input-delayed" $\Sigma$ proof of knowledge of the puzzle solution (e.g., a puzzle based on discrete logarithms), a third possible construction method for PoWorKs is facilitated. We stress however that these alternative methods for constructing PoWorKs do not combine well with puzzles based on hash functions and thus may be of only theoretical interest in the context of our primitive.

2 Definitions 

We start by setting the notation to be used in the rest of the paper. By $\lambda$ we denote the security parameter and by $\mathsf{negl}(\cdot)$ the property that a function is negligible in some parameter. Let $z \xleftarrow{\$} Z$ denote the uniformly at random selection of $z$ from space $Z$ and $\Delta[X, Y]$ the statistical distance of random variables (or distributions) $X, Y$. Composition of functions is denoted by $\circ$.

Let $(\mathcal{P}(y) \leftrightarrow \mathcal{V})(x, z)$ denote the interaction between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$ on common input $x$, auxiliary input $z$, and $\mathcal{P}$'s private input $y$. For an algorithm $B$ that is part of an interactive protocol let $\mathsf{view}_B$ and $\mathsf{out}_B$ denote the view and the output of $B$ respectively. Let $\mathsf{Steps}_B(x)$ be the number of steps (i.e. machine/operation cycles) executed by algorithm $B$ on input $x$, and $\mathsf{Steps}_{\mathcal{P}}((\mathcal{P}(y) \leftrightarrow \mathcal{V})(x, z))$ be the number of steps of $\mathcal{P}$ when interacting on inputs $x, y, z$⁴. If $R_{\mathcal{L}}$ is a witness relation for the language $\mathcal{L} \in \mathsf{NP}$ (i.e. $R_{\mathcal{L}}$ is polynomial-time decidable and $(x, w) \in R_{\mathcal{L}}$ implies that $|w| \le \mathrm{poly}(|x|)$), we define the set of witnesses for the membership $x \in \mathcal{L}$ as $R_{\mathcal{L}}(x) = \{w : (x, w) \in R_{\mathcal{L}}\}$.


2.1 Cryptographic Puzzles 

Roughly speaking, a cryptographic puzzle should be easy to generate, hard to solve, and easy to verify. Given a specific security parameter $\lambda$, we denote the puzzle space as $\mathcal{PS}_\lambda$, the solution space as $\mathcal{SS}_\lambda$, and the hardness space as $\mathcal{HS}_\lambda$. We first define puzzles with a minimum set of properties, and then add extra properties that are useful in our constructions.

Definition 1. A puzzle system $\mathsf{PuzSys} = (\mathsf{Sample}, \mathsf{Solve}, \mathsf{Verify})$ consists of the following four algorithms:

- $\mathsf{Sample}(1^\lambda, h)$ is a probabilistic puzzle instance sampling algorithm. On input the security parameter $1^\lambda$ and a hardness factor $h \in \mathcal{HS}_\lambda$, it outputs a puzzle instance $\mathsf{puz} \in \mathcal{PS}_\lambda$.

- $\mathsf{Solve}(1^\lambda, h, \mathsf{puz})$ is a probabilistic puzzle solving algorithm. On input the security parameter $1^\lambda$, a hardness factor $h \in \mathcal{HS}_\lambda$ and a puzzle instance $\mathsf{puz} \in \mathcal{PS}_\lambda$, it outputs a potential solution $\mathsf{soln} \in \mathcal{SS}_\lambda$.

- $\mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln})$ is a deterministic puzzle verification algorithm. On input the security parameter $1^\lambda$, a hardness factor $h \in \mathcal{HS}_\lambda$, a puzzle instance $\mathsf{puz} \in \mathcal{PS}_\lambda$ and a potential solution $\mathsf{soln} \in \mathcal{SS}_\lambda$, it outputs true or false.

Subsequently, we define the following properties for a puzzle system. 


Completeness: We say that a puzzle system $\mathsf{PuzSys}$ is complete, if for every $h \in \mathcal{HS}_\lambda$:

$$\Pr\big[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h);\ \mathsf{soln} \leftarrow \mathsf{Solve}(1^\lambda, h, \mathsf{puz}) : \mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{false}\big] = \mathsf{negl}(\lambda).$$

Note that the number of steps that $\mathsf{Solve}$ takes to run is monotonically decreasing in the hardness factor $h$ and may exponentially depend on $\lambda$, while $\mathsf{Verify}$ should run in polynomial time in $\lambda$.

⁴ In this work we focus on parallelizable puzzles so counting in number of steps as opposed to actual running time is more intuitive.
$g$-Hardness: We say that a puzzle system $\mathsf{PuzSys}$ is $g$-hard for some function $g$, if for every adversary $\mathcal{A}$, for every auxiliary tape $z \in \{0,1\}^*$ and for every $h \in \mathcal{HS}_\lambda$:

$$\Pr\Big[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h);\ \mathsf{soln} \leftarrow \mathcal{A}(z, 1^\lambda, h, \mathsf{puz}) : \mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{true} \wedge \mathsf{Steps}_{\mathcal{A}}(z, 1^\lambda, h, \mathsf{puz}) < g\big(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})\big)\Big] = \mathsf{negl}(\lambda).$$


Dense Samplable Puzzles. In addition to the standard puzzle definition, for our PoWorK construction in Sect. 3 we need puzzles that can be sampled by just generating random strings (i.e. the puzzle instances should be "dense" over $\{0,1\}^{\ell(\lambda, h)}$ for some function $\ell$ and $\lambda, h \in \mathbb{Z}^+$). Formally it holds that for some function $\ell$ in $\lambda$ and $h$,

$$\Delta\big[\mathsf{Sample}(1^\lambda, h), U_{\ell(\lambda, h)}\big] = \mathsf{negl}(\lambda),$$

where $U_{\ell(\lambda, h)}$ stands for the uniform distribution over $\{0,1\}^{\ell(\lambda, h)}$. For such puzzles we will require some additional properties. First there should be a puzzle sampler that outputs a valid solution together with $\mathsf{puz}$:

- $\mathsf{SampleSol}(1^\lambda, h)$ is a probabilistic solved puzzle instance sampling algorithm. On input the security parameter $1^\lambda$ and a hardness factor $h \in \mathcal{HS}_\lambda$, it outputs a puzzle instance and solution pair $(\mathsf{puz}, \mathsf{soln}) \in \mathcal{PS}_\lambda \times \mathcal{SS}_\lambda$.

Correctness of Sampling: We say that a puzzle system $\mathsf{PuzSys}$ is correct with respect to sampling, if for every $h \in \mathcal{HS}_\lambda$, we have that:

$$\Pr\big[(\mathsf{puz}, \mathsf{soln}) \leftarrow \mathsf{SampleSol}(1^\lambda, h) : \mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{false}\big] = \mathsf{negl}(\lambda).$$

Efficiency of Sampling: We say $\mathsf{SampleSol}$ is efficient with respect to the puzzle $g$-hardness, if for every $\lambda \in \mathbb{Z}^+$, $h \in \mathcal{HS}_\lambda$ and $\mathsf{puz} \in \mathcal{PS}_\lambda$, we have that:

$$\mathsf{Steps}_{\mathsf{SampleSol}}(1^\lambda, h) < g\big(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})\big).$$


Statistical Indistinguishability: We define the following two probability distributions

$$\mathcal{D}_{S,\lambda,h} = \big\{(\mathsf{puz}, \mathsf{soln}) \leftarrow \mathsf{SampleSol}(1^\lambda, h)\big\} \quad \text{and}$$

$$\mathcal{D}_{P,\lambda,h} = \big\{\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h),\ \mathsf{soln} \leftarrow \mathsf{Solve}(1^\lambda, h, \mathsf{puz}) : (\mathsf{puz}, \mathsf{soln})\big\}.$$

We say a $\mathsf{PuzSys}$ is statistically indistinguishable, if for every $\lambda \in \mathbb{Z}^+$ and $h \in \mathcal{HS}_\lambda$:

$$\Delta\big[\mathcal{D}_{S,\lambda,h}, \mathcal{D}_{P,\lambda,h}\big] = \mathsf{negl}(\lambda).$$

$(\tau, k)$-Amortization Resistance. For certain applications it is important that the puzzle is not amenable to amortization. We say that a $g$-hard puzzle system, $\mathsf{PuzSys}$, is $(\tau, k)$-amortization resistant if for every adversary $\mathcal{A}$, for every auxiliary tape $z \in \{0,1\}^*$ and for every $h \in \mathcal{HS}_\lambda$:

$$\Pr\Big[\forall 1 \le i \le k : \mathsf{puz}_i \leftarrow \mathsf{Sample}(1^\lambda, h);\ \{\mathsf{soln}_1, \ldots, \mathsf{soln}_k\} \leftarrow \mathcal{A}(z, 1^\lambda, h, \{\mathsf{puz}_1, \ldots, \mathsf{puz}_k\}) : \big(\forall 1 \le i \le k : \mathsf{Verify}(1^\lambda, h, \mathsf{puz}_i, \mathsf{soln}_i) = \mathsf{true}\big) \wedge \mathsf{Steps}_{\mathcal{A}}\big(z, 1^\lambda, h, \{\mathsf{puz}_i\}_{i=1}^k\big) < \tau\Big(\sum_{i=1}^k g\big(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}_i)\big)\Big)\Big] = \mathsf{negl}(\lambda).$$

Informally, $(\tau, k)$-amortization resistance implies a lower bound on the hardness preservation against adversaries that attempt to benefit from solving vectors of puzzles of length $k$.

2.2 Definition of PoWorK

In a PoWorK, the prover $\mathcal{P}$ may interact with the verifier $\mathcal{V}$ by running in either
of the two following modes: (a) the Proof of Knowledge (PoK) mode, where $\mathcal{P}$
convinces $\mathcal{V}$ that she knows a witness for some statement $x$, or (b) the Proof
of WorK (PoW) mode, where $\mathcal{P}$ makes calls to the puzzle solving algorithm
to solve a certain puzzle. For some language in $\mathcal{NP}$ and a fixed puzzle system
PuzSys, we define PoWorK to satisfy: (i) completeness, (ii) $f$-soundness (for some
"computation-scaling" function $f$) and (iii) indistinguishability, as follows:

Definition 2 (PoWorK). Let $\mathcal{L}$ be a language in $\mathcal{NP}$ and $\mathcal{R}_{\mathcal{L}}$ be a witness
relation for $\mathcal{L}$. Let PuzSys = (Sample, Solve, Verify) be a puzzle system and $f$
be a function. We say that $(\mathcal{P}, \mathcal{V})$ is an $f$-sound Proof of Work or Knowledge
(PoWorK) for $\mathcal{L}$ and PuzSys, if the following properties are satisfied:

(i). Completeness: for every $x \in \mathcal{L} \cap \{0,1\}^{\mathrm{poly}(\lambda)}$, $w \in \mathcal{R}_{\mathcal{L}}(x)$, $z \in \{0,1\}^*$ and
every hardness factor $h \in \mathcal{HS}_\lambda$, it holds that

(i.a) $\Pr[\mathsf{out}_{\mathcal{V}} \leftarrow \langle \mathcal{P}(w) \leftrightarrow \mathcal{V} \rangle(x, z, h) : \mathsf{out}_{\mathcal{V}} = \mathsf{accept}] \ge 1 - 1/\mathrm{poly}(\lambda)$ and

(i.b) $\Pr[\mathsf{out}_{\mathcal{V}} \leftarrow \langle \mathcal{P}^{\mathsf{Solve}(1^\lambda, h, \cdot)} \leftrightarrow \mathcal{V} \rangle(x, z, h) : \mathsf{out}_{\mathcal{V}} = \mathsf{accept}] \ge 1 - 1/\mathrm{poly}(\lambda)$.

(ii). $f$-Soundness: For every $x \in \{0,1\}^{\mathrm{poly}(\lambda)}$, $y, z \in \{0,1\}^*$, every hardness
factor $h \in \mathcal{HS}_\lambda$ and prover $\mathcal{P}^*$ define by $\pi_{x,y,z,h,\lambda}$ the probability

$$\Pr\left[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h);\ \mathsf{out}_{\mathcal{V}} \leftarrow \langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h) : (\mathsf{out}_{\mathcal{V}} = \mathsf{accept}) \wedge \mathsf{Steps}_{\mathcal{P}^*}(\langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h)) < f(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}))\right].$$

$f$-Soundness holds if there are non-negligible functions $s, q$ such that for
any $\mathcal{P}^*$, there exists a PPT witness-extraction algorithm $\mathcal{K}$ such that for
any $\lambda \in \mathbb{N}$, $x \in \{0,1\}^{\mathrm{poly}(\lambda)}$, $z \in \{0,1\}^*$, $h \in \mathcal{HS}_\lambda$, if $\pi_{x,y,z,h,\lambda} > s(\lambda)$
(representing the knowledge error), then

$$\Pr[\mathcal{K}^{\mathcal{P}^*}(x, y, z, h) \in \mathcal{R}_{\mathcal{L}}(x)] > q(\lambda).$$

(iii). Statistical (resp. Computational) Indistinguishability: for every $x \in
\mathcal{L} \cap \{0,1\}^{\mathrm{poly}(\lambda)}$, $w \in \mathcal{R}_{\mathcal{L}}(x)$, $z \in \{0,1\}^*$, for every hardness factor $h \in \mathcal{HS}_\lambda$
and for every verifier (resp. PPT verifier) $\mathcal{V}^*$, the following two random
variables are statistically (resp. computationally) indistinguishable:

$$\mathcal{D}_{\mathrm{PoK}} \stackrel{\mathrm{def}}{=} \{\mathsf{view}_{\mathcal{V}^*} \leftarrow \langle \mathcal{P}(w) \leftrightarrow \mathcal{V}^* \rangle(x, z, h)\}$$

$$\mathcal{D}_{\mathrm{PoW}} \stackrel{\mathrm{def}}{=} \{\mathsf{view}_{\mathcal{V}^*} \leftarrow \langle \mathcal{P}^{\mathsf{Solve}(1^\lambda, h, \cdot)} \leftrightarrow \mathcal{V}^* \rangle(x, z, h)\}.$$
Intuitively, soundness is related to the hardness of solving a presumably hard
cryptographic puzzle. The hardness threshold $T$ is set to be the (probabilistic)
computational complexity (in number of steps) of the puzzle solver, when the
latter is provided some output of the puzzle sampling algorithm, scaled by some
function $f$. According to Definition 2, any prover who does not know a witness
cannot convince the verifier in fewer than $f(T)$ steps with good probability.
Observe that in the definition of $f$-soundness, the convincing capability of the
prover is limited by the hardness of solving puzzle challenges. This implies that
in an $f$-sound protocol, provers who do not know a witness (per the knowledge extractor)
are forced to "work" in order to convince the verifier. The indistinguishability
property of PoWorKs implies that a (potentially malicious) verifier cannot
distinguish the running mode (PoK or PoW) that $\mathcal{P}$ follows.

3 The Dense Puzzle Based PoWorK Construction

In this section, we show how to transform an arbitrary 3-move, public coin, special
sound, honest verifier zero-knowledge (SS-HVZK) protocol into a 3-move public-coin
PoWorK. Our construction is lightweight and requires the dense samplable puzzle
systems that we formalized in Sect. 2.1. In our full version [BKZZ15] we provide
a second construction which is less efficient and non-black-box in the puzzle, but
works for all puzzle systems and may not be public-coin (depending on the puzzle).
For both constructions, we consider a puzzle system PuzSys that achieves
completeness and $g$-hardness for some function $g : \mathbb{N} \to \mathbb{R}^+$. In addition, for
dense samplable puzzle systems, we require correctness, efficient samplability,
and statistical indistinguishability.


3.1 Preliminaries

The puzzle, solution and hardness spaces are denoted by $\mathcal{PS}_\lambda, \mathcal{SS}_\lambda,
\mathcal{HS}_\lambda$, as in Sect. 2.1. Our PoWorK protocols are interactive proofs between a prover $\mathcal{P}$ and
a verifier $\mathcal{V}$, denoted by $(\mathcal{P}, \mathcal{V})$.

The challenge space of our dense puzzle based construction $(\mathcal{P}, \mathcal{V})$, denoted
by $\mathcal{CS}_\lambda$, is determined by the security parameter $\lambda$. From an algebraic point
of view, $\mathcal{CS}_\lambda$ is set to be a group with operation $\oplus$, where performing $\oplus$ and
inverting an element should be efficient. For the first construction, we require
that $\mathcal{PS}_\lambda \subseteq \mathcal{CS}_\lambda$. For instance, we may set $\mathcal{CS}_\lambda$ as the group $(\mathrm{GF}(2^{\ell(\lambda)}), \oplus)$,
where $\ell(\lambda)$ is the length of the challenges and $\oplus$ is the bitwise XOR operation.
Of course, one may select a different setting which could be tailor made to the
algebraic properties of the underlying primitives.

Let ChSampler be the algorithm that samples a challenge from $\mathcal{CS}_\lambda$. For a
fixed security parameter, we define the following random variables (r.v.):

- The challenge sampling r.v. $C_{\lambda,h} \stackrel{\mathrm{def}}{=} \mathsf{ChSampler}(1^\lambda, h)$.

- The puzzle sampling r.v. $P_{\lambda,h} \stackrel{\mathrm{def}}{=} \{\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h) : \mathsf{puz}\}$.

Finally, we denote by $x \oplus D$ (resp. $D^{\mathsf{Inv}}$) the r.v. of performing $\oplus$ on some fixed
$x \in \mathcal{CS}_\lambda$ and an element $y$ sampled from r.v. $D$ (resp. inverting an element
sampled from $D$). The r.v. $D \oplus x$ is defined similarly. Formally,

$$x \oplus D \stackrel{\mathrm{def}}{=} \{y \leftarrow D : x \oplus y\}, \qquad D \oplus x \stackrel{\mathrm{def}}{=} \{y \leftarrow D : y \oplus x\}, \qquad D^{\mathsf{Inv}} \stackrel{\mathrm{def}}{=} \{y \leftarrow D : -y\}.$$

3.2 The Dense Puzzle Based Compiler

We now provide a detailed description of our protocol $(\mathcal{P}, \mathcal{V})$, which can
be viewed as a compiler that can transform a SS-HVZK protocol $\Pi =
(\mathsf{P1}_\Pi, \mathsf{P2}_\Pi, \mathsf{Ver}_\Pi)$ for $\mathcal{L} \in \mathcal{NP}$ and a $g$-hard puzzle system PuzSys into a 3-move
PoWorK. The resulting PoWorK protocol achieves $\Theta(g)$-hardness and statistical
indistinguishability. From a syntax point of view, our compiler will set the challenge
space of the PoWorK $\mathcal{CS}_\lambda$ to be equal to $\mathcal{CS}_\Pi$. We denote by $\mathsf{Sim}_\Pi$ the
HVZK simulator of $\Pi$.

The protocol $(\mathcal{P}, \mathcal{V})$ can be executed in either of the two following modes:

1. Proof of Knowledge (PoK) mode: $\mathcal{P}$ has a witness $w \in \mathcal{R}_{\mathcal{L}}(x)$ as private
input. In order to prove knowledge of $w$ to $\mathcal{V}$, $\mathcal{P}$ runs $\mathsf{P1}_\Pi$ and $\mathsf{P2}_\Pi$ as
described by the original SS-HVZK protocol, with the difference that instead
of providing $\mathsf{P2}_\Pi$ with the challenge $c$ from $\mathcal{V}$ directly, $\mathcal{P}$ runs the puzzle
sampler algorithm to receive a pair of a puzzle and its solution, $(\mathsf{puz}, \mathsf{soln})$,
computes the value $\hat{c} = c \oplus \mathsf{puz}$ and runs $\mathsf{P2}_\Pi$ with challenge $\hat{c}$.

2. Proof of Work (PoW) mode: $\mathcal{P}$ has no private input and tries to convince
$\mathcal{V}$ that it has performed a minimum amount of computational "work" (i.e.
at least some expected number of steps). To achieve this, $\mathcal{P}$ runs $\mathsf{Sim}_\Pi$ to
simulate a transcript $(a, \hat{c}, r)$ of the original SS-HVZK protocol. Then, it receives the
challenge $c$ from $\mathcal{V}$ and computes the value $\mathsf{puz} = (-c) \oplus \hat{c}$. It runs the Solve
algorithm on input puz, and if puz is a puzzle in $\mathcal{PS}_\lambda$ (which, as we argue
later, must occur with high probability), then it obtains a solution soln of
puz, except for some negligible error.

The verification mechanism must be the same for both modes, so that indistinguishability
can be achieved. Namely, the verifier checks that: (i) the relation
$\hat{c} = c \oplus \mathsf{puz}$ holds, (ii) the transcript of the SS-HVZK protocol is accepting and
(iii) the prover has output a correct pair of a puzzle puz and some solution soln
of puz. The protocol $(\mathcal{P}, \mathcal{V})$ is presented in detail in Fig. 1.


3.3 Security of the Dense Puzzle Based Construction

In order to prove that our protocol satisfies soundness and indistinguishability,
we need to assume that the challenge and puzzle distributions satisfy some
plausible properties and that the presumed $g$-hardness of the puzzle system
dominates the step complexity of the group operation and challenge sampling
algorithms. In detail, we require that:

(A). The challenge and puzzle sampling distributions are statistically close.
(a) Knowing the witness (PoK)

Statement: $x \in \mathcal{L} \cap \{0,1\}^{\mathrm{poly}(\lambda)}$.

Prover's private input: $w \in \mathcal{R}_{\mathcal{L}}(x)$.

$\mathcal{P}$: $(a, \phi_1) \leftarrow \mathsf{P1}_\Pi(w, x)$.

$\mathcal{P} \to \mathcal{V}$: $a$.

$\mathcal{V} \to \mathcal{P}$: $c \leftarrow \mathsf{ChSampler}(1^\lambda, h)$.

$\mathcal{P}$: • sample a puzzle-solution pair $(\mathsf{puz}, \mathsf{soln}) \leftarrow \mathsf{SampleSol}(1^\lambda, h)$;

• set $\hat{c} = c \oplus \mathsf{puz}$;

• execute $r \leftarrow \mathsf{P2}_\Pi(\phi_1, \hat{c})$.

$\mathcal{P} \to \mathcal{V}$: $\hat{c}, r, \mathsf{puz}, \mathsf{soln}$.

Verification:

1. $\hat{c} = c \oplus \mathsf{puz}$.

2. $\mathsf{Ver}_\Pi(x, a, \hat{c}, r) = 1$.

3. $\mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{true}$.

(b) Doing work (PoW)

Statement: $x \in \mathcal{L} \cap \{0,1\}^{\mathrm{poly}(\lambda)}$.

Prover's private input: —

$\mathcal{P}$: • execute $(a, \hat{c}, r) \leftarrow \mathsf{Sim}_\Pi(x)$.

$\mathcal{P} \to \mathcal{V}$: $a$.

$\mathcal{V} \to \mathcal{P}$: $c \leftarrow \mathsf{ChSampler}(1^\lambda, h)$.

$\mathcal{P}$: • set $\mathsf{puz} = (-c) \oplus \hat{c}$;

• compute a puzzle solution $\mathsf{soln} \leftarrow \mathsf{Solve}(1^\lambda, h, \mathsf{puz})$.

$\mathcal{P} \to \mathcal{V}$: $\hat{c}, r, \mathsf{puz}, \mathsf{soln}$.

Verification:

1. $\hat{c} = c \oplus \mathsf{puz}$.

2. $\mathsf{Ver}_\Pi(x, a, \hat{c}, r) = 1$.

3. $\mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{true}$.

Fig. 1. The Dense Puzzle Based PoWorK Construction for fixed security parameter $\lambda$
and pre-determined hardness factor $h \in \mathcal{HS}_\lambda$, given a 3-move SS-HVZK protocol $\Pi$
for language $\mathcal{L}$ and a dense samplable puzzle system PuzSys satisfying that $\mathcal{PS}_\lambda \subseteq
\mathcal{CS}_\lambda = \mathcal{CS}_\Pi$; ChSampler is the challenge sampling algorithm over $\mathcal{CS}_\lambda$.


(B). The challenge sampling distribution is (statistically) invariant to any
group operation, i.e. (a) inverting a challenge sampled from $\mathcal{CS}_\lambda$ and (b)
performing $\oplus$ operations on some element $x$ in $\mathcal{CS}_\lambda = \mathcal{CS}_\Pi$ and a sampled
challenge. Observe that these two assumptions imply that the puzzle
sampling distribution is also (statistically) $\oplus$-invariant.

(C). With high probability, the number of steps $\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})$ needed
to solve a $g$-hard puzzle puz sampled according to $P_{\lambda,h}$, scaled by the puzzle hardness
function $g$, is more than the number of steps of performing group operations
(inversion and $\oplus$ operation) or sampling from $\mathcal{CS}_\lambda$.

The assumptions described are stated formally in Fig. 2. Assumptions (A)
and (B) can be met for meaningful distributions, widely used in cryptographic
protocols. For example, when $C_{\lambda,h}$ and $P_{\lambda,h}$ are close to uniform, it is straightforward
that assumption (A) holds. Moreover, since the uniform distribution
is invariant under group operations, we have that assumption (B) also holds.
Assumption (C) is expected to hold for any meaningful cryptographic puzzle
construction. Indeed, if solving a puzzle is believed to be hard (on average)
within a bounded amount of steps $T$, then performing efficient tasks, such as
group operations or sampling a challenge in the space where this puzzle belongs,
must be feasible in a number of steps much less than $T$.
(A). For every hardness factor $h \in \mathcal{HS}_\lambda$, the r.v. $C_{\lambda,h}$ and $P_{\lambda,h}$ are $\epsilon_1$-statistically close,
where $\epsilon_1(\cdot)$ is a negligible function.

(B). For every $x \in \mathcal{CS}_\lambda$ and hardness factor $h \in \mathcal{HS}_\lambda$, the r.v. $C_{\lambda,h}$ is $\epsilon_2$-statistically close to
the r.v. $x \oplus C_{\lambda,h}$, $C_{\lambda,h} \oplus x$ and $C^{\mathsf{Inv}}_{\lambda,h}$, where $\epsilon_2$ is a negligible function.

(C). There exists a constant $\kappa < 1$ and a negligible function $\epsilon_3(\cdot)$ s.t. for every hardness factor
$h \in \mathcal{HS}_\lambda$ and every $r, r' \in \mathcal{CS}_\lambda$

$$\Pr[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h) : \kappa \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) > \mathsf{Steps}_{\mathsf{ChSampler}}(1^\lambda, h) + \mathsf{Steps}_{\mathsf{Inv}}(r) + \mathsf{Steps}_{\oplus}(r, r')] > 1 - \epsilon_3(\lambda),$$

where $\mathsf{Steps}_{\mathsf{Inv}}$, $\mathsf{Steps}_{\oplus}$ denote the number of steps needed for inversion and group operation
in $\mathcal{CS}_\lambda$.

Fig. 2. Assumptions for our Dense Puzzle Based PoWorK Construction, where $C_{\lambda,h}$
and $P_{\lambda,h}$ are the challenge sampling and the puzzle sampling distributions respectively.


We prove that our dense puzzle based construction is a PoWorK, assuming
(A), (B) and (C), the $g$-hardness of PuzSys and the soundness and ZK properties
of the original SS-HVZK protocol. The soundness of our protocol is in constant
relation with the hardness of PuzSys.

Theorem 1. Let $\mathcal{L}$ be a language in $\mathcal{NP}$ and let $\Pi = (\mathsf{P1}_\Pi, \mathsf{P2}_\Pi, \mathsf{Ver}_\Pi)$ be
a special-sound 3-move statistical HVZK protocol for $\mathcal{L}$, where the challenge
sampling distribution is uniform. Let PuzSys = (Sample, SampleSol, Solve, Verify)
be a dense samplable puzzle system that satisfies $g$-hardness for some function
$g$. Define $(\mathcal{P}, \mathcal{V})$ as the protocol described in Fig. 1 when built upon $\Pi$, PuzSys
and assume that (A), (B), (C) in Fig. 2 hold. Then, $(\mathcal{P}, \mathcal{V})$ is a $((1 - \kappa)/2) \cdot g$-sound
PoWorK for $\mathcal{L}$ and PuzSys with statistical indistinguishability, where $\kappa$ is
the constant defined in assumption (C).

Proof. Completeness: By the completeness of $\Pi$ and the correctness of PuzSys,
the dense puzzle based PoWorK construction is complete in the case that $\mathcal{P}$
executes the PoK mode of the protocol. Regarding the PoW mode, an honest
execution of PuzSys is incorrect only if either of the two following cases is true:

(i). $\mathsf{puz} = (-c) \oplus \hat{c} \in \mathcal{CS}_\lambda \setminus \mathcal{PS}_\lambda$, i.e. puz is not a puzzle. By assumptions (A),
(B) in Fig. 2, this happens with negligible probability, since

$$\Delta[P_{\lambda,h}, C_{\lambda,h}] < \epsilon_1(\lambda) \ \wedge\ \Delta[C_{\lambda,h}, C^{\mathsf{Inv}}_{\lambda,h} \oplus \hat{c}] < 2 \cdot \epsilon_2(\lambda) \ \Rightarrow\ \Delta[P_{\lambda,h}, C^{\mathsf{Inv}}_{\lambda,h} \oplus \hat{c}] < \epsilon_1(\lambda) + 2 \cdot \epsilon_2(\lambda),$$

where we applied (B) two times (one for inversion and one for the $\oplus$ operation).

(ii). puz is a puzzle, but the puzzle solver algorithm Solve does not output a
solution for puz. Namely, we have that $\mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}) = \mathsf{false}$. By the
completeness property of PuzSys, this also happens with negligible probability.

Therefore, $(\mathcal{P}, \mathcal{V})$ achieves completeness with high probability, as required in
Definition 2.

$((1 - \kappa)/2) \cdot g$-Soundness. First, we make use of the special soundness PPT
extractor $\mathcal{K}_\Pi$ of $\Pi$ to construct a knowledge extractor $\mathcal{K}$ that on input $(x, y, z, h)$
and given the code of an arbitrary prover $\mathcal{P}$, executes the following steps:

1. By applying standard rewinding, $\mathcal{K}$ interacts with $\mathcal{P}(y)$ for statement
$x$ and auxiliary input $z$, using two challenges $c_1, c_2$ sampled from
$C_{\lambda,h}$ and receives two protocol transcripts $(a_1, c_1, (\hat{c}_1, r_1, \mathsf{puz}_1, \mathsf{soln}_1))$ and
$(a_1, c_2, (\hat{c}_2, r_2, \mathsf{puz}_2, \mathsf{soln}_2))$.

2. $\mathcal{K}$ runs $\mathcal{K}_\Pi$ on input $(x, (a_1, \hat{c}_1, r_1), (a_1, \hat{c}_2, r_2))$.

3. $\mathcal{K}$ returns the output of $\mathcal{K}_\Pi$.

Since $\mathcal{K}_\Pi$ is a PPT algorithm, $\mathcal{K}$ also runs in polynomial time.

Assume that for some $x \in \{0,1\}^{\mathrm{poly}(\lambda)}$, $y \in \{0,1\}^*$, $z \in \{0,1\}^*$, $h \in \mathcal{HS}_\lambda$,
there exists a prover $\mathcal{P}^*$ and a non-negligible function $s(\cdot)$ s.t.

$$\Pr[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h);\ \mathsf{out}_{\mathcal{V}} \leftarrow \langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h) : (\mathsf{out}_{\mathcal{V}} = \mathsf{accept}) \wedge \mathsf{Steps}_{\mathcal{P}^*}(\langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h)) < ((1 - \kappa)/2) \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}))] > s(\lambda).$$

We construct an algorithm $\mathcal{W}$ that makes use of $\mathcal{P}^*$ to break the $g$-hardness
of PuzSys. The input that $\mathcal{W}$ receives is $((x, y, z), 1^\lambda, h, \mathsf{puz})$, where $(x, y, z)$ is
the auxiliary input and puz is sampled from $\mathsf{Sample}(1^\lambda, h)$. Then, $\mathcal{W}$ executes the
following steps:

1. It samples $c_1$ by running $\mathsf{ChSampler}(1^\lambda, h)$.

2. It interacts with $\mathcal{P}^*(y)$ for statement $x$, auxiliary input $z$, hardness factor $h$
and challenge $c_1$. It receives the transcript $(a_1, c_1, (\hat{c}_1, r_1, \mathsf{puz}_1, \mathsf{soln}_1))$.

3. It computes the inverse of puz, denoted by $(-\mathsf{puz})$.

4. It computes $c_2 = \hat{c}_1 \oplus (-\mathsf{puz})$.

5. It rewinds $\mathcal{P}^*$ at the challenge phase and provides $\mathcal{P}^*$ with challenge $c_2$. It
receives a second transcript $(a_1, c_2, (\hat{c}_2, r_2, \mathsf{puz}_2, \mathsf{soln}_2))$.

6. It returns the value $\mathsf{soln}_2$.

By the assumption for $\mathcal{P}^*$ and the splitting Lemma, we have that when $\mathcal{P}^*$ is
challenged with two honestly selected $c_1, c_2$, it outputs two accepting transcripts
by running in no more than $((1 - \kappa)/2) \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}))$ steps with at
least $(s(\lambda)/2)^2$ probability. By Equal we denote the event that this happens and
$\hat{c}_1 = \hat{c}_2$ holds. Obviously, either Equal or $\neg$Equal will occur with probability at
least $(s(\lambda)/2)^2/2 = s(\lambda)^2/8$.

Assume that Equal happens with at least $s(\lambda)^2/8$ probability. We will show
that this case leads to a contradiction; namely, $\mathcal{W}$ will output a solution of puz
while running in no more than $g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}))$ steps, hence breaking the
$g$-hardness of PuzSys.




F. Baldimtsi et al. 


We observe that for any puz, if both transcripts generated by the interaction
with $\mathcal{P}^*$ are accepting and the values $\hat{c}_1, \hat{c}_2$ are equal, then we have that

$$(c_2 = \hat{c}_1 \oplus (-\mathsf{puz})) \wedge (\hat{c}_2 = c_2 \oplus \mathsf{puz}_2) \wedge (\hat{c}_1 = \hat{c}_2) \ \Rightarrow\ \mathsf{puz}_2 = -(-\mathsf{puz}) = \mathsf{puz},$$

where the second equality holds due to verification step 1. Therefore, it holds
that

$$\mathsf{Verify}(1^\lambda, h, \mathsf{puz}_2, \mathsf{soln}_2) = \mathsf{true} \ \Leftrightarrow\ \mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}_2) = \mathsf{true}. \qquad (1)$$

By the assumptions (A), (B) in Fig. 2, we have that there are negligible
functions $\epsilon_1(\lambda), \epsilon_2(\lambda)$ s.t. for any $\hat{c}_1$ that $\mathcal{P}^*$ returns,

$$\Delta[\hat{c}_1 \oplus C^{\mathsf{Inv}}_{\lambda,h},\ \hat{c}_1 \oplus P^{\mathsf{Inv}}_{\lambda,h}] < 2\epsilon_1(\lambda) \quad \text{and} \quad \Delta[C_{\lambda,h},\ \hat{c}_1 \oplus C^{\mathsf{Inv}}_{\lambda,h}] < 2\epsilon_2(\lambda),$$

where in the first and second inequality, we applied assumptions (A) and (B)
respectively two times (one for inversion and one for the $\oplus$ operation). Therefore,
by the triangle inequality we have that

$$\Delta[C_{\lambda,h},\ \hat{c}_1 \oplus P^{\mathsf{Inv}}_{\lambda,h}] < 2\epsilon_1(\lambda) + 2\epsilon_2(\lambda). \qquad (2)$$

Eq. (2) implies that the probability distribution of $c_2 = \hat{c}_1 \oplus (-\mathsf{puz})$ that $\mathcal{W}$ computes
is $[2\epsilon_1(\cdot) + 2\epsilon_2(\cdot)]$-statistically close to the challenge sampling distribution
of $\mathcal{V}$.

By construction, the running time of $\mathcal{W}$ (in number of steps) is at most

$$2 \cdot \mathsf{Steps}_{\mathcal{P}^*}(\langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h)) + \mathsf{Steps}((-\mathsf{puz})) + \mathsf{Steps}(\hat{c}_1 \oplus (-\mathsf{puz})) + \mathsf{Steps}_{\mathsf{ChSampler}}(1^\lambda, h).$$

By assumption (C) in Fig. 2, there is a negligible function $\epsilon_3(\cdot)$ and a constant
$\kappa < 1$ s.t.

$$\Pr[\mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h) : \kappa \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) < \mathsf{Steps}_{\mathsf{ChSampler}}(1^\lambda, h) + \mathsf{Steps}((-\mathsf{puz})) + \mathsf{Steps}(\hat{c}_1 \oplus (-\mathsf{puz}))] < \epsilon_3(\lambda). \qquad (3)$$

When Equal occurs, then it holds that

$$\mathsf{Steps}_{\mathcal{P}^*}(\langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h)) < ((1 - \kappa)/2) \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})),$$

hence by the assumption for $\mathcal{P}^*$ and Eqs. (2) and (3), the probability that the
running time of $\mathcal{W}$ is bounded by

$$\begin{aligned} \mathsf{Steps}_{\mathcal{W}}(1^\lambda, (x, y, z), h, \mathsf{puz}) &< 2 \cdot \mathsf{Steps}_{\mathcal{P}^*}(\langle \mathcal{P}^*(y) \leftrightarrow \mathcal{V} \rangle(x, z, h)) + \kappa \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) \\ &< (2 \cdot ((1 - \kappa)/2)) \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) + \kappa \cdot g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) \\ &= g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})), \end{aligned}$$

is at least $\Pr[\mathsf{Equal}] - (2\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_3(\lambda))$. By Eqs. (1), (2) and (3), and
the assumption $\Pr[\mathsf{Equal}] \ge s(\lambda)^2/8$, we have that for auxiliary tape $(x, y, z)$
and hardness factor $h$:

$$\Pr\left[\begin{array}{l} \mathsf{puz} \leftarrow \mathsf{Sample}(1^\lambda, h);\ \mathsf{soln}^* \leftarrow \mathcal{W}(1^\lambda, (x, y, z), h, \mathsf{puz}) : \\ \mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln}^*) = \mathsf{true} \ \wedge\ \mathsf{Steps}_{\mathcal{W}}(1^\lambda, (x, y, z), h, \mathsf{puz}) < g(\mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz})) \end{array}\right] \ge s(\lambda)^2/8 - (2\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_3(\lambda)),$$

which contradicts the $g$-hardness of PuzSys, as $s(\lambda)^2/8 - (2\epsilon_1(\lambda) + 2\epsilon_2(\lambda) +
\epsilon_3(\lambda))$ is a non-negligible function. Therefore, it holds that $\Pr[\mathsf{Equal}] < s(\lambda)^2/8$,
which implies

$$\Pr[\neg\mathsf{Equal}] \ge s(\lambda)^2/8. \qquad (4)$$

By the construction of $\mathcal{K}$ and the special soundness property of $\Pi$, we have
that $\mathcal{K}$ will return a witness for $x$ whenever $\mathcal{K}_\Pi$ is provided with different $\hat{c}_1, \hat{c}_2$.
Define $q(\lambda) = s(\lambda)^2/8$. By Eq. (4), when $\mathcal{K}$ is given oracle access to $\mathcal{P}^*$ it holds
that

$$\Pr[\mathcal{K}^{\mathcal{P}^*}(x, y, z, h) \in \mathcal{R}_{\mathcal{L}}(x)] = \Pr[\neg\mathsf{Equal}] \ge q(\lambda).$$

Thus, we conclude that our protocol is $((1 - \kappa)/2) \cdot g$-sound.

Statistical Indistinguishability. Assume that the protocol described in Fig. 1
does not satisfy the PoWorK indistinguishability property in Definition 2. Then,
for some $(x, z, h)$ there exists a verifier $\mathcal{V}^*$ that w.l.o.g. outputs a single bit and
can distinguish between:

$$\mathcal{D}_{\mathrm{PoK}} = \{\mathsf{view}_{\mathcal{V}^*} \leftarrow \langle \mathcal{P}(w) \leftrightarrow \mathcal{V}^* \rangle(x, z, h)\} \quad \text{and} \quad \mathcal{D}_{\mathrm{PoW}} = \{\mathsf{view}_{\mathcal{V}^*} \leftarrow \langle \mathcal{P}^{\mathsf{Solve}(1^\lambda, h, \cdot)} \leftrightarrow \mathcal{V}^* \rangle(x, z, h)\}$$

with non-negligible advantage $\eta(\lambda)$.

In the following, we will show that if such a $\mathcal{V}^*$ exists, then we can construct
an adversary $\mathcal{B}$ who breaks the statistical (auxiliary input) HVZK property of
the underlying 3-move protocol $\Pi = (\mathsf{P1}_\Pi, \mathsf{P2}_\Pi, \mathsf{Ver}_\Pi)$. This means that $\mathcal{B}$ can
distinguish between:

$$\mathcal{D}_\Pi = \{(a, \phi_1) \leftarrow \mathsf{P1}_\Pi(w, x);\ \hat{c} \leftarrow \mathcal{CS}_\Pi;\ r \leftarrow \mathsf{P2}_\Pi(\phi_1, \hat{c}) : (a, \hat{c}, r)\} \quad \text{and} \quad \mathcal{D}_{\mathrm{Sim}} = \{(a, \hat{c}, r) \leftarrow \mathsf{Sim}_\Pi(x, (z, h)) : (a, \hat{c}, r)\}$$

with some non-negligible advantage $\eta'(\lambda)$, where $(z, h)$ is the auxiliary input.
Namely, $\mathcal{B}$ takes as input $(x, (z, h), (a, \hat{c}, r))$, and works as follows:

1. Invokes $\mathcal{V}^*$ with input $x, z, h$ and first move message $a$.

2. $\mathcal{V}^*$ responds back with his challenge $c$.

3. $\mathcal{B}$ computes $\mathsf{puz} = (-c) \oplus \hat{c}$ and runs Solve on input $(1^\lambda, h, \mathsf{puz})$ to receive
back soln.

4. $\mathcal{B}$ sends $(\hat{c}, r, \mathsf{puz}, \mathsf{soln})$ to $\mathcal{V}^*$.

5. $\mathcal{B}$ returns $\mathcal{V}^*$'s output $b^*$.

By construction of $\mathcal{B}$, what is left to argue is that $\mathsf{puz} = (-c) \oplus \hat{c}$ and
$\mathsf{soln} \leftarrow \mathsf{Solve}(1^\lambda, h, \mathsf{puz})$ are indistinguishable from a pair $(\mathsf{puz}', \mathsf{soln}')$ that was
picked by $\mathsf{SampleSol}(1^\lambda, h)$. We study the following two cases:

1. $\mathcal{B}$'s input is sampled according to $\mathcal{D}_\Pi$. By assumption (B) in Fig. 2 and
for any $c$ returned by $\mathcal{V}^*$, we have that:

$$\Delta[C_{\lambda,h},\ C^{\mathsf{Inv}}_{\lambda,h} \oplus \hat{c}] < 2\epsilon_2(\lambda),$$

where we applied (B) two times (one for inversion and one for the $\oplus$ operation).
By assumption (A), we have that

$$\Delta[C_{\lambda,h},\ P_{\lambda,h}] < \epsilon_1(\lambda).$$

By the triangle inequality, we have that for the distribution of $\mathsf{puz} = (-c) \oplus \hat{c}$, it holds that

$$\Delta[P_{\lambda,h},\ C^{\mathsf{Inv}}_{\lambda,h} \oplus \hat{c}] < \epsilon_1(\lambda) + 2\epsilon_2(\lambda).$$

By the statistical indistinguishability property of PuzSys (Definition 1),
we have that the distribution $\{\mathsf{soln} \leftarrow \mathsf{Solve}(1^\lambda, h, \mathsf{puz}) : \mathsf{soln}\}$ is $\epsilon_4(\lambda)$-statistically
close to the distribution $\{(\mathsf{soln}', \mathsf{puz}') \leftarrow \mathsf{SampleSol}(1^\lambda, h) : \mathsf{soln}'\}$,
for some negligible function $\epsilon_4$. Consequently, the probability distribution of
puz that $\mathcal{B}$ computes is $[\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_4(\lambda)]$-statistically close to the puzzle
sampling distribution.

2. $\mathcal{B}$'s input is sampled according to $\mathcal{D}_{\mathrm{Sim}}$. In this case, it is straightforward
that $\mathcal{B}$ simulates perfectly the PoW mode of the PoWorK protocol.

By the above and given that the probability of success of $\mathcal{V}^*$ is at least $\eta(\lambda)$,
we have that

$$\begin{aligned} &\left| \Pr[(a, \hat{c}, r) \leftarrow \mathcal{D}_\Pi : \mathcal{B}(x, (z, h), a, \hat{c}, r) = 1] - \Pr[(a, \hat{c}, r) \leftarrow \mathcal{D}_{\mathrm{Sim}} : \mathcal{B}(x, (z, h), a, \hat{c}, r) = 1] \right| \ge \\ &\ge \big(\Pr[\mathsf{view}_{\mathcal{V}^*} \leftarrow \mathcal{D}_{\mathrm{PoK}} : \mathcal{V}^*(\mathsf{view}_{\mathcal{V}^*}) = 1] - (\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_4(\lambda))\big) - \Pr[\mathsf{view}_{\mathcal{V}^*} \leftarrow \mathcal{D}_{\mathrm{PoW}} : \mathcal{V}^*(\mathsf{view}_{\mathcal{V}^*}) = 1] \ge \\ &\ge \Pr[\mathsf{view}_{\mathcal{V}^*} \leftarrow \mathcal{D}_{\mathrm{PoK}} : \mathcal{V}^*(\mathsf{view}_{\mathcal{V}^*}) = 1] - \Pr[\mathsf{view}_{\mathcal{V}^*} \leftarrow \mathcal{D}_{\mathrm{PoW}} : \mathcal{V}^*(\mathsf{view}_{\mathcal{V}^*}) = 1] - (\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_4(\lambda)) \ge \\ &\ge \eta(\lambda) - (\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_4(\lambda)). \end{aligned}$$

Therefore, $\mathcal{B}$ is successful in breaking the statistical HVZK property of the
underlying 3-move SS-HVZK protocol with non-negligible advantage $\eta'(\lambda) =
\eta(\lambda) - (\epsilon_1(\lambda) + 2\epsilon_2(\lambda) + \epsilon_4(\lambda))$. This leads us to the conclusion that the protocol
in Fig. 1 is a PoWorK with statistical indistinguishability. □
Remark. Theorem 1 can be extended to encompass the case where the protocol
$\Pi$ to be compiled in the construction described in Fig. 1 achieves $T(\lambda)$-computational
HVZK, i.e. it is HVZK for every verifier $\mathcal{B}$ which runs in $T(\lambda)$
steps. Specifically, in the indistinguishability proof the running time of the HVZK
adversary $\mathcal{B}$ is (in number of steps) bounded by:

$$\mathsf{Steps}_{\mathcal{V}^*}(\langle (\mathsf{P1}_\Pi, \mathsf{P2}_\Pi)(w), \mathsf{Ver}_\Pi(c) \rangle(x, z, h)) + \mathsf{Steps}_{\mathsf{Inv}}(c) + \mathsf{Steps}_{\oplus}((-c), \hat{c}) + \mathsf{Steps}_{\mathsf{Solve}}(1^\lambda, h, \mathsf{puz}).$$

Therefore, we can prove that if $T(\lambda)$ is an asymptotically larger function than the
time of the puzzle solving algorithm, then our dense puzzle based construction
achieves computational indistinguishability.

3.4 Dense Puzzle Instantiation in the Random Oracle Model

We now instantiate a dense puzzle system in the random oracle model. For a
given security parameter $\lambda$, let $\mathcal{O} : \{0,1\}^* \mapsto \{0,1\}^m$ be a random oracle, where
$m > \lambda/2$. Our dense puzzle system is described in Fig. 3.

Theorem 2. Let $\lambda \in \mathbb{Z}^+$ be the security parameter. Define $\mathcal{PS}_\lambda = \{0,1\}^\lambda$,
$\mathcal{SS}_\lambda = \{0,1\}^\lambda$, and $\mathcal{HS}_\lambda = [\log^2 \lambda, \lambda/4]$. Let $\mathcal{O}$ be a random oracle mapping
from $\{0,1\}^*$ to $\{0,1\}^m$ where $m > \lambda/2$. For any $h \in \mathcal{HS}_\lambda$, the puzzle system
PuzSys described in Fig. 3 is correct, complete with Solve's running time
$2^{h + 2\log\lambda}$, efficiently samplable, statistically indistinguishable, and $g$-hard, where
$g(T) = T^{1/c}$, for any constant $c > 2$. In addition, for any $k$ that is $O(2^{\lambda/8})$,
PuzSys is $(\mathsf{id}(\cdot), k)$-amortization resistant, where $\mathsf{id}(\cdot)$ is the identity function.

Proof. Please see the full version [BKZZ15].


Define $\mathcal{PS}_\lambda = \{0,1\}^\lambda$, $\mathcal{SS}_\lambda = \{0,1\}^\lambda$, and $\mathcal{HS}_\lambda = [\log^2 \lambda, \lambda/4]$. Let $H(\cdot) :=
\mathsf{LSB}_{\lambda/2}(\mathcal{O}(\cdot))$, where $\mathsf{LSB}_k$ stands for the $k$ least significant bits.

- $\mathsf{Sample}(1^\lambda, h)$: Return $\mathsf{puz} \leftarrow \{0,1\}^\lambda$.

- $\mathsf{SampleSol}(1^\lambda, h)$: Pick random $x \leftarrow \{0,1\}^\lambda$ and $y \leftarrow \{0,1\}^{\lambda/2}$. Return $\mathsf{puz} =
(H(x, y), y)$ and $\mathsf{soln} = x$.

- $\mathsf{Solve}(1^\lambda, h, \mathsf{puz})$:

• Parse puz to $(z, y)$; set $\mathsf{soln} = \bot$ and initialize an empty set $X$.

• For $\mathsf{ctr} = 1, \ldots, 2^{h + 2\log\lambda}$: randomly pick $x \leftarrow \{0,1\}^\lambda \setminus X$, and add $x$ to $X$. Set $\mathsf{soln} = x$ if $\mathsf{LSB}_h(z) =
\mathsf{LSB}_h(H(x, y))$.

• Return soln.

- $\mathsf{Verify}(1^\lambda, h, \mathsf{puz}, \mathsf{soln})$: Parse puz to $(z, y)$. Return true if and only if $\mathsf{LSB}_h(z) =
\mathsf{LSB}_h(H(\mathsf{soln}, y))$.

Fig. 3. The Dense Puzzle system from the random oracle $\mathcal{O}$.
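As an added example (not code from the paper), the following Python puts the Fig. 1 compiler of Sect. 3.2 on top of Schnorr's Σ-protocol, using the Fig. 3 puzzle with SHA-256 standing in for the random oracle $\mathcal{O}$; it uses toy parameters $\lambda = 32$, $h = 8$ and $\mathcal{CS}_\lambda = (\mathrm{GF}(2^{32}), \oplus)$, so $-c = c$. All function names, the group $\mathbb{Z}_P^*$ with $P = 2^{127} - 1$ and the Schnorr instantiation of $\Pi$ are this example's assumptions.

```python
"""Added example: the Fig. 1 compiler applied to Schnorr's protocol, using the
Fig. 3 puzzle with SHA-256 standing in for the random oracle O (toy sizes)."""
import hashlib
import secrets

LAM = 32                         # security parameter lambda (toy; not a real choice)
HALF = LAM // 2
LOG_LAM = LAM.bit_length() - 1   # log2(lambda) = 5
P = (1 << 127) - 1               # Mersenne prime M127; Schnorr lives in Z_P^* (assumption)
G = 3

# ---------- Fig. 3 dense puzzle over PS = {0,1}^lambda; CS = (GF(2^lambda), xor) ----------
def H(x, y):
    """H(x,y) = LSB_{lambda/2}(O(x||y)) with SHA-256 as O (assumption of this example)."""
    data = x.to_bytes(LAM // 8, "big") + y.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << HALF) - 1)

def lsb(v, h):
    return v & ((1 << h) - 1)

def parse(puz):
    return puz >> HALF, puz & ((1 << HALF) - 1)   # puz = (z, y)

def sample(h):
    return secrets.randbits(LAM)                   # dense: just a uniform string

def sample_sol(h):
    x, y = secrets.randbits(LAM), secrets.randbits(HALF)
    return (H(x, y) << HALF) | y, x                # puz = (H(x,y), y), soln = x

def solve(h, puz):
    z, y = parse(puz)
    tried = set()
    for _ in range(1 << (h + 2 * LOG_LAM)):        # 2^{h + 2 log lambda} trials
        x = secrets.randbits(LAM)
        if x in tried:
            continue
        tried.add(x)
        if lsb(z, h) == lsb(H(x, y), h):
            return x                               # Fig. 3 keeps looping; same result
    return None                                    # soln = bottom

def verify(h, puz, soln):
    if soln is None:
        return False
    z, y = parse(puz)
    return lsb(z, h) == lsb(H(soln, y), h)

# ---------- Schnorr as Pi = (P1, P2, Ver) plus its HVZK simulator Sim ----------
def p1(w):
    t = secrets.randbelow(P - 1)
    return pow(G, t, P), (t, w)                    # (a, phi_1)

def p2(phi_1, c):
    t, w = phi_1
    return (t + c * w) % (P - 1)                   # exponents reduced mod P-1 (Fermat)

def ver(pub, a, c, r):
    return pow(G, r, P) == a * pow(pub, c, P) % P

def sim(pub):
    c, r = secrets.randbits(LAM), secrets.randbelow(P - 1)
    a = pow(G, r, P) * pow(pow(pub, c, P), P - 2, P) % P    # a = G^r * pub^{-c}
    return a, c, r                                 # simulated (a, c_hat, r)

# ---------- Fig. 1 compiler: one verifier check serves both modes ----------
def prover_first(mode, pub, w):
    if mode == "PoK":
        a, phi_1 = p1(w)
        return a, {"phi_1": phi_1}
    a, c_hat, r = sim(pub)                         # PoW: simulate the Pi transcript
    return a, {"c_hat": c_hat, "r": r}

def prover_third(mode, h, c, st):
    """In GF(2^lambda) every element is its own inverse, so (-c) xor c_hat = c xor c_hat."""
    if mode == "PoK":
        puz, soln = sample_sol(h)
        c_hat = c ^ puz
        return c_hat, p2(st["phi_1"], c_hat), puz, soln
    puz = c ^ st["c_hat"]
    return st["c_hat"], st["r"], puz, solve(h, puz)

def verifier_check(h, pub, a, c, c_hat, r, puz, soln):
    return c_hat == c ^ puz and ver(pub, a, c_hat, r) and verify(h, puz, soln)

def run(mode, h=8):
    """One 3-move execution; returns True iff V accepts.  w is never used in PoW mode."""
    w = secrets.randbelow(P - 2) + 1
    pub = pow(G, w, P)                              # statement x = pub, witness w
    a, st = prover_first(mode, pub, w if mode == "PoK" else None)
    c = secrets.randbits(LAM)                       # ChSampler: uniform over GF(2^lambda)
    c_hat, r, puz, soln = prover_third(mode, h, c, st)
    return verifier_check(h, pub, a, c, c_hat, r, puz, soln)
```

Both run("PoK") and run("PoW") pass the same verifier_check, which is the point of Sect. 3.2: the verifier's three checks cannot tell the two modes apart.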
3.5 Dense Puzzle Instantiation from Complexity Assumptions

In this section, we show how to construct a puzzle system whose puzzle instance
distribution is statistically close to the uniform distribution (over $\{0,1\}^{m(\lambda)}$)
without random oracles. The main challenge is, given an arbitrary oneway function
$\psi : \mathcal{X} \mapsto \mathcal{Y}$, to build another oneway function with uniform output distribution
(on random inputs) while still maintaining its onewayness. As an
intuition, we would like to first map the output of the given oneway function
from $\mathcal{Y}$ to $\{0,1\}^\ell$ using an efficient injective map (which is usually the
bit representation of $y \in \mathcal{Y}$), and then apply a strong extractor on it. Let
$\mathsf{Ext} : \{0,1\}^\ell \times \{0,1\}^d \mapsto \{0,1\}^m$ be a strong extractor as defined in Definition 3.

Definition 3. A function $\mathsf{Ext} : \{0,1\}^\ell \times \{0,1\}^d \mapsto \{0,1\}^m$ is a $(t, \epsilon)$-strong extractor
if for any $t$-source $X$ (over $\{0,1\}^\ell$), we have $\Delta[(S, \mathsf{Ext}(X, S)), (S, U_m)] \le \epsilon$,
where $S \leftarrow \{0,1\}^d$ and $U_m \leftarrow \{0,1\}^m$ are drawn uniformly and independently
of $X$.

The new oneway function $\psi^U : \mathcal{X} \times \{0,1\}^d \mapsto \{0,1\}^m \times \{0,1\}^d$ is defined
as $\psi^U(x, s) = (\mathsf{Ext}(\psi(x), s), s)$. According to the LHL [HILL93], if $H_\infty(x) > m +
2\log(1/\epsilon)$, then the output of $\psi^U$ is at most $\epsilon$-far from the uniform distribution
over $\{0,1\}^{m+d}$. However, in order to maintain its onewayness, we need an extra
property of the strong extractor, Target Collision Resistance (TCR), i.e. given $x$
and $s$, it is computationally infeasible to find $x'$ such that $x \neq x'$ and $\mathsf{Ext}(x, s) =
\mathsf{Ext}(x', s)$. We construct TCR strong extractors from regular universal oneway
hash functions (UOWHFs), initially proposed by Naor and Yung [NY89]. We
first formally define the TCR property for a strong extractor in Definition 4.

Definition 4. Let $\mathsf{Ext} : \{0,1\}^{\ell(\lambda)} \times \{0,1\}^{d(\lambda)} \mapsto \{0,1\}^{m(\lambda)}$ be a strong extractor.
We say Ext is target collision resistant if for all PPT adversaries $\mathcal{A}$, the following
probability:

$$\Pr\left[x \leftarrow \mathcal{A}(1^\lambda);\ s \leftarrow \{0,1\}^{d(\lambda)};\ x' \leftarrow \mathcal{A}(s) : x, x' \in \{0,1\}^{\ell(\lambda)} \wedge x \neq x' \wedge \mathsf{Ext}(x, s) = \mathsf{Ext}(x', s)\right] = \mathrm{negl}(\lambda).$$

A stronger notion, collision resistant extractors, was introduced by Dodis
[Dod05]. Collision resistant extractors were applied to construct the perfectly oneway
probabilistic hash functions proposed in [CMR98] in 2005. The construction of such
collision resistant extractors relies on a variant of the leftover hash lemma proved by
Dodis and Smith [DS05]. Our observation is that in the same way that [Dod05]
employs regular collision resistant hash functions (CRHF) to derive collision
resistant strong extractors, we can use regular universal oneway hash functions
(UOWHF) to obtain TCR strong extractors. The notion of UOWHF was initially
proposed by Naor and Yung [NY89] where they showed that UOWHFs
can be constructed by composing oneway permutations with (weakly) pairwise
independent hash functions. Since then, many constructions of UOWHFs have
been proposed, assuming the existence of regular oneway functions [SY90] or
any oneway functions [Rom90,HHR+10].⁵

We would like to use $\mathcal{H}_{2^n} = \{H_{(a,b)}(x) = ax + b \mid \forall a \neq 0,\ a, b \in \mathrm{GF}(2^n)\}$ as
the family of pairwise independent permutations and a regular UOWHF family
$\mathcal{F}_\lambda$ to construct our TCR strong extractors. Define $\hat{F}_i(\cdot) := (F_i(\cdot), i)$, where
$F_i \in \mathcal{F}_\lambda$. Our TCR strong extractor is constructed as $\mathsf{Ext}(x, (i, s)) = \hat{F}_i \circ H_s(x)$.
Note that regularity of the UOWHFs is important to ensure that the output
distribution of such strong extractors is close to the uniform distribution, as
a regular $F_i$ maps the uniform distribution on its domain to the uniform distribution on its range. On the other hand, some UOWHF constructions give regular
UOWHFs by default (i.e., the UOWHFs constructed by the oneway permutation
based approach [NY89]).

Dense Oneway Functions and Dense Puzzles from Complexity
Assumptions. We apply a TCR strong extractor for our construction. The
key to the construction will be a "dense" oneway function: a oneway function
is $\epsilon$-dense oneway if its output distribution is at most $\epsilon$-far from $U_m$ for some
$m \in \mathbb{Z}^+$. We now present a transformation of a one-way function to a dense one-way
function via the application of a TCR strong extractor. The TCR property
will ensure that any attempt to invert the dense one-way function will result in
an inversion of the underlying one-way function. Formally we prove the following.

Theorem 3. Let $\lambda_1, \lambda_2 \in \mathbb{Z}^+$ be the security parameters. Let $\psi_{\lambda_1} : \mathcal{X}_{\lambda_1} \mapsto \mathcal{Y}_{\lambda_1}$
be an arbitrary oneway function, and define $H_{\lambda_1}$ for a random
variable $X$ drawn uniformly from $\mathcal{X}_{\lambda_1}$. Assume there exists an efficient injective
map $C_{\lambda_1} : \mathcal{Y}_{\lambda_1} \mapsto \{0,1\}^{\ell(\lambda_2)}$. If $\mathsf{Ext}_{\lambda_2}(x, (s_1, s_2))$, with domain
$\{0,1\}^{\ell(\lambda_2)} \times \{0,1\}^{\lambda_2 + 2\ell(\lambda_2)}$, is a $(H_{\lambda_1}, \epsilon)$-TCR strong extractor, then

$$\psi^U(x, s_1, s_2) = (\mathsf{Ext}_{\lambda_2}(C_{\lambda_1}(x), (s_1, s_2)),\ s_2)$$

is an $\epsilon$-dense oneway function with range $\{0,1\}^{2\ell(\lambda_2) + H_{\lambda_1} - 2\log(1/\epsilon) - 1}$ and
domain $\mathcal{X}_{\lambda_1} \times \{0,1\}^{\lambda_2 + 2\ell(\lambda_2)}$.

Proof. Please see the full version [BKZZ15].

The above result paves the way for constructing dense puzzles from complexity
assumptions. Essentially, given a function with moderately hard characteristics
making it suitable for a puzzle, it is possible to transform it to a dense puzzle
by applying a suitably hard TCR extractor ("suitable" here means that breaking
the TCR property should be harder than solving the puzzle). We now illustrate
this methodology by applying it to the discrete logarithm problem. More generally
this methodology transforms any puzzle in the sense of Definition 1 to a
dense puzzle (assuming again a suitably hard TCR extractor).

⁵ We note that, on the contrary, CR strong extractors cannot be built from arbitrary
oneway functions, since Simon [Sim98] gave a black-box separation between CRHFs
and oneway functions.
The DLP Based Puzzle and Calibrating Its Hardness. Consider the discrete logarithm problem (DLP) as the candidate oneway function for our puzzle. Let $\mathbb{G} = \langle G \rangle$ be some (multiplicative) cyclic group where the DLP is hard, and $G$ is a generator with order $p$, which is a $\lambda_1$-bit prime. The oneway function $\psi_G : \mathbb{Z}_p \to \mathbb{G}$ is defined as $\psi_G(x) = G^x$. It is shown by Shoup [Sho97] that any probabilistic algorithm takes steps to solve the DLP over generic groups. Analogously, [GJKY13] shows any probabilistic algorithm must take at least $\sqrt{2p\varepsilon}$ steps to solve DLP with probability $\varepsilon$ in the generic group model. To build a puzzle, we would like to calibrate the hardness of the DLP by revealing the most significant bits of the pre-image. For example, for a puzzle with hardness factor $h \le \lfloor \frac{\lambda_1 - 1}{2} \rfloor$, we pick $x \in \{0,1\}^h$ and $y \in \{0,1\}^{\lfloor (\lambda_1 - h)/2 \rfloor}$ uniformly at random, and set the puzzle as $(\mathrm{Ext}_{\lambda_2}(\psi_G(x + 2^h \cdot y), (s_1, s_2)), s_2, y)$. We assume the calibrated DLP is still moderately hard with respect to the min-entropy of $x$. Note that a similar assumption was used by Gennaro to construct a more efficient pseudo-random generator [Gen00]. It is easy to see that this assumption holds for DLP in generic groups, i.e. given $\psi_G(x + 2^h \cdot y)$ and $y$, the best generic algorithm must take at least $\sqrt{2^{h+1}\varepsilon}$ steps to solve DLP with probability $\varepsilon$. We note that this problem is closely related to leakage-resilient cryptography [AM11, ADVW13].

On the other hand, due to the outer-layer extractor, we cannot directly adopt any known (generic) DLP algorithms, such as [GTY07, GPR13]. Instead, our puzzle solver just exhaustively searches for a valid solution. There is a subtle caveat, namely the expected running time of solving a puzzle with hardness factor $h$, i.e. $x \leftarrow \{0,1\}^h$, is designed to be $2^h$, whereas the TCR property of the UOWHF is only guaranteed against PPT adversaries with respect to $\lambda_2$ (the security parameter of the UOWHF). To address this issue, we introduce an additional assumption, that is, the expected running time of any adversary $\mathcal{A}$ (in number of steps) that can break the TCR property of the underlying UOWHF with non-negligible probability on $x \leftarrow \{0,1\}^h$ is $\omega(2^{h/2})$ (i.e. breaking TCR is expected to happen after the birthday paradox bound). The dense puzzle system from DLP (combined with TCR strong extractors) is depicted in Fig. 4.

Theorem 4. Let $\lambda \in \mathbb{Z}^+$ be the security parameter and $h \in [\log^4 \lambda + \log^2 \lambda + 1, \log^5 \lambda]$ be the hardness factor. Let $\mathrm{Ext}_\lambda : \{0,1\}^\lambda \times \{0,1\}^{3\lambda} \to \{0,1\}^{\lambda + \log \lambda}$ be a TCR strong extractor such that the expected running time of any adversary $\mathcal{A}$ that breaks its TCR property with non-negligible probability on $x \leftarrow \{0,1\}^h$ is $\omega(2^{h/2})$. Assume $\psi_G : \mathbb{Z}_p \to \mathbb{G}$ is a hard DLP in generic groups such that the best generic algorithm must take at least $\sqrt{2^{h+1}\varepsilon}$ steps to solve it with probability $\varepsilon$. The puzzle system PuzSys = (Sample, SampleSol, Solve, Verify) described in Fig. 4 is correct, complete with Solve's running time $2^h$, efficiently samplable, statistically indistinguishable, and $g$-hard, where $g(T) = T^{1/c}$ for any constant $c > 2$. In addition, for any $k$ that is $O(2^{\log \lambda})$, PuzSys is $(\mathrm{id}(\cdot), k)$-amortization resistant, where $\mathrm{id}(\cdot)$ is the identity function.

Proof. Please see the full version [BKZZ15]. 
Define $\mathcal{PS}_\lambda = \{0,1\}^{7\lambda/2 + \log^4 \lambda}$, $\mathcal{SS}_\lambda = \{0,1\}^{\log^4 \lambda}$, and $\mathcal{HS}_\lambda = [\log^4 \lambda + \log^2 \lambda + 1, \log^5 \lambda]$. For the given $\lambda$, select a pre-defined $\mathrm{Ext}_\lambda : \{0,1\}^\lambda \times \{0,1\}^{3\lambda} \to \{0,1\}^{\lambda + \log \lambda}$. Set the DLP $\psi_G : \mathbb{Z}_p \to \mathbb{G}$ over the pre-defined elliptic curve, where $p$ is a $\lambda$-bit prime such that there exists an efficient injective map $\xi : \mathbb{G} \to \{0,1\}^\lambda$. (We will omit this map $\xi$ in the rest of the description for notation simplicity.)

- Sample($1^\lambda$, $h$): Return puz $\leftarrow \{0,1\}^{7\lambda/2 + \log \lambda}$.

- SampleSol($1^\lambda$, $h$):

  • Pick random $s_1 \leftarrow \{0,1\}^\lambda$, $s_2 \leftarrow \{0,1\}^{2\lambda}$, $x \leftarrow \{0,1\}^h$ and $y \leftarrow \{0,1\}^{\lambda/2}$.

  • Return puz $= (\mathrm{Ext}_\lambda(\psi_G(x + 2^h \cdot y), (s_1, s_2)), s_2, y)$ and soln $= x$.

- Solve($1^\lambda$, $h$, puz):

  • Parse puz to $(z, s_1, s_2, y)$; set soln $= \bot$ and initialize an empty set $X$.

  • For ctr $=$

    ◦ Randomly pick $x \leftarrow \{0,1\}^h \setminus X$, and add $x$ to $X$.
    ◦ Set soln $= x$ if $z = \mathrm{Ext}_\lambda(\psi_G(x + 2^h \cdot y), (s_1, s_2))$.

  • Return soln.

- Verify($1^\lambda$, $h$, puz, soln): Parse puz to $(z, s_1, s_2, y)$. Return true if and only if $z = \mathrm{Ext}_\lambda(\psi_G(\mathrm{soln} + 2^h \cdot y), (s_1, s_2))$.


Fig. 4. The Dense Puzzle System From DLP.


Remark. For notation simplicity, we let the puzzle space be “independent” of the hardness factor $h$, therefore we have to limit $h$ within a small interval to ensure (i) $\psi_G(x + 2^h \cdot y)$ has enough entropy and (ii) it is infeasible to break the TCR property of the underlying UOWHF within $2^{h/2}$ steps. In practice, for any desired $h$, we can always pick a suitable $\mathrm{Ext}_\lambda : \{0,1\}^\lambda \times \{0,1\}^{3\lambda} \to \{0,1\}^{\lambda + h - \log \lambda - 1}$.
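To make the calibration concrete, here is an added toy implementation of the Fig. 4 puzzle in Python; it is not code from the paper or its authors. It assumes a toy group ($\mathbb{Z}_P^*$ for the Mersenne prime $P = 2^{127} - 1$ with base $G = 3$) in place of the paper's elliptic curve, uses HMAC-SHA256 keyed by the seeds $(s_1, s_2)$ as a stand-in for the TCR strong extractor $\mathrm{Ext}_\lambda$ (so it models the RO-style instantiation rather than the UOWHF-based one), carries both seeds inside the puzzle so that Solve and Verify can recompute the extractor, and rounds the $\lambda + \log \lambda$-bit extractor output up to a byte boundary. No hardness claim is made for the toy group; what the example shows is how revealing $y$ shrinks the solver's search to the $2^h$ candidate values of $x$ while Verify stays at one exponentiation plus one extractor call.

```python
"""Toy DLP-based dense puzzle in the style of Fig. 4 (added example, not the paper's code)."""
import hashlib
import hmac
import random
import secrets

# Toy group (assumption, not the paper's elliptic curve): Z_P^* for the
# Mersenne prime P = 2^127 - 1 with base G = 3.  No hardness claim is made.
P = 2**127 - 1
G = 3
LAMBDA = 128                # bits used to encode one group element (lambda)
EXT_OUT = LAMBDA // 8 + 1   # lambda + log(lambda) bits, rounded up to 17 bytes


def psi(e: int) -> int:
    """psi_G(e) = G^e mod P, the oneway function of the puzzle."""
    return pow(G, e, P)


def ext(v: int, s1: bytes, s2: bytes) -> bytes:
    """Stand-in for Ext_lambda(v, (s1, s2)): HMAC-SHA256 keyed by the seeds, truncated."""
    mac = hmac.new(s1 + s2, v.to_bytes(LAMBDA // 8, "big"), hashlib.sha256).digest()
    return mac[:EXT_OUT]


def sample(h: int):
    """Sample: a uniformly random element of the puzzle space (no solution known).

    Density of the puzzle system means real puzzles from sample_sol look like this."""
    return (secrets.token_bytes(EXT_OUT),
            secrets.token_bytes(LAMBDA // 8),
            secrets.token_bytes(2 * LAMBDA // 8),
            secrets.randbelow(2 ** (LAMBDA // 2)))


def sample_sol(h: int):
    """SampleSol: puzzle together with its solution x (an h-bit value)."""
    s1 = secrets.token_bytes(LAMBDA // 8)        # s1 <- {0,1}^lambda
    s2 = secrets.token_bytes(2 * LAMBDA // 8)    # s2 <- {0,1}^{2 lambda}
    x = secrets.randbelow(2 ** h)                # x  <- {0,1}^h, the solution
    y = secrets.randbelow(2 ** (LAMBDA // 2))    # y  <- {0,1}^{lambda/2}, revealed high bits
    z = ext(psi(x + (y << h)), s1, s2)           # exponent is x + 2^h * y
    return (z, s1, s2, y), x


def solve(h: int, puz):
    """Solve: exhaustive search over the 2^h candidates in random order without replacement.

    Returns (solution or None, number of extractor evaluations made)."""
    z, s1, s2, y = puz
    candidates = list(range(2 ** h))
    random.shuffle(candidates)                   # the random pick from {0,1}^h \ X of Fig. 4
    for steps, x in enumerate(candidates, start=1):
        if ext(psi(x + (y << h)), s1, s2) == z:
            return x, steps
    return None, len(candidates)


def verify(h: int, puz, soln) -> bool:
    """Verify: one exponentiation and one extractor call, regardless of h."""
    if soln is None or not 0 <= soln < 2 ** h:
        return False
    z, s1, s2, y = puz
    return ext(psi(soln + (y << h)), s1, s2) == z


if __name__ == "__main__":
    for h in (6, 8, 10):
        puz, x = sample_sol(h)
        found, steps = solve(h, puz)
        print(f"h={h:2d}  solved={found == x}  extractor calls={steps:5d}  bound 2^h={2 ** h}")
```

Running the block for several values of $h$ prints the number of extractor evaluations Solve needed, which grows with $2^h$ as the hardness factor increases, while a wrong or missing solution is rejected by Verify at constant cost.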

3.6 Instantiation of the Dense Puzzle Based PoWorK

We instantiate our PoWorK protocol as described in Fig. 1 by building it upon the Schnorr identification scheme [Sch89] and the dense puzzle system instantiation in the RO model$^{6}$ (see Sect. 3.4). The description of our instantiation is presented in the full version of this work [BKZZ15].

4 Applications 

Below we present some practical and theoretical applications of our PoWorK. When using PoWorK in practice we must ensure that the verifier cannot distinguish between the two types of provers based on their response time. In Sect. 2.2 we argued that for our indistinguishability proofs, $\mathcal{P}(w)$ (i.e. the prover who knows the witness) should perform some idle steps so that his running time will be lower bounded by the time that one would need to solve the puzzle. However, enforcing a real user to wait is not ideal. Luckily though, the time needed for a prover who solves a puzzle (i.e., does not know the witness) depends on his total computational power and on whether the puzzle is parallelizable or not. Provers who own specialized hardware (e.g., based on ASICs) or that have access to powerful computer clusters (in case that a puzzle is parallelizable) might be able to solve the puzzle very fast - paying of course the relevant computation cost. Thus, when applying PoWorK in practice, the time that it takes a prover to respond to a challenge is not a distinguishing factor: the prover might as well have solved the puzzle in constant time by fully parallelizing its computation or alternatively, for the case of non-interactive PoWorKs, the receiver may not know when the prover started proof computation. Finally note that in any case, we do care that the prover has paid the corresponding computational cost and he is not able to amortize a previous solution of a puzzle to solve a new one.

6 The construction using the DLP based puzzle system is similar. We chose to employ the RO instantiation for simplicity in presentation.


4.1 Email Spam Application 

Using proofs of work to reduce the amount of spam email was suggested back in 
1992 by Dwork and Naor [DN92]. Their idea can be summarized in the following: 

“If I don’t know you and you want to send me a message, then you must prove 
that you spent, say, ten seconds of CPU time, just for me and just for this 
message” [DN92]. 

In their proposal there exists some special software$^{7}$ that operates on behalf of the receiver and checks whether the sender has properly computed the proof of work or the sender is an approved (by the receiver) contact. The reason that this approach helps to reduce spam is mainly economic: in order for spammers to send high volumes of emails they would have to invest in powerful computational resources, which makes spamming non cost-effective.

A disadvantage of the method described above is that the list of the approved contacts (i.e. email addresses) of the receiver has to be given to this special software/mail server in order to check whether the sender belongs in this list or not - in which case she will have to perform additional computation. This violates the privacy of the receiver who needs to reveal which of her contacts she considers to be approved and thus allows them to send emails “for free”. Adopting our PoWorK protocol would give a privacy preserving solution to the spam problem: given the indistinguishability feature of PoWorK, the software/verifier does not need to know the approved list of contacts, in fact it does not even need to know whether the incoming email is from an approved contact or a non-approved user who successfully fulfilled the computational work.

Non-interactive PoWorKs. Sending an email should not require any extra communication between the sender and the mail server. Our 3-move PoWorK is public-coin, thus it can be turned into a non-interactive one by applying the Fiat-Shamir transformation [FS86]. Namely, the prover, instead of receiving a challenge from the verifier, hashes the first move message $a$ together with the context of the email and the email address of the receiver into $c$, and provides the verifier with the whole proof, $\pi$, which includes $(a, c, r)$ and the context of the email, in one round.

7 This special software could for example run on the receiver’s mail server or be an independent program running on the receiver’s side.

Multi-witness Hard Relation. In order for a user to approve a list of contacts she will have to provide each one of them with a unique witness for the same statement (in order to ensure indistinguishability). Let $R_\mathcal{L}$ be a multi-witness hard relation with a trapdoor for a language $\{x \mid \exists w : (x, w) \in R_\mathcal{L}\}$. A relation is said to be hard if for $(x, w) \in R_\mathcal{L}$, a PPT adversary given $x$ can only output $w'$ s.t. $(x, w') \in R_\mathcal{L}$ with negligible probability. A multi-witness hard relation with a trapdoor is described by the following algorithms: (a) a trapdoor generation algorithm sets a pair of a statement $x$ and associated trapdoor $t$: $(x, t) \leftarrow \mathrm{GenT}(R_\mathcal{L})$, (b) an efficient algorithm GenW that on input $x \in \mathcal{L}$ and a trapdoor $t$ outputs a witness $w$ such that $(x, w) \in R_\mathcal{L}$ and, (c) a verification algorithm $1/0 \leftarrow \mathrm{Ver}(R_\mathcal{L}, x, w)$ that outputs 1 if $(x, w) \in R_\mathcal{L}$ and 0 otherwise$^{8}$.

PoWorK Based Spam Reducing System. Consider a PoWorK scheme as presented in Fig. 1 for a security parameter $\lambda$, a puzzle system PuzSys and a multi-witness hard relation with a trapdoor $R_\mathcal{L}$ as described above. A spam reducing system SRS consists of the following algorithms:

- MailServerSetup($1^\lambda$): the mail server $\mathcal{S}_{mail}$, on input the security parameter $\lambda$, selects the hardness of the puzzle system $h \in \mathcal{HS}_\lambda$.

- ReceiverSetup($1^\lambda$, $h$): user $\mathcal{R}$ (i.e. the receiver) runs $(x, t) \leftarrow \mathrm{GenT}(R_\mathcal{L})$ and sends $x$ and her email address $ad_\mathcal{R}$ to the mail server (potentially signed together). The trapdoor $t$ is secretly stored by $\mathcal{R}$.

- ApproveContact($t$, $x$): in order for $\mathcal{R}$ to approve a sender $\mathcal{S}$, it will run $w \leftarrow \mathrm{GenW}(t, x)$ and will give $w \in R_\mathcal{L}(x)$ to the sender (unique witnesses allow for revocation). From now on, $\mathcal{S}$ can use $w$ to send emails to $\mathcal{R}$.

- SendEMail($w$, $h$, $x$): a sender $\mathcal{S}$ with input the public parameters, statement $x \in \mathcal{L}$ and with a private input $w \in R_\mathcal{L}(x) \cup \{\bot\}$, prepares a PoWorK proof $\pi = (a, c, r)$. If $\mathcal{S}$ is an approved contact of $\mathcal{R}$ then she will use the witness $w$ to perform the PoK side of PoWorK, while if $\mathcal{S}$ is not an approved contact (i.e. $w = \bot$) she will have to execute the PoW side. To compute $\pi$ non-interactively she will fix $c$ to be $H(a, m)$, where $a$ is the first message of PoWorK, $m$ stands for the body of the email$^{9}$, and $H$ is a hash. The rest of PoWorK is computed as before.


8 Examples of multi-witness hard relations with trapdoors are (a) the DL representation problem [Bra94,BF99] over prime order groups, (b) the representation problem in composite modular groups [ACJT00] which has constant size parameters in the number of adversarial parties.

9 We can assume that the email body also contains a time-stamp (or that the time-stamp is added later by the mail server) and also includes $(ad_\mathcal{S}, ad_\mathcal{R})$ which are the sender/receiver email addresses.
- ApproveEMail($h$, $x$, $\pi$): is run by the mail server $\mathcal{S}_{mail}$ who verifies $\pi$ and outputs 0/1. If the proof is valid, then $\mathcal{S}_{mail}$ forwards the enclosed email to $\mathcal{R}$.

Note that our proposal, similar to [DN92,DGN03], requires implementing additional protocols between the sender and the recipient (i.e. a change in the internet mail standards would be required). In the full version of this work [BKZZ15] we discuss some interesting extensions of our protocol that address revocation, prevention of witness sharing and solving “useful” puzzles.
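As an added illustration of the multi-witness hard relation with a trapdoor, and of how ReceiverSetup and ApproveContact use it to hand each approved sender a distinct witness for one statement, the Python below instantiates the DL representation problem named in footnote 8 over a toy prime-order group. It is not the paper's code and the paper does not fix these concrete algorithms. Assumptions: a freshly generated 48-bit safe prime $P = 2Q + 1$ (far too small for real use, chosen so the example runs in well under a second) with generator $g = 4$ of order $Q$; the trapdoor is the discrete logarithms $(a_1, a_2, e)$ of the public bases $g_1 = g^{a_1}$, $g_2 = g^{a_2}$ and of the statement $x = g^e$; the names gen_t, gen_w, ver and approve_contacts are the example's own, standing in for GenT, GenW, Ver and ApproveContact.

```python
"""Toy DL representation relation with a trapdoor for the SRS (added example, not the paper's code)."""
import secrets

# Miller-Rabin bases that are deterministic for n < 3.3e24, ample for a 48-bit modulus.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int):
    """Return (P, Q) with P = 2Q + 1 both prime and P of the requested bit length."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


# Toy group (assumption): the order-Q subgroup of Z_P^*.  4 = 2^2 is a square mod P,
# so for a safe prime it has order exactly Q.  48 bits is for speed only, not security.
P, Q = gen_safe_prime(48)
g = 4


def gen_t():
    """GenT: statement (g1, g2, x) with x = g^e, plus trapdoor t = (a1, a2, e).

    Without the trapdoor, finding (w1, w2) with g1^w1 g2^w2 = x requires solving
    discrete logarithms in the group; with it, representations are cheap to produce."""
    a1, a2, e = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    g1, g2 = pow(g, a1, P), pow(g, a2, P)
    x = pow(g, e, P)
    return (g1, g2, x), (a1, a2, e)


def gen_w(t, stmt):
    """GenW: a fresh random representation w = (w1, w2) of x over the bases (g1, g2).

    Since log_g x = a1*w1 + a2*w2 (mod Q), choosing w1 at random fixes w2 uniquely."""
    a1, a2, e = t
    w1 = secrets.randbelow(Q)
    w2 = (e - a1 * w1) * pow(a2, -1, Q) % Q
    return (w1, w2)


def ver(stmt, w) -> bool:
    """Ver: 1 iff g1^w1 * g2^w2 = x, i.e. (x, w) is in the relation."""
    g1, g2, x = stmt
    w1, w2 = w
    return pow(g1, w1, P) * pow(g2, w2, P) % P == x


def approve_contacts(t, stmt, addresses):
    """ApproveContact for a list of senders: each gets its own witness for the same x,
    and the receiver keeps the address -> witness map that makes revocation possible."""
    return {addr: gen_w(t, stmt) for addr in addresses}


if __name__ == "__main__":
    stmt, t = gen_t()                       # ReceiverSetup keeps t, publishes stmt
    book = approve_contacts(t, stmt, ["alice@example.org", "bob@example.org"])
    for addr, w in book.items():
        print(addr, "witness valid:", ver(stmt, w))
    print("witnesses distinct:", len(set(book.values())) == len(book))
```

The receiver publishes only the statement; every approved contact holds a different witness for it, so the mail server never learns which witness (if any) a given proof used, which is exactly what the indistinguishability of PoWorK relies on.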


Security. Although a formal definition and description of properties of an email 
system is out of the scope of this paper, we do define and prove spam resistance 
and privacy. Briefly, spam resistance guarantees that the mail server will allow 
an email message to reach the recipient if and only if a valid proof (of work or 
knowledge) has been attached. At the same time for a non-approved contact the 
number of valid proofs of work prepared should not affect the time required to 
prepare a new one (similar to puzzle amortization property). Privacy implies 
that the mail server cannot distinguish whether the sender of a message is an 
approved contact of the recipient or not. 

Definition 5. Let SRS be a spam reducing system built upon a PoWorK $(\mathcal{P}, \mathcal{V})$ for a language $\mathcal{L} \in \mathbf{NP}$ and a puzzle system PuzSys = (Sample, Solve, Verify). We define spam resistance and privacy of SRS as follows:

(i). $(\sigma, k)$-Spam Resistance: We say that SRS is $(\sigma, k)$-spam resistant if there exists a PPT witness-extraction algorithm $\mathcal{K}$, such that for every hardness factor $h \in \mathcal{HS}_\lambda$, auxiliary tape $z \in \{0,1\}^*$ and every adversary $\mathcal{A}$, if for non-negligible functions $\alpha_1(\cdot), \alpha_2(\cdot)$:

$$
\Pr\left[\begin{array}{l}
(t, x) \leftarrow \mathrm{ReceiverSetup}(1^\lambda, h);\ \forall\, 1 \le i \le k : \mathrm{puz}_i \leftarrow \mathrm{Sample}(1^\lambda, h);\\
\{\pi_i = (a_i, c_i, r_i)\}_{i \in [k]} \leftarrow \mathcal{A}(z, 1^\lambda, h, x) :\\
(\forall\, 1 \le i \le k : \mathrm{ApproveEMail}(h, x, \pi_i) = 1) \wedge (\forall\, i \ne j \in [k] : \pi_i \ne \pi_j) \wedge\\
\mathrm{Steps}_{\mathcal{A}}(z, 1^\lambda, h, x) < \sigma\Big(\sum_{i=1}^{k} \mathrm{Steps}_{\mathrm{Solve}}(1^\lambda, h, \mathrm{puz}_i)\Big)
\end{array}\right] = \alpha_1(\lambda),
$$

then $\Pr[\mathcal{K}^{\mathcal{A}}(z, 1^\lambda, h, x) \in R_\mathcal{L}(x)] = \alpha_2(\lambda)$.

(ii). Privacy: We say that SRS is private, if for every hardness factor $h \in \mathcal{HS}_\lambda$, auxiliary tape $z \in \{0,1\}^*$ and every adversarial mail server $\mathcal{A}$, it holds that:

$$
\left|
\Pr\left[\begin{array}{l}
(t, x) \leftarrow \mathrm{ReceiverSetup}(1^\lambda, h);\ w \leftarrow \mathrm{ApproveContact}(t, x);\\
\pi \leftarrow \mathrm{SendEMail}(w, h, x) : \mathcal{A}(z, h, x, \pi) = 1
\end{array}\right]
-
\Pr\left[\begin{array}{l}
(t, x) \leftarrow \mathrm{ReceiverSetup}(1^\lambda, h);\\
\pi \leftarrow \mathrm{SendEMail}(\bot, h, x) : \mathcal{A}(z, h, x, \pi) = 1
\end{array}\right]
\right| = \mathrm{negl}(\lambda).
$$


We prove the following theorem for a private spam reducing email system: 
Theorem 5. Let SRS be a spam reducing system built upon dense puzzle-based PoWorK $(\mathcal{P}, \mathcal{V})$ for a $g$-hard and $(r, k)$-amortization resistant dense puzzle system PuzSys = (Sample, Solve, Verify), where $k$ is polynomial in $\lambda$, $r$ is an increasing function and $g$ is a subadditive function. Let $H$ be a hash function with output domain equal to the challenge sampling space $\mathcal{CS}_\lambda$ modeled as a random oracle. Assume that the worst-case running time of $\mathrm{Solve}(1^\lambda, \cdot, \cdot)$ is $o(|\mathcal{CS}_\lambda|)$ and that $(\sqrt{r} \circ g)(\mathrm{Solve}(1^\lambda, \cdot, \cdot))$ is super-polynomial in $\lambda$. Then, the email system described above is private and $(\sqrt{r} \circ g, k)$-spam resistant.

Proof. Please see the full version [BKZZ15]. 

Intuitively, the privacy holds because of the indistinguishability of PoWorK. The $(\sqrt{r} \circ g, k)$-spam resistance property holds because of the soundness of PoWorK and the amortization resistance of the underlying PuzSys.

4.2 PoWorK-Based Cryptocurrencies 

Proofs of work are the basic primitive used in achieving the type of distributed consensus required in cryptocurrencies, notably Bitcoin [Nak08] and many others that use the same approach. The main idea is that a proof of work operation can be used to calibrate the ability of parties to build a hash chain that contains transaction records, commonly referred to as the blockchain.

An important feature of a blockchain is its decentralized nature. Given the 
view of a participant (commonly referred to as a miner) that includes its view 
of the blockchain, a fresh instance of a puzzle of a specified difficulty is created 
(which itself may depend on the blockchain) and has to be solved in order to add 
another block in the chain. Formally, the operation of a PoW-based miner as used 
in Bitcoin and numerous other cryptocurrencies (such as Litecoin, Namecoin, 
Dogecoin) is as shown in Fig. 5. 


Let $(B_1, \ldots, B_n)$ be the current blockchain where $B_i$ is a tuple $(t_i, T_i, u_i, \pi_i)$ with $t_i$ a time-stamp, $T_i$ a set of transactions, $u_i = H(B_{i-1})$ (for a hash function $H$) and $\pi_i$ is such that $\mathrm{Verify}(1^\lambda, h_i, H(B_i), \pi_i) = \mathrm{true}$. The hardness $h_i$ is calculated via a function operating on the time-stamps as follows: $h_i = \mathrm{HC}(t_1, \ldots, t_{i-1})$. A new block $B_{n+1}$ is created as follows.

1. Collect transactions into a vector $T_{n+1}$.

2. Calculate $h_{n+1} = \mathrm{HC}(t_1, \ldots, t_n)$.

3. Set puz $= H(t_{n+1}, T_{n+1})$ where $t_{n+1}$ is a current timestamp and run $\mathrm{Solve}(1^\lambda, h, \mathrm{puz})$ to produce a soln $= \pi_{n+1}$.

4. If the above step is successful, broadcast $B_{n+1} = (t_{n+1}, T_{n+1}, u_{n+1}, \pi_{n+1})$.


Fig. 5. Miner operation in a puzzle-based cryptocurrency (using a puzzle PuzSys = (Sample, Solve, Verify) that is dense). $\mathrm{HC}(\cdot)$ is the puzzle hardness calculation function which depends on the timestamps of the blocks of the current blockchain.


Under certain assumptions about the network synchronicity and the hardness of the proof, the above mechanism has been shown to be robust in the sense of satisfying two properties, persistence (transactions remain stable in the “ledger”) and liveness (all transactions are eventually inserted in the ledger) assuming that the honest parties are above majority [GKL15]. Puzzle-based cryptocurrencies have also drawn a lot of criticism due to the fact that they require a lot of natural resources (e.g., in [OM14] it is reported that Bitcoin mining in 2014 already consumed as much energy as the needs of the country of Ireland for electricity).

This led to the development of a number of systems that circumvent puzzles (including [DM16,BLMR14,Maz15] as well as Peercoin, DasHCoin, NXT, Nushares, ACHCoin, Faircoin and others). These systems maintain a blockchain as well, however they rely on different mechanisms for producing blocks. We call them, generically, “knowledge-based cryptocurrencies” since the production of a block is associated with the production of a witness for a public relation $\mathcal{R}$ which parameterizes the system. Formally, we present the miner$^{10}$ operation in Fig. 6.


Let $(B_1, \ldots, B_n)$ be the current blockchain where $B_i$ is a tuple $(t_i, T_i, u_i, \pi_i)$, for $t_i, T_i, u_i$ defined as in Figure 5 and $\pi_i$ being a NIZK that shows $x_i \in \{x \mid \exists w : (x, w) \in \mathcal{R}\}$, where $x_i = \mathcal{K}(B_1, \ldots, B_{i-1}, t_i, T_i)$ for $i = 1, \ldots, n$. The miner, equipped with secret-key $sk$, produces the next block as follows.

1. Collect transactions into a vector $T_{n+1}$.

2. Calculate the pair $(x_{n+1}, \mathrm{aux}) \leftarrow \mathcal{K}(B_1, \ldots, B_n, t_{n+1}, T_{n+1})$ where $t_{n+1}$ is the current time. Then calculate $W_{sk}(x_{n+1}, \mathrm{aux}) = w_{n+1}$. If $w_{n+1} \ne \bot$ it holds that $(x_{n+1}, w_{n+1}) \in \mathcal{R}$.

3. If the above step is successful, compute a NIZK proof $\pi_{n+1}$ for $x_{n+1}$ using witness $w_{n+1}$.

4. Broadcast $B_{n+1} = (t_{n+1}, T_{n+1}, u_{n+1}, \pi_{n+1})$.


Fig. 6. Miner operation in a knowledge-based cryptocurrency parameterized by relation $\mathcal{R}$. The function $\mathcal{K}(\cdot)$, given the blockchain information, the current set of transactions and the time-stamp, produces a statement $x$, while the function $W_{sk}(\cdot)$, given a statement, produces a witness $w$ so that $(x, w) \in \mathcal{R}$.


A trivial way to construct a knowledge-based cryptocurrency would be to have a single trusted authority with a public and secret key pair, $(pk, sk)$, acting as the sole miner.$^{11}$ At a time-step $n + 1$, the function $\mathcal{K}(\cdot)$ would simply set $x_{n+1} = (t_{n+1}, T_{n+1}, u_{n+1})$ and $W_{sk}(x_{n+1})$ would produce a signature on $x_{n+1}$ that would serve as $\pi_{n+1}$ (there is no need for a NIZK). Another example of a knowledge-based cryptocurrency is NXT. On a high level, in this system each miner (called forger) has a digital signature public and secret key, $(pk, sk)$, associated with her account. The function $\mathcal{K}(B_1, \ldots, B_n, t_{n+1}, T_{n+1})$ (run by each

10 Note that we use the term “miner” for symmetry. Miners are associated with puzzle based cryptocurrencies and thus different terminology has been introduced in knowledge-based systems including “mintettes”, “forgers” and others.

11 For instance, this would be a single “mintette” instantiation of [DM16].
miner), operates as follows: it parses $T_{n+1}$ to recover the public key $pk$ of the miner (note that it is always present in the transaction collecting the fees). Then, based on the public key $pk$ and the blockchain $B_1, \ldots, B_n$ it determines how much currency is associated with the account that corresponds to the public key $pk$; this results in a time-window $d \in \mathbb{N}^+$ whose expectation is proportionate to the amount of currency in the account (the more currency, the shorter the expectation of $d$ is; we omit the exact dependency in this high level description). The function $\mathcal{K}(\cdot)$ returns $(x_{n+1}, \mathrm{aux})$ with $x_{n+1} = (t_{n+1}, T_{n+1}, u_n)$ and $\mathrm{aux} = d$. The procedure $W_{sk}(x_{n+1}, d)$ will produce a signature $w$ on the message $(t_{n+1}, T_{n+1}, u_n)$ if $t_{n+1} > t_n + d$; else, it produces $\bot$. Note that in this system no NIZK is employed, one may just set $\pi_{n+1} = w$; however, the system would operate similarly if a NIZK was employed to establish knowledge of a signature $w$ on the message $(t_{n+1}, T_{n+1}, u_n)$.

We now show how to construct a PoWorK-based cryptocurrency derived from a knowledge-based cryptocurrency $C_1$ and a puzzle-based cryptocurrency $C_2$ for a dense puzzle, see Fig. 7. The construction is straightforward: a new block can be added to the blockchain by someone who can efficiently compute a proof $\pi_i$ using some secret key or by someone who is computing a $\pi_i$ by performing computational work.

The properties of the composition are informally stated in the following (meta)-theorem; the proof of the theorem follows from the properties of PoWorK and is similar in spirit to the proof of Theorem 5. The formal statement and proof of the theorem (that should also include a formalization of all relevant underlying properties of cryptocurrencies, both in the puzzle-based and knowledge-based setting, e.g., in the sense of [GKL15]) is out of scope for the present exposition.


Let $(B_1, \ldots, B_n)$ be the current blockchain where $B_i$ is a tuple $(t_i, T_i, u_i, \pi_i)$, for $t_i, T_i, u_i$ defined as in Figure 5 and $\pi_i$ being a non-interactive PoWorK that demonstrates either the solution of the puzzle puz $= H(t_i, T_i)$ with hardness $h_i = \mathrm{HC}(t_1, \ldots, t_{i-1})$ or that $x_i \in \{x \mid \exists w : (x, w) \in \mathcal{R}\}$ where $x_i = \mathcal{K}(B_1, \ldots, B_{i-1}, t_i, T_i)$.

1. Collect transactions into a vector $T_{n+1}$.

2. If a secret-key $sk$ is available, perform steps 2-3 of Figure 6 and follow the PoK direction of PoWorK (cf. Figure 1), using $H(\cdot)$ to compute the challenge of the verifier.

3. Else, perform steps 2-3 of Figure 5 and follow the PoW direction of PoWorK (cf. Figure 1), using $H(\cdot)$ to compute the challenge of the verifier.

4. Broadcast $B_{n+1} = (t_{n+1}, T_{n+1}, u_{n+1}, \pi_{n+1})$.


Fig. 7. Miner operation in a PoWorK-based cryptocurrency parameterized by relation $\mathcal{R}$ and PuzSys = (Sample, Solve, Verify). The functions $\mathcal{K}(\cdot)$, $W_{sk}(\cdot)$ are as in Fig. 6 and the function $\mathrm{HC}(\cdot)$ is as in Fig. 5.


Theorem 6. (informally stated) The cryptocurrency $C$ of Fig. 7 is the composition of a knowledge-based cryptocurrency $C_1$ and a puzzle-based cryptocurrency $C_2$ so that (i) the population of miners of $C_1, C_2$ becomes a single set that is indistinguishable to any adversary that controls a subset of miners of $C$, (ii) the persistence property of $C$ is upheld as long as the conditions for persistence of $C_1, C_2$ hold in conjunction, (iii) the liveness property of $C$ is upheld as long as the conditions for liveness of $C_1, C_2$ hold in disjunction.

4.3 PoWorKs as 3-Move Straight-Line Concurrent Simulatable 
Arguments of Knowledge 

In this section, we present a theoretical application of PoWorKs. Namely, we show that any PoWorK protocol that satisfies a couple of reasonable assumptions implies straight-line concurrent $\lambda^{\mathrm{poly}(\log \lambda)}$-simulatable arguments of knowledge. Our application is described at length in our full version [BKZZ15]. Here, we provide the statement of our main result.

Theorem 7. Let $\mathcal{L}$ be a language in $\mathbf{NP}$ and let PuzSys be a puzzle system. Let $(\mathcal{P}, \mathcal{V})$ be a 3-move $f$-sound PoWorK for $\mathcal{L}$ and PuzSys with statistical indistinguishability such that for every hardness factor $h \in \mathcal{HS}_\lambda$, it holds that:

(i). $\Pr[\mathrm{puz} \leftarrow \mathrm{Sample}(1^\lambda, h) : f(\mathrm{Steps}_{\mathrm{Solve}}(1^\lambda, h, \mathrm{puz})) < \lambda^{\log \lambda}] = \mathrm{negl}(\lambda)$.

(ii). The worst-case running time of $\mathrm{Solve}(1^\lambda, h, \cdot)$ is $\lambda^{\mathrm{poly}(\log \lambda)}$ and $\mathcal{V}$ is a polynomial time algorithm that makes oracle calls to $\mathrm{Solve}(1^\lambda, h, \cdot)$.

Then, $(\mathcal{P}, \mathcal{V})$ is a 3-move straight-line concurrent statistically $\lambda^{\mathrm{poly}(\log \lambda)}$-simulatable argument of knowledge.

Remark. In practice, we can instantiate the dense puzzle with a DL function over a dense elliptic curve [BHKL13] (without the need of an extractor). This means that we can transform a 3-move proof/argument of knowledge to a concurrent one with minimal computational overhead - 1 exponentiation for the prover and 1 exponentiation for the verifier (cf. Fig. 1(a)). Note that a similar result in terms of rounds and with similar assumptions (i.e. DL) can be obtained via the efficient OR composition with an input-delayed $\Sigma$-protocol as recently observed in [CPS+16], however the resulting complexity overhead would be at least 3 exponentiations for the prover and 2 exponentiations for the verifier when the underlying Chameleon $\Sigma$-protocol is instantiated from Schnorr’s protocol.

Abstract. Lindell, Nissim, and Orlandi (ASIACRYPT 2013) studied 
feasibility and infeasibility of general two-party protocols that hide not 
only the contents of the inputs of parties, but also some sizes of the inputs 
and/or the output. In this paper, we extend their results to n-party 
protocols for n > 2, and prove that it is infeasible to securely compute 
every function while hiding two or more (input or output) sizes. Then, 
to circumvent the infeasibility, we naturally extend the communication 
model in a way that any adversary can learn neither the contents of 
the messages nor the numbers of bits exchanged among honest parties. 
We note that such “size-hiding” computation is never a trivial problem 
even by using our “size-hiding” channel, since size-hiding computation of 
some function remains infeasible as we show in the text. Then, as our 
main result, we give a necessary and sufficient condition for feasibility 
of size-hiding computation of an arbitrary function, in terms of which of 
the input and output sizes must be hidden from which of the n parties. 
In particular, it is now possible to let each input/output size be hidden 
from some parties, while the previous model only allows the size of at 
most one input to be hidden. Our results are based on a security model 
slightly stronger than the honest-but-curious model. 


Keywords: Secure multiparty computation • Size-hiding 


1 Introduction 

Secure multiparty computation (MPC) protocols enable parties to compute a 
function while hiding the contents of the inputs from each other. Goldreich, 
Micali, and Wigderson [GMW87] first constructed a general MPC protocol in the 
presence of semi-honest and malicious adversaries. Here, we say that a protocol 
is general when it can securely compute every efficient function. 

Most of the previous MPC protocols (implicitly) assume that the input sizes 
of parties may be revealed. However, the input sizes may be confidential in some 
settings. Let us consider the following situation: A police department has a list of 
suspected terrorists and each company has its customers’ list. The police wants 
to know the intersection of the lists without revealing any information. However, 
if we straightforwardly utilize the standard MPC, there is no guarantee that the 
number of terrorists (i.e., input size) will be protected against companies, and 
this might cause a serious problem since the number of terrorists is often sensitive 
information. We may also consider the case where the police wants to hide the 
number of terrorists in customers’ lists (i.e., output size) from companies. For 
resolving these issues, we require MPC that hides input and output sizes. This 
type of MPC is called size-hiding computation. 

Currently, several size-hiding protocols have been proposed [MRK03,IP07, ACT11,CV12], but these protocols can compute only specific functionalities such as set intersection, homomorphic evaluation for branching programs, and database commitments. In 2013, Lindell, Nissim, and Orlandi [LNO13] exhaustively investigated feasibility and infeasibility of general size-hiding two-party protocols. They showed that, when the output size is not hidden, every efficient function can be securely computed while hiding one size (i.e., the input size of one party). Furthermore, they also proved that there is an efficient function that cannot be securely computed while hiding two sizes (i.e., either the input sizes of both parties, or the input size of one party and the output size). Recently, Chase, Ostrovsky, and Visconti [COV15] further strengthened the feasibility result of Lindell et al. by constructing a general size-hiding two-party protocol in the presence of malicious adversaries while hiding the input size of one party. However, these existing works investigated only the two-party setting, and therefore, feasibility and infeasibility of size-hiding n-party computation for n > 2 are still not clear.

1.1 Our Results 

In this paper, we study general size-hiding n(> 2)-party protocols in the presence 
of static and semi-honest adversaries corrupting up to n — 1 of the n parties. For 
a technical reason, our semi-honest model is slightly stronger than the standard 
honest-but-curious model. (See the last paragraph in this Section and Appendix.) 
To clarify our results, we classify size-hiding computations as size-hiding classes 
according to which of the input sizes and the output size must be hidden from 
which of the n parties. We note that, as in the previous work on two-party 
cases, we assume that every party wants to compute a common function. To 
study generalized settings is a future research plan. 

Our results in the secure channel model. We extend the two-party results [LNO13] into multiparty settings in the secure channel model, in which an adversary cannot learn the contents of messages exchanged among honest parties, but may learn the number of bits of the messages. In the multiparty setting, the inputs and the output sizes can be hidden from a subset$^{1}$ of parties. See Table 1 (part corresponding to secure channel) for a summary. As the feasibility 

1 An input or the output size cannot be hidden from all parties because an input size 
is known to the holding party and we assume that at least one party obtains the 
output value. 
results, when at most one input size is hidden from some parties, every efficient function can be securely computed (Lemma 3). The computation is also possible when the output size is hidden from some parties but then the input sizes are not hidden. On the other hand, when two or more sizes are hidden from some parties, there exists a function that cannot be securely computed (Lemmas 4 and 5).


Table 1. Our results (Sects. 4 and 5)

o Secure channel model

                # of hidden input sizes    Output size    Feasible?
  Lemma 3       $\le 1$                    known          yes
  Lemma 4       $\ge 2$                    known          no
  (Trivial)     0                          hidden         yes
  Lemma 5       $\ge 1$                    hidden         no

o Strong secure channel model

                Condition for hidden sizes    Output size    Feasible?
  Lemma 6       (A)                           known          yes
  Lemma 7       $\neg$(A)                     known          no
  Lemma 8       (B)                           hidden         yes
  Lemma 9       $\neg$(B)                     hidden         no


(A) When all parties may learn the output size; for every pair 
of parties Pi and Pj, there is a party P k (possibly P k = Pi or 
P k = Pj ) who may learn both input sizes of Pi and Pj. (B) 
When some parties must not learn the output size; for every 
party Pi who must not learn the output size, Pi may learn all 
the input sizes, and some other party may learn the input size 
of Pi and the output size. 


For example, if two of n parties must hide their input sizes from each other, 
then a general size-hiding protocol is infeasible even when the other n - 2 parties 
can support the computation. Our result assumes the existence of threshold fully 
homomorphic encryption (threshold FHE), which is, for example, derived by 
combining MPC with ordinary FHE; see Appendix A of [LNO13]. The above 
result shows that almost all sizes of inputs and the output must be revealed in 
the standard setting of MPC. 

940 K. Shinagawa et al. 

Our results in the strong secure channel model. In order to circumvent the 
aforementioned infeasibility, we introduce a new communication model, a strong 
secure channel model, such that an adversary cannot learn even the number 
of bits exchanged among honest parties. We note that this model is justified 
by steganographic techniques [Cachin04,HAL09], i.e., if communications are 
hidden from other parties using steganography, an adversary cannot learn the 
number of communication bits between uncorrupted parties. Moreover, secure 
steganography is implied by one-way functions; thus, our new model inherently 
requires no additional assumption. (However, it should also be noted that a 
straightforward implementation of steganography requires large computational 
and communication cost.) 

We show that the feasibility of size-hiding computations is dramatically 
improved in the strong secure channel model. See Table 1 (part corresponding 
to strong secure channel) for a summary of our main result. We prove that, in 
the strong secure channel model, a general size-hiding protocol exists if either 
condition (A) holds when the output size is known to all parties (Lemma 6) 
or condition (B) holds when the output size is hidden from some parties 
(Lemma 8). (Unlike our results in the secure channel model, these conditions 
depend on what sizes a party may learn.) We also prove the reverse direction, 
i.e., there is a function that cannot be securely computed if a given size-hiding 
class does not satisfy the conditions above (Lemmas 7 and 9). Therefore, these 
conditions are necessary and sufficient for a general size-hiding protocol. 

Surprisingly, in contrast to the standard secure channel model, we show that 
each input/output size can be hidden from some parties, while the previous 
model only allows the size of at most one input to be hidden. For example, let us 
consider the case of three parties where P_1 hides |x_1| from P_2 (but not P_3), P_2 
hides |x_2| from P_3 (but not P_1), and P_3 hides |x_3| from P_1 (but not P_2), where 
|x_i| denotes the size of the input of P_i. Now the number of hidden sizes (three) 
is beyond the limitation in the previous model mentioned above, but our new 
model allows computation of a general function even in this case. By generalizing 
this observation, we see that there are concrete cases where it is possible to hide 
all input and output sizes for any n > 2. 

The honest-but-randomness-controlling model. In the two-party setting, 
[LNO13] classified size-hiding classes in terms of feasibility in the honest-but- 
curious (HBC) model. Recently, [LNO13] (uploaded on the IACR ePrint Archive 
on 01-Apr-2016) revised that some of their infeasibility results in fact 
hold in the honest-but-deterministic (HBD) model, proposed by Hubacek and 
Wichs [HW15], rather than the HBC model. In light of the revision, we also 
have to modify the model, since some of our results are based on the results 
in [LNO13]. However, there is an issue that the HBD model is likely to be 
incomparable with the HBC model. Alternatively, we introduce a new model, 
the honest-but-randomness-controlling (HBRC) model, where an adversary can 
use any string as its random tape. We believe that the HBRC model is 
a reasonable security model for the following reasons. First, the HBRC model is 
stronger than the HBC model, i.e., security in the HBRC model implies 
security in the HBC model (see Appendix). Moreover, almost all of the previous 
standard protocols in the HBC model are also secure in the HBRC model. In 
particular, all (in)feasibility results in the two-party setting [LNO13] still hold in 
the HBRC model by an easy observation. We leave it as an open problem to give 
a complete feasibility characterization of both two-party and multiparty settings 
in the HBC model. 


1.2 Our New Techniques 

In this section, we clarify the most technical part of size-hiding multiparty com- 
putations, and introduce the basic idea for our main results (Sect. 5). 

First, we recall the general two-party computation [LNO13]. In their proto- 
cols, at least one of the parties always learns all sizes (i.e., the input size of the 
other party and the output size). This party can correctly compute any function 
of inputs x_1 and x_2 by using FHE. However, in the multiparty setting, we cannot 
assume the existence of such a party who may learn all sizes, since otherwise 
almost all input sizes could not be protected. 

To circumvent the above problem, we develop new techniques which guar- 
antee the computation of the correct output even in the situation where no 
party knows all of the sizes. Our techniques are based on a novel way to use a thresh- 
old FHE, and we consider this the main non-trivial part of this work. More 
specifically, we propose two independent techniques which handle the following 
two different cases: (1) all parties may learn the output size, and (2) some par- 
ties must not learn the output size. In the rest of this subsection, we explain 
them in more detail. 

(1) The case of public output size. Suppose that parties wish to compute 
a function while hiding some input sizes, but do not need to hide the output 
size. In addition, we assume that for every pair of parties P_i and P_j, at least one 
of the n parties (including P_i and P_j) may learn both input sizes of P_i and P_j. In 
this setting, we call the party who has a longest input a server, and the other 
parties clients. In the protocol, all parties behave in the same way as the server, 
since nobody (even the server itself) knows who the server is. We overview the 
protocol and show the idea behind it as follows. 

First, all parties invoke a threshold key generation protocol of FHE. Next, 
each pair of parties P_i and P_j exchange ciphertexts of their inputs with the 
support of P_k, who may learn both |x_i| and |x_j|, as follows. Without loss of 
generality, we can assume |x_i| ≥ |x_j|. First, P_i and P_j send ciphertexts 
c_i = Enc_pk(1||x_i) and c_j = Enc_pk(1||x_j) to the party P_k, respectively. Then, 
P_k computes a ciphertext c'_(i,j) = Enc_pk(0^{|x_i|-|x_j|}) || c_j and a ciphertext of 
zeroes c'_(j,i) = Enc_pk(0^{|x_j|+1}), and sends c'_(i,j) to P_i and c'_(j,i) to P_j, 
respectively. We call the former ciphertext a valid ciphertext, and the latter 
all-zero ciphertext a dummy ciphertext. Note that nobody except P_k knows 
whether a ciphertext is the valid one or the dummy one, due to the security of 
FHE. Next, parties attempt to obtain the output value using homomorphic 
computation. However, a party cannot estimate the output size since he/she 
does not know all of the input sizes. Thus, a circuit which computes the output 
value cannot be constructed (the number of output wires is unknown). To avoid 
the problem, parties first obtain the output size and then compute the desired 
function as follows. Each party P_i constructs a circuit that takes x'_1, ..., x'_n 
(x'_j is either 0^{|x_i|-|x_j|} || 1 || x_j or 0^{|x_i|+1}) as inputs, and if one of the 
inputs is all-zero, then outputs an all-zero string; otherwise, it outputs a 
representation of the size |f(x)| of the function value of appropriate length. 
(For example, (log κ)^2 bits, where κ is the security parameter, can be used since 
it must hold that |f(x)| < 2^{(log κ)^2} for sufficiently large κ. See also the 
discussion at the end of Sect. 4.2.) Each party P_i computes a ciphertext c_i^size 
by homomorphic evaluation of the circuit from the ciphertexts 
c'_(i,1), ..., c'_(i,n). Then, each party P_i sends c_i^size to all parties. Each party 
computes c^size by homomorphic evaluation of a max function from 
c_1^size, ..., c_n^size. The underlying message of c^size is the output size, since one of 
the parties (specifically, the server) correctly computed the encrypted output 
size. All parties invoke the threshold decryption protocol for the ciphertext 
c^size and obtain the output size. Now we have the output size and thus can 
construct the circuit that computes the function. In a similar way, all parties 
can compute c^out, from which the output value is decrypted. The full 
description appears in Protocol 2 (Sect. 5.3). 

(2) The case of private output size. Suppose that parties wish to compute 
a function while hiding some input sizes, and some parties must not learn the 
output size. In this setting, we call the parties who must not learn the output size 
servers, and the other parties clients. In addition, we assume that every server 
may learn all input sizes of the parties, and each server may tell its input size to 
some client (we call such a client a partner). We overview the protocol and show 
the idea behind it as follows. 

First, all clients execute a threshold key generation protocol of FHE. The 
reason why servers are not involved in the threshold key generation is that 
the clients need to be able to decrypt an output ciphertext (whose plaintext 
length is related to the output size) without the servers. Then, every party computes 
secret shares of its own input (the number of shares is the number of servers), 
and sends a ciphertext of a share to each server. All servers securely compute 
ciphertexts c^size, whose message is the output size, and c^out, whose message is 
the output, over the FHE. Here, the plaintext of the ciphertext c^out is padded with 
zeroes up to L bits, where L is an upper bound of the output size. Note that 
for every polynomial-time computable function f, there exists a polynomial p(·) 
such that |f(x'_1, ..., x'_n)| ≤ p(max(|x'_1|, ..., |x'_n|)) for all x'_i ∈ {0,1}^*. Thus, 
a server can compute the bound L = p(max(|x_1|, ..., |x_n|)), since every server 
knows all input sizes. Next, one server attempts to send c^size and c^out to all clients, 
but the length of c^out is related to p(max(|x_1|, ..., |x_n|)) and it may reveal the 
maximum input size (possibly a private size) to clients. To avoid this, for each 
client, the server sends a ciphertext whose length only depends on sizes which 
the client may learn. Let σ_i be the maximum size which P_i may learn. The 
server sends the truncated ciphertext c^out of length p(σ_i) to P_i. If a server has 
the longest input, then its partner learns the maximum input size. Otherwise, it 
is trivial that there is a client who learns the maximum input size. In any case, 
at least one of the clients has the ciphertext c^out which is not truncated. Then, 
all clients collaboratively decrypt c^size and obtain the output size ℓ. Finally, all 
clients decrypt the ℓ-bit ciphertexts of c^out and obtain the output value. The full 
description appears in Protocol 3 (Sect. 5.5). 
1.3 Related Works 

As earlier results relevant to size-hiding computation, Micali, Rabin, and Kil- 
ian [MRK03] provided a zero-knowledge set, which is a commitment to a set S 
that also hides the cardinality of S, where the committer can prove x ∈ S or 
x ∉ S for any string x. Ishai and Paskin [IP07] constructed a public key encryp- 
tion scheme that can evaluate any branching program in such a way that the 
size of the program is hidden. These works concentrated on efficient realization 
of specific functionalities, while our work aims at clarifying the (in)feasibility of 
general size-hiding computation depending on a given size-hiding class. On the 
other hand, Chase and Visconti [CV12] showed the first size-hiding protocol in 
the presence of malicious adversaries for a specific task, secure database com- 
mitments. Chase, Ostrovsky and Visconti [COV15] strengthened the feasibility 
results of [CV12,LNO13] by constructing a general size-hiding two-party proto- 
col in the presence of malicious adversaries while hiding the input size of one party. 
In contrast, we only consider honest-but-randomness-controlling adversaries 
in this paper. We leave constructions of size-hiding MPC protocols against mali- 
cious adversaries as future work. 

2 Preliminaries 

We review the basic notations and the definition of threshold FHE. 


2.1 Basic Notations 

Throughout this paper, we use the following notations: “N” denotes the set 
of natural numbers, i.e., N = {1, 2, 3, ...}. “log x” denotes the logarithm of 
x with base two, i.e., log_2 x. “x||y” denotes the concatenation of x and 
y. “|x|” denotes the bit length of x. “∅” denotes the empty set. If S is a 
finite set, then “x ← S” denotes that x is chosen uniformly at random 
from S. If v is a vector, “v[i]” denotes the i-th element of the vector. If 
m = m_1 m_2 ··· m_ℓ ∈ {0,1}^ℓ is a plaintext and Enc_pk is an encryption algo- 
rithm for 1-bit messages, “c = Enc_pk(m)” denotes a vector of ℓ ciphertexts 
(c_1, c_2, ..., c_ℓ), where c_i is a ciphertext c_i = Enc_pk(m_i). If I = {i_1, ..., i_t} is 
a subset of N, “x_I” denotes the set x_I = {x_{i_1}, ..., x_{i_t}}. If I = (i_1, ..., i_t) is an 
element of N^t, “x_I” denotes the vector x_I = (x_{i_1}, ..., x_{i_t}). If Φ = {Φ(x, κ)}_{x,κ} 
and Ψ = {Ψ(x, κ)}_{x,κ} are probability distributions indexed by κ ∈ N and 
x ∈ X_κ, where X_κ is an auxiliary parameter set indexed by κ, then we say 
that Φ and Ψ are computationally indistinguishable, denoted by “Φ ≡_c Ψ”, if for 
every non-uniform probabilistic polynomial-time (PPT) algorithm D and every 
(positive) polynomial p, there exists a number κ_0 ∈ N with the property that 
|Pr[D(Φ(x, κ)) = 1] − Pr[D(Ψ(x, κ)) = 1]| < 1/p(κ) for any κ ∈ N with κ ≥ κ_0 
and any x ∈ X_κ. 
2.2 Threshold Fully Homomorphic Encryption 

We present a definition of threshold FHE. Asharov et al. [AJL+12] constructed 
an efficient threshold FHE scheme from the learning with errors assumption, 
whose threshold key generation and threshold decryption protocols have only 
one round. In general, the threshold version of FHE is implied by an ordinary 
FHE scheme [LNO13]. 

Definition 1 (Threshold FHE). We say that a tuple of protocols and algo- 
rithms (ThrGen, Enc, Eval, ThrDec) is a threshold FHE scheme if (Gen, Enc, Dec) 
is a public-key encryption scheme with message space {0,1} that is secure under 
chosen-plaintext attacks, and the protocols ThrGen and ThrDec with parties 
P_1, ..., P_n realize the following functionalities and satisfy the following conditions: 

Threshold Key Generation: The functionality of ThrGen takes the security 
parameter 1^κ from P_1, ..., P_n, computes (pk, sk) ← Gen(1^κ) and chooses 
uniformly random values sk_1, ..., sk_{n-1} ∈ {0,1}^{|sk|}. Then, the functionality 
outputs (pk, sk_i) to each P_i (i = 1, ..., n), where sk_n = sk_1 ⊕ ··· ⊕ sk_{n-1} ⊕ sk. 
Threshold Decryption: For a subset I ⊆ {1, ..., n}, the functionality of 
ThrDec_I takes the security parameter 1^κ, a ciphertext c and shares of the secret 
key sk_1, ..., sk_n from P_1, ..., P_n, computes m = Dec_{sk_1 ⊕ ··· ⊕ sk_n}(c), and 
outputs m to each P_i (i ∈ I). If I = {1, ..., n}, we omit the index I. 
Correctness: For every polynomial-size circuit C that takes n inputs, and all 
inputs m_1, ..., m_n ∈ {0,1} of the circuit: 

$$\Pr[\mathsf{Dec}_{sk}(\mathsf{Eval}_{pk}(C, \mathsf{Enc}_{pk}(m_1), \dots, \mathsf{Enc}_{pk}(m_n))) = C(m_1, \dots, m_n)] = 1,$$ 

where the probability is taken over the random coins of all the algorithms 
(Gen, Enc, Eval, Dec). 
Security of the Threshold Key Generation: There exists a PPT S_ThrGen 
such that for every I ⊆ {1, ..., n}, the view in a real execution of ThrGen 
with security parameter κ is computationally indistinguishable from the output 
of S_ThrGen with inputs I, 1^κ and the keys obtained by P_i (i ∈ I). 
Security of the Threshold Decryption: There exists a PPT S_ThrDec such 
that for every I ⊆ {1, ..., n}, the view in a real execution of ThrDec with 
security parameter κ is computationally indistinguishable from the output of 
S_ThrDec with inputs the subset I, the keys, the ciphertext and the decrypted value. 

3 Size-Hiding Computation 

In this section, we first give a definition of size-hiding classes and provide their 
graphical representations in Sect. 3.1. Second, as an extension of [LNO13] to n- 
party settings, we give definitions of polynomial-time protocols and the security 
of size-hiding protocols in Sect. 3.2. Next, for later reference, we review the pre- 
vious two-party results [LNO13] using our graphical representation in Sect. 3.3. 
Finally, in Sect. 3.4 we introduce tools for proving lemmas in the later sections, 
protocol compilers, that derive a size-hiding protocol from another protocol. 

3.1 Classes of Size-Hiding 

We provide a definition of a class of size-hiding that specifies what sizes a party 
may learn in an execution of a protocol. A size-hiding class can be represented 
by (G, v), where G is a directed graph which specifies how input sizes are hidden 
(more precisely, which input size may be known to which party), and v is a vector 
which specifies how the output size may be known to each party. A directed graph 
G with n vertices is called an input size graph with n vertices, a vector v with 
n elements is called an output size vector with n elements, and a tuple (G, v) is 
called a size-hiding class with n parties. 

An input size graph with n vertices has a set of vertices V(G) = {1, 2, ..., n} 
and a set of edges E(G). Each vertex i ∈ V(G) corresponds to the party P_i. If 
there is an edge (j, i) ∈ E(G) directed from j to i, the party P_i may learn 
|x_j|, which is the input size of x_j of P_j in a protocol execution. If there is no edge 
(j, i), the party P_i must not learn any partial information of |x_j| except trivial 
information which can be computed from other information that P_i obtained 
legally. From now on, we assume that any input size graph with n vertices has 
edges (1, 1), (2, 2), ..., (n, n) since P_i always knows its own input size |x_i|. 

An output size vector with n elements is a member of {⊥, |f|, f}^n, where ⊥, |f| 
and f are symbols that represent how to receive the output information. The i-th 
element v[i] specifies how P_i receives the output information. If v[i] = ⊥, the 
party P_i must not receive any partial information of the output f(x) (except 
trivial information which can be computed efficiently). If v[i] = |f|, the party 
P_i may learn the output size |f(x)| but must not receive f(x) beyond the size 
information |f(x)| (except trivial information). If v[i] = f, the party P_i must 
learn f(x). From now on, we assume that any output size vector v contains at 
least one f since if there is no f in v, nobody obtains the output f(x) even though 
the protocol aims at computing the function f. 



Fig. 1. Graphical representation of parties (forbidden party P_1, size-only party P_2, full-output party P_3) 


We provide a graphical representation of a size-hiding class (G, v). We use a 
circle to denote a vertex of G, and an arrow i → j to denote an edge (i, j) ∈ 
E(G). For simplicity, we omit arrows 1 → 1, 2 → 2, ..., n → n since the edges 
(1, 1), (2, 2), ..., (n, n) ∈ E(G) always exist. We also use three types of circles to 
denote the output size vector v as follows. For a vertex i, we use a double circle 
to denote v[i] = f, a normal circle to denote v[i] = |f|, and a forbidden circle to 
denote v[i] = ⊥; see Fig. 1. 

Figure 2 is an example of a size-hiding class (G, v) as follows: The input 
size graph with 3 vertices G has a set of vertices V(G) = {1, 2, 3} and a set 
of edges E(G) = {(1, 2), (2, 3), (1, 3), (1, 1), (2, 2), (3, 3)}. The output size vector 
with 3 elements is a vector v = (f, |f|, ⊥). The size-hiding class (G, v) means the 
following: The party P_1 may learn |x_1|, must learn f(x), and must not learn |x_2| 
nor |x_3|. The party P_2 may learn |x_1|, |x_2| and |f(x)|, and must not learn |x_3| 
nor f(x). The party P_3 may learn |x_1|, |x_2|, and must not learn |f(x)|. 

Fig. 2. Example of a size-hiding class 
Throughout this paper, we use the following terminology. 

Public size is a size which all parties may learn. Formally, we say that an input 
size |x_i| is public if there are edges (i, 1), (i, 2), ..., (i, n) ∈ E(G), and the 
output size is public if the output size vector v is an element of {|f|, f}^n. 
Private size is a size which some parties must not learn. Formally, we say 
that an input size |x_i| is private if there is a vertex j ∈ V(G) such that 
(i, j) ∉ E(G), and the output size is private if there is an index i such that 
v[i] = ⊥. 

Forbidden party is a party who must not learn the output size. “I_⊥” denotes 
all indices of the forbidden parties, i.e., I_⊥ = {i | v[i] = ⊥} ⊆ {1, ..., n}. 
Size-only party is a party who may learn the output size but must not learn 
the exact output value. “I_{|f|}” denotes all indices of size-only parties, i.e., 
I_{|f|} = {i | v[i] = |f|} ⊆ {1, ..., n}. 

Full-output party is a party who must learn the output. “I_f” denotes all indices 
of full-output parties, i.e., I_f = {i | v[i] = f} ⊆ {1, ..., n}. 

Permitted party is a party who may learn the output size. “I_p” denotes all 
indices of permitted parties, i.e., I_p = I_{|f|} ∪ I_f. It holds that I_⊥ ∪ I_p = I_⊥ ∪ I_{|f|} ∪ I_f = 
{1, ..., n}. 

3.2 Basic Notions for Size-Hiding Multiparty Protocols 

Our definitions of notions for size-hiding n-party protocols follow the two-party 
version of [LNO13]. Let (G, v) be a size-hiding class with n parties, and let 
f be an n-ary polynomial-time computable function f : ({0,1}^*)^n → {0,1}^*. 
Let π be an n-party protocol with parties P_1, ..., P_n, and let κ ∈ N be a 
security parameter of π. Each party P_i has an input x_i ∈ {0,1}^*, which may 
be polynomially unbounded. We denote by TIME_{P_i}(x, κ) the running time of 
P_i in π for the inputs x = (x_1, ..., x_n). We denote by OUTPUT_i^{(G,v,f)}(x) 
the output of P_i specified by (G, v), e.g., for the example of Fig. 2, we have 
that OUTPUT_1^{(G,v,f)}(x) = (f(x)), OUTPUT_2^{(G,v,f)}(x) = (1^{|f(x)|}, 1^{|x_1|}) and 
OUTPUT_3^{(G,v,f)}(x) = (1^{|x_1|}, 1^{|x_2|}). Now we are ready to define a polynomial- 
time protocol for (G, v, f). 

Definition 2 (Polynomial-time protocol). Let (G, v) be a size-hiding class 
with n parties, let f be an n-ary function, and let π be an n-party protocol. We 
say that π is a polynomial-time protocol for (G, v, f) if there exists a polynomial 
p(·) such that for every κ ∈ N, every x ∈ ({0,1}^*)^n and every i ∈ {1, ..., n}, 

$$\mathrm{TIME}_{P_i}(x, \kappa) \le p(|x_i| + |\mathrm{OUTPUT}_i^{(G,v,f)}(x)| + \kappa).$$ 

Next, we define the security of protocols against honest-but-randomness- 
controlling (HBRC) adversaries in the secure channel model (see Sect. 1.1 and 
the Appendix for details of the HBRC model). In the HBRC model, a simulator 
must simulate a transcript on given random tapes which are produced by a 
randomness producer. It is a PPT algorithm that chooses the corrupted parties’ 
random tapes. Formally, we say that a PPT R is a randomness producer if 
R(1^κ, I) outputs a vector of strings r_I = (r_{i_1}, ..., r_{i_t}) ∈ ({0,1}^*)^{|I|} for all 
I = {i_1, ..., i_t} ⊆ {1, ..., n}. 

We denote by MSIZE_π(x) the number of all bits exchanged among 
P_1, ..., P_n in an execution of π with inputs x, expressed in unary 
such as 1^m. The view of the party P_i during an execution of π with inputs x is 
defined as view_i^π(x) = (r_i, m_{i,1}, ..., m_{i,t}), where r_i is his internal coin tosses 
and m_{i,j} is the j-th message that was received by P_i in the protocol execution. 
We also use view_i^π(x)|_{r_i} = (r_i, m_{i,1}, ..., m_{i,t}) to denote view_i^π(x) on given 
randomness r_i. Here, if the length of r_i is shorter than the length of its internal 
randomness, its internal randomness is r_i || 0^k for an appropriate k ∈ N. 

Definition 3 (Security in the secure channel model). Let (G, v) be a size- 
hiding class with n parties, let f be an n-ary function, and let π be a polynomial- 
time protocol for (G, v, f). We say that π correctly computes (G, v, f) if for every 
κ ∈ N and every x ∈ ({0,1}^*)^n, all full-output parties output f(x) at the end 
of the execution of π with the input x and security parameter κ. We say that π 
realizes (G, v, f) in the secure channel model if π correctly computes (G, v, f) 
and for every randomness producer R, there exists a PPT S such that for every 
I ⊆ {1, ..., n} and all polynomials q_1, ..., q_n, 

$$\{ S(1^\kappa, I, x_I, \mathrm{OUTPUT}_I^{(G,v,f)}(x), r_I \leftarrow R(1^\kappa, I)) \}_\kappa \equiv_c \{ (\mathrm{view}_I^\pi(x)|_{r_I}, \mathrm{MSIZE}_\pi(x)) \}_\kappa$$ 

where x_1 ∈ {0,1}^{q_1(κ)}, ..., x_n ∈ {0,1}^{q_n(κ)}. 

In this paper, we focus on which size-hiding class has a general protocol. For 
a size-hiding class (G, v), we say that (G, v) is feasible if for every polynomial- 
time computable function f, there exists a protocol π that realizes (G, v, f) in 
the secure channel model. On the other hand, we say that (G, v) is infeasible if 
it is not feasible. 


3.3 Overview of the Two-Party Results 

We overview the results in the two-party setting shown by Lindell, Nissim and 
Orlandi [LNO13] using our graphical representation. Later, we use them in order 
to prove infeasibility results in multiparty settings. We note that their original 
paper shows their feasibility and infeasibility against honest-but-curious adversaries. 
However, very recently, they (implicitly) revised that the infeasibility of class 
1.d in fact holds against honest-but-randomness-controlling (HBRC) adversaries² 
rather than honest-but-curious adversaries. Since all of their protocols 
can be easily modified to the HBRC setting, the following results are based on 
the HBRC model. 

They defined three classes of size-hiding: (class 0) the input sizes of both 
parties are revealed, (class 1) the input size of one party is revealed and the 
other is hidden, (class 2) the input sizes of both parties are hidden. In addition, 
they define five subclasses of class 1, and three subclasses of class 2. 



Fig. 3. Graphical representations of subclasses in the two-party setting (classes 0, 1.a, 1.b, 1.c, 1.d, 1.e, 2.a, 2.b, 2.c) 


Let (G_0, v_0), (G_{1.a}, v_{1.a}), ..., (G_{2.c}, v_{2.c}) be size-hiding classes 0, 1.a, ..., 2.c 
in Fig. 3, respectively. They (implicitly) showed that size-hiding classes (G_0, v_0), 
(G_{1.a}, v_{1.a}), (G_{1.c}, v_{1.c}) and (G_{1.e}, v_{1.e}) are feasible while the other classes are 
infeasible in the HBRC model. Later in this paper, we use the following results. 

- There is a two-ary function f such that the functionality (G_{1.b}, v_{1.b}, f) cannot 
be realized. An example of the f is the oblivious transfer; see Sect. 4.3. 

- There is a two-ary function f such that the functionality (G_{1.d}, v_{1.d}, f) cannot 
be realized. An example of the f is an oblivious multi-input pseudorandom 
function evaluation omprf introduced in [LNO13]. 

- There is a two-ary function f with constant output length such that the func- 
tionality (G_{2.a}, v_{2.a}, f) cannot be realized. An example of the f is the binary 
inner product {0,1}^* × {0,1}^* → {0,1}; see [LNO13]. 


3.4 Tools for Infeasibility — Protocol Compilers 

Here we introduce auxiliary algorithms used in the proofs of our infeasibility 
results, which we call protocol compilers. Namely, to give a proof by contradiction, 
we start with an n-party protocol for a given size-hiding class whose 
existence is assumed, and convert it by the protocol compilers into a two-party 
size-hiding protocol for some size-hiding class, where the existence of the latter 
protocol has been denied by the result of [LNO13]. Below we give two kinds of 
protocol compilers, which we call a reduction compiler and a wrapping compiler. 

² Their original revision states that it holds against HBD adversaries. But it also holds 
in the HBRC model. 
Reduction Compiler. A reduction compiler takes as inputs an MPC protocol π 
with P_1, ..., P_n and two subsets I_1, I_2 that form a partition of {1, ..., n}, and 
outputs a two-party protocol π' with P'_1 and P'_2, where P'_i (i ∈ {1, 2}) behaves 
in the same way as {P_j}_{j ∈ I_i}. More concretely, if P_i computes/sends/receives 
messages in π, then P'_j (i ∈ I_j) behaves in the same way as P_i. At the end of the 
compiled protocol, if P_i outputs f(x) in π, then P'_j (i ∈ I_j) outputs f(x) in π'. 
The reason why we call it a “reduction” compiler is that it reduces the number 
of parties, and we use it in a reduction to prove infeasibility results. 

Lemma 1. Let f' be a two-ary function, let f be an n-ary function such that 
f(x_1, x_2, ..., x_n) = f'(x_1, x_2), let (G, v, f) be a functionality for n parties, and 
let π be a protocol that realizes (G, v, f). Let I_1 and I_2 be non-empty subsets of 
{1, ..., n} such that 1 ∈ I_1, 2 ∈ I_2, I_1 ∩ I_2 = ∅ and I_1 ∪ I_2 = {1, 2, ..., n}. Then there 
exists a protocol π' that realizes a functionality (G', v', f') as follows: 

- The party P'_1 has the same input x_1 of P_1, and the party P'_2 has the same 
input x_2 of P_2. 

- The input size graph with two parties G' has a set of edges E(G') as follows. 
The edge (1, 2) exists in E(G') if and only if an edge (1, i) exists in E(G) such 
that i ∈ I_2. Similarly, the edge (2, 1) exists in E(G') if and only if an edge 
(2, i) exists in E(G) such that i ∈ I_1. 

- v' is an output size vector with two elements such that v'[i] = max_{j ∈ I_i} (v[j]), 
for the order ⊥ < |f| < f. 

Proof. Based on a simulator S of the protocol π, we construct a simulator S' of 
the protocol π'. By symmetry, it suffices to show the simulator when P'_1 is 
corrupted. Given 1^κ, I' = {1}, the input x_1, the output f'(x_1, x_2) if there is a 
full-output party P_i (i ∈ I_1), and a random tape r_1 produced by a randomness 
producer, S' invokes S on the same inputs except I_1 instead of I'. Since the 
simulator S' works correctly, the protocol π' securely computes (G', v', f'). □ 
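As an added example (code written here, not the paper's), the following Python checker encodes a size-hiding class (G, v) with the terminology of Sect. 3.1, decides feasibility according to Table 1 (Lemmas 3-9) and computes the two-party class (G', v') of Lemma 1. The three-party classes at the end are the class of Fig. 2 and two classes constructed here for the cases discussed in Sect. 1.1.

```python
# Added example (not from the paper): a checker for size-hiding classes (G, v)
# as defined in Sect. 3.1, the feasibility summary of Table 1, and the class
# (G', v') produced by the reduction compiler of Lemma 1. Parties are 1..n.
from itertools import combinations

# Output-size symbols of the paper: bottom (forbidden), |f| (size-only), f (full).
BOT, SIZE, FULL = "bot", "|f|", "f"
RANK = {BOT: 0, SIZE: 1, FULL: 2}   # the order bottom < |f| < f used in Lemma 1


class SizeHidingClass:
    """(G, v): G is an input size graph on {1, ..., n}, v an output size vector.
    An edge (j, i) in E(G) means that P_i may learn |x_j|."""

    def __init__(self, n, edges, v):
        assert n == len(v) and all(s in RANK for s in v)
        assert FULL in v, "at least one party must obtain the output"
        self.n = n
        self.parties = range(1, n + 1)
        # P_i always knows its own input size, so the self-loops are implicit.
        self.edges = set(edges) | {(i, i) for i in self.parties}
        self.v = tuple(v)

    def may_learn(self, i, j):
        """True iff P_i may learn |x_j|, i.e. (j, i) is an edge of G."""
        return (j, i) in self.edges

    def private_input_sizes(self):
        """Indices j such that some party must not learn |x_j|."""
        return [j for j in self.parties
                if any(not self.may_learn(i, j) for i in self.parties)]

    def forbidden_parties(self):        # I_bottom
        return [i for i in self.parties if self.v[i - 1] == BOT]

    def permitted_parties(self):        # I_p = I_|f| union I_f
        return [i for i in self.parties if self.v[i - 1] != BOT]

    def output_size_private(self):
        return bool(self.forbidden_parties())

    # Table 1, secure channel model: Lemmas 3-5 and the trivial case.
    def feasible_secure_channel(self):
        hidden = len(self.private_input_sizes())
        if not self.output_size_private():
            return hidden <= 1          # Lemma 3: yes; Lemma 4 (>= 2): no
        return hidden == 0              # trivial: yes; Lemma 5 (>= 1): no

    # Table 1, strong secure channel model: conditions (A) and (B), Lemmas 6-9.
    def condition_a(self):
        """(A): output size public, and for every pair P_i, P_j some party P_k
        (possibly P_i or P_j itself) may learn both |x_i| and |x_j|."""
        if self.output_size_private():
            return False
        return all(any(self.may_learn(k, i) and self.may_learn(k, j)
                       for k in self.parties)
                   for i, j in combinations(self.parties, 2))

    def condition_b(self):
        """(B): output size private; every forbidden P_i may learn all input
        sizes, and some other party that may learn the output size may learn |x_i|."""
        if not self.output_size_private():
            return False
        for i in self.forbidden_parties():
            if not all(self.may_learn(i, j) for j in self.parties):
                return False
            if not any(self.may_learn(k, i)
                       for k in self.permitted_parties() if k != i):
                return False
        return True

    def feasible_strong_secure_channel(self):
        return self.condition_a() or self.condition_b()

    # Lemma 1: the two-party class produced by the reduction compiler.
    def reduce(self, i1, i2):
        """Merge the parties in i1 into P'_1 and those in i2 into P'_2; requires
        1 in i1, 2 in i2 and {i1, i2} a partition of {1, ..., n}."""
        i1, i2 = set(i1), set(i2)
        assert 1 in i1 and 2 in i2 and not (i1 & i2) and i1 | i2 == set(self.parties)
        edges = set()
        if any((1, i) in self.edges for i in i2):   # some P_i in I_2 learns |x_1|
            edges.add((1, 2))
        if any((2, i) in self.edges for i in i1):   # some P_i in I_1 learns |x_2|
            edges.add((2, 1))
        v = tuple(max((self.v[j - 1] for j in part), key=RANK.get) for part in (i1, i2))
        return SizeHidingClass(2, edges, v)


# The class of Fig. 2, and two classes constructed here for the cases of Sect. 1.1.
FIG2 = SizeHidingClass(3, {(1, 2), (2, 3), (1, 3)}, (FULL, SIZE, BOT))
# P_1 hides |x_1| from P_2 only, P_2 from P_3 only, P_3 from P_1 only; output public.
CYCLE = SizeHidingClass(3, {(1, 3), (2, 1), (3, 2)}, (FULL, FULL, FULL))
# Every input size and the output size is private, yet (B) holds (P_3 is the server).
ALL_HIDDEN = SizeHidingClass(3, {(1, 3), (2, 3), (3, 1)}, (FULL, FULL, BOT))

if __name__ == "__main__":
    for name, c in (("Fig. 2", FIG2), ("cycle", CYCLE), ("all hidden", ALL_HIDDEN)):
        print(name, "private:", c.private_input_sizes(),
              "secure:", c.feasible_secure_channel(),
              "strong:", c.feasible_strong_secure_channel())
```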


Wrapping Compiler. For a subset / C {1, • • • ,n}, we say that a protocol 
7 r is /-independent 3 if there exists a polynomial p such that for every n G N 
and every x G ({0, l}*) n , the output size and the number of bits, exchanged 
among all parties in an execution of 7 r with n and x , are upper bounded by 
p(n, \x h \, • • • , | Xj t \) except negligible probability, where {jT , • • • ,j t } D / = 0. 
A wrapping compiler takes an /-independent protocol 7 r (it is not necessary for 
7 r to be secure) that computes f(x ), and outputs a size- hiding protocol 7 r' that 
computes f(x) while hiding the inputs \xi\ (i G /) from all parties. It is used in 
the proof of Lemma 4. The following lemma is the security of a protocol that is 
compiled by the wrapping compiler. 

Lemma 2. Let I be a non-empty subset of {1, • • • ,n}, and let 1 r be an I- 
independent protocol computing f(x) with Pi,-- - ,P n . Assume that threshold 
FHE exists. There exists a protocol 7 r' that realizes a functionality (G',v f , /) as 
follows: 

3 It is an generalization of size independent protocol, see Sect. 4.3 in [LN013]. 
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- The party Pi (i G {1, • • • ,n}) has the same input Xi of Pi. 

- G' is an input size graph with n parties, where {\xi\}i e i are private sizes and 
the others are public sizes. 

- v' is any element of { |f|,f} n . 

Proof. Given an $I$-independent protocol $\pi$ that computes $f(x)$, the compiled protocol $\pi'$ with $P'_1, \dots, P'_n$ proceeds as follows. First, the parties execute a threshold key generation protocol of threshold FHE, and each party encrypts its own input under the public key. Second, every party $P'_j$ ($j \notin I$) sends $|x_j|$ to all parties. On receiving $|x_{j_1}|, \dots, |x_{j_t}|$ (they are not independent sizes), the parties compute the upper bound $B = p(\kappa, |x_{j_1}|, \dots, |x_{j_t}|)$. Since the communication complexity is bounded by $B$, each party $P'_i$ can construct a circuit that produces the next messages of $P_i$. More concretely, for each round $k$ ($k$ is also bounded by $B$), the circuit takes as inputs the messages received by $P_i$ at rounds $1, 2, \dots, k-1$ and $P_i$'s input $x_i$, and outputs the next messages for each party. Using these circuits, all parties homomorphically evaluate the protocol $\pi$. Finally, the parties obtain an output ciphertext (whose message is of length $B$), invoke a threshold decryption protocol, and obtain the output value. (It is easy to obtain a protocol for any $v' \in \{|f|, f\}^n$ by specifying appropriately the parties who can obtain the output.)

Now we show that the above protocol $\pi'$ realizes $(G', v', f)$ in the secure channel model. In order to prove the security of $\pi'$, we construct a simulator $\mathcal{S}$ that can generate the views of corrupted parties. Given $1^\kappa$, $I \subseteq \{1, \dots, n\}$, the inputs $x_I$, the output $f(x)$ (or the output size $|f(x)|$), all input sizes which are not independent sizes, $|x_{j_1}|, \dots, |x_{j_t}|$, and random tapes $r_I$ produced by a randomness producer, the simulator $\mathcal{S}$ first computes the upper bound $B = p(\kappa, |x_{j_1}|, \dots, |x_{j_t}|)$. Second, $\mathcal{S}$ simulates a threshold key generation protocol, and computes ciphertexts of $x_i$ for all $i \in I$. Next, $\mathcal{S}$ simulates the messages sent by $P_i$ to $P_j$ ($i \in \{1, \dots, n\}$ and $j \in I$) as follows. If $P_i$ is corrupted, $\mathcal{S}$ does the same as $P_i$. Otherwise, $\mathcal{S}$ computes a ciphertext of the zero string of appropriate length. At the end of the protocol $\pi'$, $\mathcal{S}$ simulates a threshold decryption protocol. Finally, $\mathcal{S}$ computes the message sizes, and outputs the views of corrupted parties and the message sizes generated as above. The views generated by $\mathcal{S}$ are indistinguishable from the views in a real execution of the protocol due to the IND-CPA security of FHE and the security of the threshold protocols. Thus, the protocol $\pi'$ securely computes $(G', v', f)$ in the secure channel model. □

4 Results in the Secure Channel Model 

In this section, we show that every function can be realized while hiding one 
(input or output) size in the secure channel model. On the other hand, we also 
prove that there exists a function that cannot be realized while hiding two or 
more (input or output) sizes in the secure channel model. Our result shows that, 
in the secure channel model, a general size-hiding protocol exists only in the case 
where parties wish to hide at most one of the $n + 1$ ($n$ inputs and the output) sizes. 
In Sect. 4.1, we give a formal statement of our result in Theorem 1, and show 
examples of (feasible or infeasible) classes. Then, we show the feasibility part of 
the theorem in Sect. 4.2, and the infeasibility part of the theorem in Sect. 4.3. 

4.1 Our Result 

Our result in the secure channel model is as follows. 

Theorem 1. Let $(G, v)$ be a size-hiding class with $n$ parties. Assume that threshold 
FHE exists. The class $(G, v)$ is feasible in the secure channel model if and 
only if the number of private sizes of (G, v) is at most 1. 

Examples. Examples of feasible size-hiding classes are shown in Fig. 4. The 
number of private sizes of them is just one. On the other hand, classes shown 
in Fig. 5 are infeasible. The number of private sizes of the left and the center 
graphs is two, and of the right graph is three. 



Fig. 4. Examples of feasible classes 



Fig. 5. Examples of infeasible classes 


4.2 Protocol Hiding One Size 

We construct a general size-hiding MPC protocol that can hide one (input or 
output) size, in order to show the feasibility part of Theorem 1. The case where 
only the output size is private is an easy application of ordinary MPC. Indeed, 
since the input sizes are then public, the output size also has a public and efficient 
upper bound derived from the complexity of the function $f$; therefore the output 
size can be hidden from the forbidden parties by a naive padding technique. 

From now on, we consider the case where the output size is public. Let 
“server” denote the unique party who wants to hide its own input size, and 
let “clients” denote the other parties. The outline of the protocol construction, which is a natural extension of the two-party results for classes 1.a, 1.c, and 1.e in [LNO13], is as follows. Each client sends an FHE ciphertext of its own input to the server, which can be done freely since their input sizes are public. Given these ciphertexts, the server seems to be able to compute the encrypted output of the function using homomorphic evaluation, which is then decrypted for the full-output parties by threshold decryption. However, the ciphertext of the output value may be longer than the actual output size since the precise inputs are not known at the time of homomorphic evaluation, and the difference from the actual output size may reveal non-trivial information on the server’s input size. To avoid the problem, the server first homomorphically computes a ciphertext of the actual output length $\ell$, and the parties learn $\ell$ via threshold decryption. Then the server generates the ciphertext of the output value whose length is set to exactly $\ell$, which prevents the leak of the server’s input size mentioned above. 

The full description of the protocol appears in Protocol 1. In the following 
argument, we assume by symmetry that $P_1$ is the server. 


Protocol 1. Suppose that parties $P_1, P_2, \dots, P_n$ have inputs $x_1, x_2, \dots, x_n$, respectively, and all sizes are public except the input size $|x_1|$ of the party $P_1$. The protocol proceeds as follows.

1. All parties invoke a ThrGen protocol with inputs $1^\kappa$, and each party $P_i$ obtains a public key $pk$ and a share of the secret key $sk_i$.

2. Each party $P_i$ computes $c^{in}_i = \mathrm{Enc}_{pk}(x_i)$, and sends $c^{in}_i$ to $P_1$.

3. $P_1$ constructs a circuit $C_{size}$, which takes $x$ as inputs and outputs $|f(x)|$ padded with zeroes up to $(\log \kappa)^2$ bits. Then, $P_1$ computes $c^{size} \leftarrow \mathrm{Eval}_{pk}(C_{size}, c^{in}_1, \dots, c^{in}_n)$ and sends $c^{size}$ to all parties.

4. All parties invoke a ThrDec protocol with the ciphertext $c^{size}$, and obtain the decrypted value $\ell$.

5. $P_1$ computes $c^{out} \leftarrow \mathrm{Eval}_{pk}(C_{out}, c^{in}_1, \dots, c^{in}_n)$, where the circuit $C_{out}$ computes $f(x_1, \dots, x_n)$ of length $\ell$, and sends $c^{out}$ to all parties.

6. All parties invoke a ThrDec$_{I_f}$ protocol with the ciphertext $c^{out}$ so that only the full-output parties obtain the decrypted value $z \in \{0,1\}^\ell$. Then, all full-output parties output $z$, and the other parties output nothing. The protocol terminates.


Lemma 3 (Security of Protocol 1). Let $(G, v, f)$ be a functionality with $n$ parties, where $|x_1|$ is private and the other sizes are public. Assume that threshold FHE exists. Then, Protocol 1 realizes the functionality $(G, v, f)$ in the secure channel model.

Proof. In order to prove the security, we construct a simulator $\mathcal{S}$ that, given the inputs, outputs, and random tapes of corrupted parties, generates their view in the protocol. We note that it suffices to consider only the most difficult case, in which $|x_1|$ is hidden from all other parties. Given $1^\kappa$, $I = \{i_1, \dots, i_t\}$, the inputs $x_I$, the public sizes $(|x_2|, \dots, |x_n|, |f(x)|)$, the output $f(x)$ if $I \cap I_f \neq \emptyset$, and random tapes $R_I = (r_{i_1}, \dots, r_{i_t})$ produced by a randomness producer, the simulator $\mathcal{S}$ works as follows. (In the following probabilistic computation, $\mathcal{S}$ uses the string $r_i \| 000\cdots$ as $P_i$'s random tape.) First, $\mathcal{S}$ computes $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa)$, chooses random shares $sk_i$ for all $i \in I$, and simulates a threshold key generation protocol under these keys. If $P_1$ is corrupted, $\mathcal{S}$ computes $c^{in}_i = \mathrm{Enc}_{pk}(x_i)$ ($i \in I$) and $c^{in}_i = \mathrm{Enc}_{pk}(0^{|x_i|})$ ($i \notin I$), and evaluates $c^{size}$ and $c^{out}$ from these ciphertexts. Otherwise, $\mathcal{S}$ computes $c^{size} = \mathrm{Enc}_{pk}(0^{(\log \kappa)^2})$ and $c^{out} = \mathrm{Enc}_{pk}(0^{|f(x)|})$. Next, $\mathcal{S}$ simulates threshold decryption protocols for $c^{size}$ and $c^{out}$. Then, $\mathcal{S}$ computes the message sizes $\mathrm{MSIZE}_\pi(x)$. ($\mathcal{S}$ can compute them since all message sizes depend only on the public sizes $|x_2|, \dots, |x_n|$ and $|f(x)|$.) Finally, $\mathcal{S}$ outputs the views of corrupted parties and the message sizes generated as above.

Let us observe the difference between the view generated in a real execution and the view generated by $\mathcal{S}$. The views of the threshold key generation and threshold decryption protocols generated by $\mathcal{S}$ are indistinguishable from those in a real execution due to the security of these protocols. The ciphertexts generated by $\mathcal{S}$ are indistinguishable from those in a real execution due to the IND-CPA security of the underlying FHE scheme. Therefore, the above protocol realizes the functionality in the secure channel model. □

Fully avoiding upper bounding of input sizes. In the same way as the protocols in [LNO13], Protocol 1 above assumes that all input sizes are bounded by $2^{(\log \kappa)^2} = \kappa^{\log \kappa}$. From the viewpoint of security, this restriction causes no problems, since the input sizes are polynomially bounded and thus the bound above indeed holds asymptotically. However, it may cause a problem from the viewpoint of correctness, since polynomial bounds for input sizes do not exist there and correctness should be satisfied at every parameter $\kappa$ rather than just asymptotically. To resolve the issue, we show that the assumption $|x_i| < 2^{(\log \kappa)^2}$ can be avoided by using a flag technique. A flag function $\mathrm{flag}_B : \{0,1\}^B \to \{0,1\}^B$ takes $x = x_B \cdots x_2 x_1 \in \{0,1\}^B$ as input, and outputs $z = 0^{B-i} \| 1^i$, where $i$ is the index $i = \max(j - 1 \text{ s.t. } x_j = 1)$. For example, the flag function $\mathrm{flag}_{10}$ with input $x = 0010000001$ outputs $z = 0001111111$. Next we explain how to use the flag function in Protocol 1. Let $p$ be a polynomial such that $|f(x'_1, \dots, x'_n)| < p(|x'_1|, \dots, |x'_n|)$ for all $x'_i \in \{0,1\}^*$. In step 3, the party $P_1$ first computes $B = \log_2 p(|x_1|, \dots, |x_n|)$, and then constructs a circuit $C_{size}$, which takes $x$ as inputs and outputs $|f(x)|$ padded with zeroes up to $B$ bits, and a circuit $C_{flag}$, which takes $x \in \{0,1\}^B$ as input and outputs the string $\mathrm{flag}_B(x)$. Then, $P_1$ computes $c^{size} \leftarrow \mathrm{Eval}_{pk}(C_{size}, c^{in}_1, \dots, c^{in}_n)$ and $c^{flag} \leftarrow \mathrm{Eval}_{pk}(C_{flag}, c^{size})$. For $i = 1, 2, 3, \dots$, $P_1$ sends $c^{flag}[i]$ to all parties, and the parties decrypt it. If the decrypted value equals zero, then $P_1$ sends $(c^{size}[j])_{1 \le j \le i}$ to all parties; otherwise, the loop continues. Now $(c^{size}[j])_{1 \le j \le i}$ indeed contains the whole information of $|f(x)|$ by the definition of the flag function, and thus we can avoid the upper bound on input sizes. The flag technique can also be applied to all of our protocols and to the previous two-party protocols [LNO13].
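The following Python program, added here as an illustration and not part of the paper, implements the flag function in the clear and runs the release loop of the modified step 3 on a padded value of $|f(x)|$. Bit strings are written most significant bit first as above, so $x_1$ is the rightmost character; the padding width $B$ and the sample values are constructed, and no encryption is modelled. The point it makes visible is that the number of rounds and the released bits depend only on $|f(x)|$ and not on $B$, which is what lets $B$ depend on the private $|x_1|$ without leaking it.

```python
# Added example, not from the paper: the flag technique in the clear.
# A bit string x = x_B ... x_2 x_1 is stored most significant bit first,
# so position j (counted from 1) is the character at index B - j.

def bit_at(s: str, j: int) -> str:
    """Return x_j, the j-th bit counted from 1 at the rightmost position."""
    return s[len(s) - j]

def flag(x: str) -> str:
    """flag_B: output z = 0^(B-i) || 1^i with i = max(j - 1 : x_j = 1).
    The all-zero input has no set bit and is mapped to 0^B."""
    B = len(x)
    set_positions = [j for j in range(1, B + 1) if bit_at(x, j) == "1"]
    if not set_positions:
        return "0" * B
    i = max(set_positions) - 1
    return "0" * (B - i) + "1" * i

def release_loop(c_size: str):
    """Modified step 3 of Protocol 1, in the clear: the flag bits c_flag[1], c_flag[2], ...
    are released one per round; at the first zero, at position i, the low bits
    c_size[1..i] are released. Returns (released bits, number of rounds)."""
    c_flag = flag(c_size)
    B = len(c_size)
    for i in range(1, B + 1):
        if bit_at(c_flag, i) == "0":
            return c_size[B - i:], i
    return c_size, B   # not reachable: z_B is always 0 because i <= B - 1

def released_output_size(output_len: int, B: int):
    """P_1 pads |f(x)| to B bits, where B = log_2 p(|x_1|, ..., |x_n|) depends on the
    private |x_1| (B is a constructed parameter here). Returns the integer recovered
    from the released bits and the number of rounds spent."""
    c_size = format(output_len, f"0{B}b")
    released, rounds = release_loop(c_size)
    return int(released, 2), rounds

if __name__ == "__main__":
    print(flag("0010000001"))                   # the paper's example: 0001111111
    for B in (10, 40, 200):
        print(B, released_output_size(9, B))    # (9, 4) for every B
```

The recovered value is always $|f(x)|$ itself and the round count is its bit length (one round when $|f(x)| = 0$), so an observer of the loop learns nothing beyond the public output size.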
4.3 Infeasibility for Hiding Two Sizes 

Unfortunately, in the secure channel model, there is no general size-hiding MPC protocol that can hide two or more (input or output) sizes. The rest of this subsection is devoted to proving the infeasibility part of Theorem 1. In particular, we prove the infeasibility when two input sizes are hidden (Lemma 4), and the infeasibility when one input size and the output size are hidden (Lemma 5). 

We first prove the infeasibility when two input sizes are hidden. In this case, the infeasibility of an $n$-party protocol can be reduced to the infeasibility of a two-party protocol when both input sizes are hidden (class 2). First, assume by contradiction that there exists a protocol $\pi$ that realizes an $n$-ary function. Then, using a reduction compiler and a wrapping compiler, we compile the protocol $\pi$ into a two-party protocol $\pi'$ that realizes an impossible functionality. By the contradiction, we conclude that there exists a function that cannot be realized while hiding two input sizes. The formal statement and the proof are as follows. 

Lemma 4 (Hiding two input sizes). Let $(G, v)$ be a size-hiding class for $n$ parties such that two input sizes are private and the others are public. Assuming the existence of threshold FHE, there exists a function $f$ such that the functionality $(G, v, f)$ cannot be realized in the secure channel model.

Proof. Without loss of generality, we can assume the private input sizes are $|x_1|$ and $|x_2|$. Let $f'$ be a two-ary function such that its range is of constant size and $(G_{2.a}, v_{2.a}, f')$ cannot be realized in the secure channel model. (The existence of such a function is shown by [LNO13].) Let $f$ be an $n$-ary function such that $f(x_1, \dots, x_n) = f'(x_1, x_2)$. Assume by contradiction that there exists an $n$-party protocol $\pi$ with $P_1, \dots, P_n$ that realizes $(G, v, f)$ in the secure channel model.

Let $T(\kappa, x)$ be a random variable representing the number of bits exchanged among all parties when running $\pi$ with inputs $x$ and security parameter $\kappa$. In this case, by an argument similar to [LNO13], there exists a polynomial $p$ such that $T(\kappa, x) < p(\kappa)$ for all large enough $\kappa$. Let us consider the simulator $\mathcal{S}$ for the protocol $\pi$ corrupting $P_2, \dots, P_n$. For a fixed output value $a$, let $x^*_2$ be the smallest string for which there exists $x_1$ such that $f'(x_1, x^*_2) = a$. At this time, there exists a polynomial $p_a$ such that the running time of the simulator $\mathcal{S}$ is bounded by $p_a(|x^*_2|, |a|, \kappa)$, and there exists a polynomial $p'_a$ such that $p'_a(\kappa) = p_a(|x^*_2|, |a|, \kappa)$ since $|x^*_2|$ and $|a|$ are of constant size. We claim that, for every $(x_1, x_2)$ such that $f'(x_1, x_2) = a$, the length of the transcript with input $(x_1, x_2)$ is upper bounded by $p'_a(\kappa)$ except with negligible probability. Otherwise, it contradicts the security of $\pi$. (For example, the simulator $\mathcal{S}$, corrupting $P_3$ only, cannot compute the message size since $\mathcal{S}$ does not know whether $P_2$'s input is $x^*_2$ or not.) Since the number of possible output values is constant, there exists a polynomial $p$ such that $T(\kappa, x) < p(\kappa)$ for every $x$ except with negligible probability. Therefore, the protocol $\pi$ is $I$-independent for any $I$ (in particular, $I = \{1, 2\}$).

Now we are ready to derive the contradiction. We first construct a two-party protocol $\pi'$ with $P'_1 = \{P_1\}$ and $P'_2 = \{P_2, \dots, P_n\}$ that is compiled by a reduction compiler from the protocol $\pi$. Note that the protocol $\pi'$ is also $I$-independent ($I = \{1, 2\}$) since its communication complexity and computation complexity are the same as those of $\pi$. Then, we construct a protocol $\pi''$ that is compiled by a wrapping compiler from the protocol $\pi'$. From Lemma 2, the protocol $\pi''$ realizes $(G_{2.a}, v_{2.a}, f')$, in contradiction to the infeasibility of $f'$. Now we have that the functionality $(G, v, f)$ cannot be realized in the secure channel model. □

Next, we prove the infeasibility when one input size and the output size are hidden. In order to prove this, we introduce a new function, a truncated oblivious multi-input pseudorandom function tomprf, defined as follows. Let $F$ be a pseudorandom function $F : \{0,1\}^\kappa \times \{0,1\}^\kappa \to \{0,1\}^\kappa$. A truncated oblivious multi-input pseudorandom function $\mathrm{tomprf}_n$ is an $n$-party functionality (ignoring the inputs $x_4, \dots, x_n$) that takes as inputs a vector of arbitrary length $x_1 = (a_1, \dots, a_m) \in (\{0,1\}^\kappa)^m$ from $P_1$, a $\kappa$-bit string $x_2 \in \{0,1\}^\kappa$ from $P_2$, and a key for the pseudorandom function $x_3 \in \{0,1\}^\kappa$ from $P_3$. The functionality outputs to $P_1$ the tuple $(F_{x_3}(a_1), \dots, F_{x_3}(a_\ell))$, where $\ell = \min(x_2, m)$. Now we are ready to prove the following lemma.

Lemma 5 (Hiding an input and the output sizes). Let $(G, v)$ be a size-hiding class for $n$ parties such that an input size and the output size are private and the others are public. Assume that one-way functions exist. There exists a function $f$ such that $(G, v, f)$ cannot be realized in the secure channel model.

Proof. Without loss of generality, we can assume the private input size is $|x_1|$. Essentially, there are three settings regarding who must not learn $|x_1|$ and $|f(x)|$:

1. The party $P_2$ must not learn both $|x_1|$ and $|f(x)|$.

2. The party $P_2$ must not learn $|x_1|$, and the party $P_1$ must not learn $|f(x)|$.

3. The party $P_2$ must not learn $|x_1|$, and the party $P_3$ must not learn $|f(x)|$.

First, let us consider the case where $P_2$ must not learn both $|x_1|$ and $|f(x)|$. Let $f$ be an $n$-ary function ignoring $x_3, \dots, x_n$ such that $f(x) = f'(x_1, x_2)$, where the functionality $(G_{1.d}, v_{1.d}, f')$ cannot be realized in the secure channel model. Assume by contradiction that there exists an $n$-party protocol $\pi$ with $P_1, \dots, P_n$ that securely computes $(G, v, f)$ in the secure channel model. We can construct a two-party protocol $\pi'$ with $P'_1 = \{P_2\}$ and $P'_2 = \{P_1, P_3, \dots, P_n\}$ that is compiled by a reduction compiler from $\pi$. From Lemma 1, the protocol $\pi'$ realizes $(G_{1.d}, v_{1.d}, f')$, in contradiction to the infeasibility of $f'$. Now in this case we obtain a function $f$ such that $(G, v, f)$ cannot be realized in the secure channel model.

Second, let us consider the case where $P_2$ must not learn $|x_1|$, and $P_1$ must not learn $|f(x)|$. An oblivious transfer OT is a two-party function that takes $x_1 = (s_0, s_1)$ from $P_1$, where $s_0$ and $s_1$ are strings of arbitrary length, and $x_2 \in \{0, 1\}$ from $P_2$ as inputs, and outputs the string $s_{x_2}$ to only the party $P_2$. Let $f$ be an $n$-ary function such that $f(x_1, \dots, x_n) = \mathrm{OT}(x_1, x_2)$. Now we show that the function $f$ cannot be realized in the secure channel model by a technique similar to [LNO13]. Assume by contradiction that there exists an $n$-party protocol $\pi$ with $P_1, \dots, P_n$ that realizes $(G, v, f)$ in the secure channel model.


956 K. Shinagawa et al. 


We denote the inputs $x$ by $x = ((s_0, s_1), x_2)$ since the inputs $x_3, \dots, x_n$ are ignored. Let $T(\kappa, x)$ be a random variable representing the number of bits exchanged among $P_1, \dots, P_n$ when running $\pi$ with inputs $x$ and security parameter $\kappa$. For the inputs $x^* = ((0, 0), 0)$, there exists a polynomial $p$ such that $T(\kappa, x^*) < p(\kappa)$ for all large enough $\kappa$ since $\pi$ is a polynomial-time protocol. Let $s'$ be a random string whose length is $\omega(p(\kappa))$, and let $x'_0 = ((0, s'), 0)$ and $x'_1 = ((0, s'), 1)$. It must hold that $T(\kappa, x'_0) < p(\kappa)$, otherwise $P_2$ can distinguish whether the other input of $P_1$ is $0$ or $s'$. And it must hold that $T(\kappa, x'_1) < p(\kappa)$, otherwise $P_1$ can distinguish whether $P_2$ obtains $0$ or $s'$. However, in the case of $x'_1 = ((0, s'), 1)$, the party $P_2$ must compute $s'$, a random string of length $\omega(p(\kappa))$, from a transcript of length less than $p(\kappa)$. This contradicts the incompressibility of a random string. Thus, in this case, there is a function $f$ such that $(G, v, f)$ cannot be realized in the secure channel model.

Finally, let us consider the case where $P_2$ must not learn $|x_1|$, and $P_3$ must not learn $|f(x)|$. Let $f$ be a truncated oblivious multi-input pseudorandom function $\mathrm{tomprf}_n$ with a pseudorandom function $F : \{0,1\}^\kappa \times \{0,1\}^\kappa \to \{0,1\}^\kappa$. Assume by contradiction that there exists an $n$-party protocol $\pi$ with $P_1, \dots, P_n$ that realizes $(G, v, f)$ in the secure channel model. Let $T(\kappa, x)$ be a random variable representing the number of bits exchanged among $P_1, \dots, P_n$ when running $\pi$ with inputs $x$ and security parameter $\kappa$. There exists a polynomial $p$ such that $T(\kappa, (0, 0, x_3)) < p(\kappa)$ for all large enough $\kappa$ since $\pi$ is a polynomial-time protocol. For any $x^*_1$ of cardinality $\omega(p(\kappa))$, it must hold that $T(\kappa, (x^*_1, 0, x_3)) < p(\kappa)$ for all large enough $\kappa$, otherwise $P_2$ can distinguish whether $P_1$ has $0$ or $x^*_1$, although $P_2$ must not learn $|x_1|$. (Note that since $\mathrm{tomprf}_n(x^*_1, 0, x_3) = 0$, the party $P_2$, who may learn the output, must not learn any partial information on the size of $P_1$'s input.) It must also hold that $T(\kappa, (x^*_1, 2^\kappa - 1, x_3)) < p(\kappa)$ for all large enough $\kappa$, otherwise $P_3$ can distinguish whether the output size is $0$ or $\omega(p(\kappa))$. Now we construct an algorithm $\mathcal{D}$ that distinguishes between the outputs of the pseudorandom function $F_{x_3}(a_1), \dots, F_{x_3}(a_m) \in \{0,1\}^\kappa$ and truly random values $r_1, \dots, r_m \in \{0,1\}^\kappa$, using a simulator $\mathcal{S}$ for the randomness producer $\mathcal{R}(1^\kappa) = 0$. The distinguisher $\mathcal{D}$ invokes $\mathcal{S}$ with inputs $(1^\kappa, x^*_1, z, 0)$, where $x^*_1$ is the input of $P_1$ and $z$ is either $(F_{x_3}(a_1), \dots, F_{x_3}(a_m))$ or $(r_1, \dots, r_m)$ (here, we omit the set of indices $I$ and the input sizes). If $z$ consists of the pseudorandom values, the simulator $\mathcal{S}$ outputs a transcript of length less than $p(\kappa)$; otherwise $\mathcal{S}$ cannot output a consistent transcript due to the incompressibility of a random string. The distinguisher $\mathcal{D}$ outputs 1 if $\mathcal{S}$ outputs a consistent transcript. Hence $\mathcal{D}$ distinguishes pseudorandom values from random values⁴, in contradiction to the pseudorandomness of $F$. Thus, in this case, assuming the existence of one-way functions, there is a function $f$ such that $(G, v, f)$ cannot be realized in the secure channel model. □

Theorem 1 is proven by Lemmas 3, 4 and 5. 


⁴ The above strategy works even for any randomness producer whose output size is 
bounded. However, in the HBC model, the proof does not work since a simulator 
can generate a transcript with a long random tape. 
5 Results in the Strong Secure Channel Model 

In the previous section, we showed that, in the secure channel model, a general size-hiding protocol cannot hide two or more (input or output) sizes. In order to circumvent the infeasibility, we introduce a new communication model, the strong secure channel model, in which an adversary cannot learn the number of 
bits exchanged among honest parties. We show that, in the strong secure channel 
model, a general size-hiding protocol exists even hiding all sizes of inputs and 
output from some parties, while the secure channel model only allows the size of 
at most one input to be hidden. Furthermore, we also prove that some functions 
still remain infeasible even in the strong secure channel model. More specifically, 
we give a sufficient and necessary condition under which a general size-hiding 
protocol can exist. Because the condition depends on whether the output size 
is public or private, our result is stated in Theorem 2 (when the output size is 
public) and Theorem 3 (when the output size is private). 

In Sect. 5.1, we introduce the strong secure channel model. In Sect. 5.2, we 
give our main results, Theorem 2 and Theorem 3, and some examples of (feasible 
or infeasible) classes. We show the feasibility part of Theorem 2 in Sect. 5.3, and 
the infeasibility part of the theorem in Sect. 5.4. We show the feasibility part of 
Theorem 3 in Sect. 5.5, and the infeasibility part of the theorem in Sect. 5.6. 

5.1 Strong Secure Channel Model 

One of the standard communication models is the secure channel model, which is an abstraction of secure communication. In the secure channel model, an adversary cannot learn the messages exchanged among honest parties, but can learn their number of bits. The model is very powerful and used in various works; however, in the context of size-hiding computation, there are strong infeasibility results. In order to circumvent the infeasibility, we introduce a new communication model, the strong secure channel model, in which an adversary can learn neither the messages nor the number of bits exchanged among honest parties. At first glance, the existence of such a communication channel seems suspicious, but we emphasize that the strong secure channel model can be instantiated by using steganographic techniques. 

We provide a security definition of the strong secure channel model. The 
only difference from the secure channel model is that a simulator does not have 
to create message sizes in the strong secure channel model. Thus, the security 
in the secure channel model implies the security in the strong secure channel 
model. The security of protocols in the model is formally defined as follows. 

Definition 4 (Security in the strong secure channel model). Let $(G, v, f)$ be a functionality for $n$ parties and let $\pi$ be a protocol that correctly computes $(G, v, f)$. We say that $\pi$ realizes $(G, v, f)$ in the strong secure channel model if for every randomness producer $\mathcal{R}$, there exists a PPT $\mathcal{S}$ such that for every $I \subseteq \{1, \dots, n\}$ and every polynomials $q_1, \dots, q_n$,

$$\{\mathcal{S}(1^\kappa, I, x_I, \mathrm{OUTPUT}^f_I(x), r_I \leftarrow \mathcal{R}(1^\kappa, I))\}_{\kappa, x} \overset{c}{\equiv} \{\mathrm{VIEW}^\pi_I(x)\}_{\kappa, x}$$

where $x_1 \in \{0,1\}^{q_1(\kappa)}, \dots, x_n \in \{0,1\}^{q_n(\kappa)}$.
5.2 Our Main Results 

In the strong secure channel model, it is possible to realize any functionality 
while hiding two or more sizes. The condition under which any functionality can 
exist is different depending on the case where the output size is public and the 
case where the output size is private. 

The main theorem for the case where the output size is public is as follows. 

Theorem 2 (Public output size). Let $(G, v)$ be a size-hiding class with $n$ parties, where the output size is public. Assume that threshold FHE exists. The size-hiding class $(G, v)$ is feasible in the strong secure channel model if and only if for every two distinct vertices $i, j \in V(G)$, there exists a vertex $k$ such that $(i, k) \in E(G)$ and $(j, k) \in E(G)$.

Examples. Suppose parties $P_1, \dots, P_5$ wish to compute a function while hiding their input sizes, but each party considers it permissible to leak its own size information to the neighboring parties; see the rightmost graph in Fig. 6. In this case, the parties can securely compute every function, since every two distinct parties have a party who may learn both of their input sizes. (For example, the pair of parties $P_1$ and $P_4$ has the party $P_5$, who may learn the input sizes of $P_1$ and $P_4$.) Thus, in such a pentagon case, a general size-hiding protocol exists in the strong secure channel model. Similarly, the triangle and the square cases also have a general size-hiding protocol. On the other hand, there is no general size-hiding protocol in the hexagon case; see the rightmost graph in Fig. 7. This is due to the fact that the pair of parties $P_1$ and $P_4$ does not have a party who may learn both of their input sizes. Other feasible and infeasible classes are shown in Figs. 6 and 7.




Fig. 6. Feasible classes with public output size 


The main theorem for that case where the output size is private is as follows. 

Theorem 3 (Private output size). Let $(G, v)$ be a size-hiding class with $n$ parties, where the output size is private. Assume that threshold FHE exists. The size-hiding class $(G, v)$ is feasible in the strong secure channel model if and only if every vertex $i \in V(G)$ such that $v[i] = \bot$ satisfies both of the following conditions:

1. For all vertices $j \in V(G)$, there exists an edge $(j, i) \in E(G)$.

2. There exists an edge $(i, j) \in E(G)$ such that $v[j] \neq \bot$.
Fig. 7. Infeasible classes with public output size 


Examples. See the center graph in Fig. 8. Suppose two clients (P3 and P4) wish 
to compute a function while hiding their input sizes, with the help of servers (Pi 
and P2, they also have input data). Furthermore, suppose clients want to hide 
the output size from servers. In this case, if servers may learn all input sizes of 
clients and each server has a client who may learn the server’s input size, every 
function can be realized while meeting the demand. Every feasible class with 
private output size is interpreted as such a client-server situation. On the other 
hand, there is no general size-hiding protocol in classes of Fig. 9. 
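As an added illustration that is not part of the paper, the Python program below encodes the conditions of Theorems 2 and 3 and evaluates them on constructed classes: the cycle graphs discussed under Theorem 2 (triangle, square, pentagon, hexagon) and a two-server, two-client class of the kind described for Fig. 8. The graphs are built in the code and need not coincide with the figures. One reading of the input size graph is assumed and labelled in the code: an edge $(i, j) \in E(G)$ means $P_j$ may learn $|x_i|$, and a party is taken to know its own input size, so $k = i$ or $k = j$ is an admissible witness in Theorem 2 (this is what makes an adjacent pair such as $P_1, P_2$ of the pentagon pass).

```python
# Added example, not from the paper: feasibility conditions of Theorems 2 and 3.
# Convention (assumed): (i, j) in E means P_j may learn |x_i|; BOT marks v[i] = ⊥,
# i.e. P_i must not learn the output size. A party is assumed to know its own input
# size, so may_learn(E, i, i) is always true.
from itertools import combinations

BOT, SIZE_ONLY, FULL = "BOT", "|f|", "f"

def may_learn(E, i, j):
    """True if P_j may learn |x_i|."""
    return i == j or (i, j) in E

def common_observer(V, E, i, j):
    """Theorem 2 witness: a vertex k with (i, k) and (j, k) in E(G), or None."""
    for k in V:
        if may_learn(E, i, k) and may_learn(E, j, k):
            return k
    return None

def feasible_public_output(V, E):
    """Theorem 2: every pair of distinct vertices has a common observer."""
    return all(common_observer(V, E, i, j) is not None for i, j in combinations(V, 2))

def feasible_private_output(V, E, v):
    """Theorem 3: every vertex i with v[i] = BOT (1) may learn all input sizes and
    (2) has its own input size learnable by some vertex j with v[j] != BOT."""
    for i in V:
        if v[i] != BOT:
            continue
        learns_everything = all(may_learn(E, j, i) for j in V)
        observed_by_output_party = any(
            may_learn(E, i, j) and v[j] != BOT for j in V if j != i)
        if not (learns_everything and observed_by_output_party):
            return False
    return True

def cycle_class(n):
    """Parties 1..n on an n-cycle; each party leaks its size to its two neighbours."""
    V = list(range(1, n + 1))
    E = set()
    for i in V:
        nxt = i % n + 1
        E.update({(i, nxt), (nxt, i)})
    return V, E

def client_server_class(servers_learn_each_other=True):
    """Servers P1, P2 (must not learn the output size) learn every client size;
    clients P3, P4 are full-output parties, and each server is observed by one client."""
    V = [1, 2, 3, 4]
    v = {1: BOT, 2: BOT, 3: FULL, 4: FULL}
    E = {(3, 1), (4, 1), (3, 2), (4, 2), (1, 3), (2, 4)}
    if servers_learn_each_other:
        E.update({(1, 2), (2, 1)})
    return V, E, v

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(n, "-cycle feasible with public output size:",
              feasible_public_output(*cycle_class(n)))
    print("client-server feasible:", feasible_private_output(*client_server_class()))
```

On the pentagon the witness for the pair $(1, 4)$ is vertex 5, as in the text; on the hexagon the pair $(1, 4)$ has none. The client-server class becomes infeasible under Theorem 3 as soon as one server is not allowed to learn the other server's input size, since condition 1 requires a $\bot$-vertex to learn every input size.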



Fig. 8. Feasible classes with private output size 



5.3 Protocol with Public Output Size 

We show that, in the strong secure channel model, the feasibility of size-hiding 
computations is dramatically improved compared to the secure channel model. 
In this subsection, we construct a size-hiding protocol where all parties may 
learn the output size. (The case of private output size is described in Sect. 5.5.) 
In particular, we construct a general size-hiding protocol if every pair of parties 
has a party who may learn input sizes of them. The condition includes the case 
where each input size is hidden from some parties, i.e., the number of hidden 
sizes is the number of parties. The protocol idea is explained in Introduction; 
see Sect. 1.2. The full description of the protocol appears in Protocol 2. 
Building blocks — circuits for homomorphic evaluation. Let $f$ be a function $f : (\{0,1\}^*)^n \to \{0,1\}^*$ and let $\ell$ be an integer. We can construct the following circuit, denoted by $C_{f,\ell}$. On receiving strings $x'_1, x'_2, \dots, x'_n \in \{0,1\}^*$ as inputs, if there is an all-zero string among the inputs, then it outputs $0^\ell$; otherwise, it parses $x'_i = 00\cdots0 \| 1 \| x_i$ ($i = 1, \dots, n$), and outputs $f(x_1, \dots, x_n)$ padded with zeroes up to $\ell$ bits.


Protocol 2. Suppose that parties $P_1, P_2, \dots, P_n$ have inputs $x_1, x_2, \dots, x_n$, respectively, and each party is either a full-output party or a size-only party. The protocol proceeds as follows.

1. All parties invoke a ThrGen protocol with inputs $1^\kappa$, and each party $P_i$ obtains a public key $pk$ and a share of the secret key $sk_i$.

2. For all edges $(i, j) \in E(G)$, $P_i$ sends the size information $|x_i|$ to $P_j$.

3. For all two vertices $i, j \in V(G)$, the party $P_i$ sends ciphertexts to $P_j$ as follows. Let $P_k$ be a party who may learn both $|x_i|$ and $|x_j|$. The party $P_i$ computes $c_i = \mathrm{Enc}_{pk}(1 \| x_i)$, and sends $c_i$ to $P_k$. (If $P_i$ and $P_k$ are the same party, then $P_i$ only computes $c_i$.) If it holds that $|x_j| \ge |x_i|$, then $P_k$ computes a ciphertext $c'_{(i,j)} = \mathrm{Enc}_{pk}(0^{|x_j| - |x_i|}) \| c_i$, and sends it to $P_j$. Otherwise, $P_k$ computes a ciphertext of zeroes $c'_{(i,j)} = \mathrm{Enc}_{pk}(0^{|x_j| + 1})$, and sends it to $P_j$.

4. Each party $P_i$ constructs the circuit $C_{|f|, (\log \kappa)^2}$ (described as above), where $|f|$ denotes the function computing $|f(x_1, \dots, x_n)|$, computes $c^{size}_i \leftarrow \mathrm{Eval}_{pk}(C_{|f|, (\log \kappa)^2}, c'_{(1,i)}, \dots, c'_{(n,i)})$, and sends $c^{size}_i$ to the party $P_1$ (or another designated party).

5. The party $P_1$ computes $c^{size}$ by homomorphic evaluation of a max function from $c^{size}_1, \dots, c^{size}_n$, and sends it to all parties. Then, all parties invoke a ThrDec protocol with the ciphertext $c^{size}$, and obtain the decrypted value $\ell$.

6. Each party $P_i$ computes $c^{out}_i \leftarrow \mathrm{Eval}_{pk}(C_{f,\ell}, c'_{(1,i)}, \dots, c'_{(n,i)})$, where $C_{f,\ell}$ is the circuit described as above for the function $f$ and the integer $\ell$, and then sends $c^{out}_i$ to the party $P_1$.

7. The party $P_1$ computes $c^{out}$ by homomorphic evaluation of a max function from $c^{out}_1, \dots, c^{out}_n$, and sends it to all parties. Then, all parties invoke a ThrDec$_{I_f}$ protocol with the ciphertext $c^{out}$, and all full-output parties obtain the decrypted value $z$. All full-output parties output $z$, and the other parties output nothing. The protocol terminates.


Lemma 6 (Security of Protocol 2). Let $(G, v)$ be a size-hiding class with $n$ parties that satisfies the conditions stated in Theorem 2. Let $f(x_1, \dots, x_n)$ be any $n$-ary polynomial-time computable function. Assuming the existence of threshold FHE, Protocol 2 realizes $(G, v, f)$ in the strong secure channel model.

Proof. Given $1^\kappa$, $I$, inputs $x_I$, input sizes $\{|x_j| \mid (j, i) \in E(G)\}_{i \in I}$, the output $f(x)$ if $I \cap I_f \neq \emptyset$, and random tapes $R_I$ produced by a randomness producer, the simulator $\mathcal{S}$ works as follows. First, $\mathcal{S}$ computes $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa)$, chooses random shares $sk_i$ for every $i \in I$, and simulates the ThrGen protocol with keys $(pk, sk_i)_{i \in I}$. Next, for every $i \in \{1, \dots, n\}$ and every $j \in I$, $\mathcal{S}$ computes $c'_{(i,j)} = \mathrm{Enc}_{pk}(0^{|x_j| - |x_i|} \| 1 \| x_i)$ if it holds that $i \in I$ and $|x_j| \ge |x_i|$; otherwise, $c'_{(i,j)} = \mathrm{Enc}_{pk}(0^{|x_j| + 1})$. Then, $\mathcal{S}$ computes $c^{size}_i$ and $c^{out}_i$ for every $i \in I$, and evaluates $c^{size}$ and $c^{out}$. $\mathcal{S}$ simulates threshold decryption protocols for $c^{size}$ and $c^{out}$. Finally, $\mathcal{S}$ outputs the views of corrupted parties generated as above. The views generated by $\mathcal{S}$ are indistinguishable from the views in a real execution of the protocol due to the IND-CPA security of threshold FHE and the security of the threshold key generation and decryption protocols. □


5.4 Infeasibility Result with Public Output Size 

We show that, when all parties may learn the output size, the condition "every pair has a party who may learn the input sizes of the pair" is a necessary and sufficient condition under which a general size-hiding protocol can exist. In this subsection, in order to prove this, we show that if the condition is not satisfied, a general size-hiding protocol does not exist.

Lemma 7. Let $(G, v)$ be a size-hiding class with $n$ parties, where the output size is public. The size-hiding class $(G, v)$ is infeasible in the strong secure channel model if there exist two distinct vertices $i^*, j^* \in V(G)$ such that there is no vertex $k \in V(G)$ with $(i^*, k) \in E(G)$ and $(j^*, k) \in E(G)$.

Proof. Let $(G, v)$ be a size-hiding class that satisfies the condition above. Without loss of generality, we can assume $i^* = 1$ and $j^* = 2$. Let $P'_1 = \{P_i \mid (2, i) \notin E(G)\}$ and let $P'_2 = \{P_1, \dots, P_n\} \setminus P'_1$. The parties in $P'_1$ must not learn $|x_2|$ by definition, and the parties in $P'_2$ must not learn $|x_1|$, since otherwise the condition would be contradicted. (Note that $P_1 \in P'_1$ and $P_2 \in P'_2$.) Let $f'$ be a two-ary function such that $(G_{2.a}, v_{2.a}, f')$ cannot be realized in the (strong) secure channel model$^5$, and let $f$ be a function such that $f(x_1, x_2, \dots, x_n) = f'(x_1, x_2)$. Assume by contradiction that there exists an $n$-party protocol $\pi$ that realizes $(G, v, f)$ in the strong secure channel model. We can construct a two-party protocol $\pi'$ with $P'_1$ and $P'_2$ that is compiled by a reduction compiler from the protocol $\pi$. From Lemma 1, the protocol $\pi'$ realizes the functionality $(G_{2.a}, v_{2.a}, f')$, in contradiction to the assumption. Therefore, the size-hiding class $(G, v)$ is infeasible in the strong secure channel model. □

Theorem 2 is proven by Lemmas 6 and 7. 


5.5 Protocol with Private Output Size 

In this subsection, we construct a size-hiding protocol where some parties must 
not learn the output size; see Protocol 3. (The case of public output size is 
described in Sect. 5.3.) Note that it is not superior to Protocol 2 since these size- 
hiding conditions are different. Interestingly, the underlying idea of the protocol 
is completely different from Protocol 2; see Sect. 1.2. 


5 Note that, in the two-party setting, the strong secure channel model and the secure 
channel model are essentially the same. 
Building block — GMW protocol. Goldreich et al. [GMW87] constructed a general MPC protocol that is secure in the presence of HBRC adversaries$^6$ corrupting up to $n - 1$ of $n$ parties, and showed that it can be compiled to a protocol that is secure in the presence of malicious adversaries. Our protocol uses the HBRC protocol in order to compute the desired function by all servers. For simplicity, we use "GMW protocol" to denote a protocol that realizes the following functionality.

- Input: Each party is given a secret share of $x_j$ for all $j = 1, \dots, n$.

- Output: All parties output $f(x_1, \dots, x_n)$.


Protocol 3. Suppose that parties $P_1, P_2, \dots, P_n$ have inputs $x_1, x_2, \dots, x_n$, respectively, and there are some forbidden parties. The function $f$ to be computed has a polynomial $p$ s.t. $|f(x'_1, \dots, x'_n)| \leq p(|x'_1|, \dots, |x'_n|)$ for all $x'_i \in \{0, 1\}^*$. Let $p'$ be a polynomial such that $p'(x) = p(x, x, \dots, x)$. For a ciphertext $c = (c_1, \dots, c_\ell)$ (each $c_i$ is a ciphertext of a 1-bit message), $[c]_{\ell'}$ ($\ell' \leq \ell$) denotes $(c_1, \dots, c_{\ell'})$. Without loss of generality, we can assume $1 \in I_\bot$ and $2 \in I_p$. The protocol proceeds as follows.

1. All permitted parties invoke a ThrGen protocol with inputs $1^\kappa$, and then each permitted party $P_i$ obtains the public key $pk$ and a share $sk_i$ of the secret key. Then, $P_2$ sends the public key $pk$ to all forbidden parties.

2. Each party $P_i$ computes shares $\{r_{i,j}\}_{j \in I_\bot}$ of an additive secret sharing, where $r_{i,j} \in \{0, 1\}^{|x_i|}$, whose secret is $x_i$, i.e., $r_{i,i_1} \oplus r_{i,i_2} \oplus \dots \oplus r_{i,i_t} = x_i$ ($\{i_1, \dots, i_t\} = I_\bot$). Then, $P_i$ computes $c_{i,j} = \mathrm{Enc}_{pk}(r_{i,j})$, and sends $c_{i,j}$ to all forbidden parties.

3. The forbidden parties homomorphically evaluate a GMW protocol computing $f(x)$ of length $L = p'(\max(|x_1|, \dots, |x_n|))$ using FHE, i.e., all messages in the execution are encrypted by FHE and all computations are done by homomorphic evaluation. As the output of the protocol, they obtain a ciphertext $c^{out}$.

4. The party $P_1$ constructs a circuit $C_{size}$ that takes $x \in \{0, 1\}^L$ as an input, and outputs $|x| \in \{0, 1\}^{\log L}$. Then, $P_1$ computes $c^{size} \leftarrow \mathrm{Eval}_{pk}(C_{size}, c^{out})$, and sends $c^{size}$ to all permitted parties.

5. Let $\sigma_i = \max\{|x_j| \mid (j, i) \in E(G)\}$, and let $L_i = p'(\sigma_i)$. (It must hold that $L_i \leq L$ for all $i$ by the definition.) For every $i \in I_p$, the party $P_1$ homomorphically evaluates a max function for $[c^{out}]_{L_i}$ and $\mathrm{Enc}_{pk}(0^{L_i})$, and obtains a ciphertext $c_i^{out}$. Then, $P_1$ sends $c_i^{out}$ to $P_i$ for every $i \in I_p$.

6. All permitted parties invoke a ThrDec protocol with inputs $1^\kappa$ and $c^{size}$, and obtain the decrypted value $\ell$.

7. Each permitted party $P_i$ sends $[c_i^{out}]_\ell$ to the party $P_2$. (If the length of the ciphertext is less than $\ell$, then the party pads it with zero ciphertexts up to $\ell$.) The party $P_2$ computes $c^{out}$ by homomorphic evaluation of a max function from $[c_1^{out}]_\ell, \dots, [c_n^{out}]_\ell$, and sends it to all permitted parties.

8. All permitted parties invoke a $\mathrm{ThrDec}_{I_f}$ protocol with inputs $1^\kappa$ and $c^{out}$, and all full-output parties obtain the decrypted value $z \in \{0, 1\}^\ell$. All full-output parties output $z$, and the other parties output nothing. The protocol terminates.


6 It is well known that the protocol is secure against HBC adversaries. However, it is 
also secure against HBRC adversaries since the simulation algorithm does not have 
to choose random tapes by itself. 
Lemma 8 (Security of Protocol 3). Let $(G, v)$ be a size-hiding class with $n$ parties which satisfies the conditions stated in Theorem 3. Let $f(x_1, \dots, x_n)$ be any $n$-ary polynomial-time computable function. Assuming the existence of threshold FHE, Protocol 3 realizes $(G, v, f)$ in the strong secure channel model.

Proof. Let $I_1$ and $I_2$ be a partition of $I = I_1 \cup I_2$ such that $I_1 \subseteq I_\bot$ and $I_2 \subseteq I_p$. We consider the following cases: (1) $I_1 \subset I_\bot$ and $I_2 = I_p$, (2) $I_1 = \emptyset$ and $I_2 = I_p$, (3) $I_1 = I_\bot$ and $I_2 \subset I_p$, (4) $I_1 \subset I_\bot$ and $I_2 \subset I_p$, (5) $I_1 = \emptyset$ and $I_2 \subset I_p$, (6) $I_1 = I_\bot$ and $I_2 = \emptyset$, and (7) $I_1 \subset I_\bot$ and $I_2 = \emptyset$. We show the simulator in the cases of (1) and (3). It is easy to adapt the proof to the other cases.

We construct the simulator $S$ in the case of (1), where all clients and some servers are corrupted. Given $1^\kappa$, $I$, inputs $x_I$, all input sizes $\{|x_1|, \dots, |x_n|\}$, the output $f(x)$, and random tapes $r_I$ produced by a randomness producer, the simulator $S$ works as follows. First, $S$ invokes a threshold key generation protocol, and obtains a public key $pk$ and all shares of the secret key. Second, $S$ computes secret shares of $x_i$ for $i \in I$ and of $0^{|x_i|}$ for $i \notin I$, and encrypts them by threshold FHE. Next, $S$ computes $c^{out} = \mathrm{Enc}_{pk}(f(x))$ padded with zeroes up to the appropriate length and simulates an encrypted GMW protocol on the input ciphertexts and $c^{out}$. Then, $S$ invokes threshold decryption protocols. Finally, $S$ outputs the views of the corrupted parties generated as above. The view generated by $S$ and the view in a real execution are indistinguishable due to the security of the GMW protocol.

Next we construct the simulator $S$ in the case of (3), where all servers and some clients are corrupted. Given $1^\kappa$, $I = I_1 \cup I_2$, inputs $x_I$, all input sizes $\{|x_1|, \dots, |x_n|\}$, the output $f(x)$ and random tapes $r_I$ produced by a randomness producer, the simulator $S$ works as follows. First, $S$ computes $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa)$, chooses a random $sk_i$ for all $i \in I_2$, and simulates a threshold key generation protocol with the keys. Second, $S$ computes secret shares of $x_i$ for $i \in I$ and of $0^{|x_i|}$ for $i \notin I$, and encrypts them by threshold FHE. Next, $S$ homomorphically executes the GMW protocol, and obtains the output ciphertext $c^{out}$. Then, $S$ computes $c^{size}$ honestly, and simulates threshold decryption protocols. Finally, $S$ outputs the views of the corrupted parties generated as above. The view generated by $S$ and the view in a real execution are indistinguishable due to the IND-CPA security of FHE and the security of the threshold protocols. □

5.6 Infeasibility Result with Private Output Size 

We show that, when some parties must not learn the output size, the condition stated in Theorem 3 is a necessary and sufficient condition under which a general size-hiding protocol can exist. In this subsection, in order to prove this, we show that if the condition is not satisfied, a general size-hiding protocol does not exist.

Lemma 9. Let $(G, v)$ be a size-hiding class with $n$ parties, where the output size is private. The size-hiding class $(G, v)$ is infeasible in the strong secure channel model if there exists a vertex $i^* \in V(G)$ with $v[i^*] = \bot$ which satisfies one of the following conditions:

1. There exists a vertex $j^* \in V(G)$ such that $(j^*, i^*) \notin E(G)$.

2. There is no edge $(i^*, j) \in E(G)$ such that $v[j] \neq \bot$.

Proof. Let $(G, v)$ be a size-hiding class that satisfies the former condition. Without loss of generality, we can assume $i^* = 1$ and $j^* = 2$, i.e., $v[1] = \bot$ and $(2, 1) \notin E(G)$. Let $f'$ be a two-ary function such that the functionality $(G_{1.d}, v_{1.d}, f')$ cannot be realized in the (strong) secure channel model, and let $f$ be an $n$-ary function such that $f(x_1, x_2, \dots, x_n) = f'(x_1, x_2)$. Assume by contradiction that there exists an $n$-party protocol $\pi$ that realizes $(G, v, f)$ in the strong secure channel model. Now we construct a two-party protocol $\pi'$ with $P'_1 = \{P_1\}$ and $P'_2 = \{P_2, \dots, P_n\}$ that is compiled by a reduction compiler from the protocol $\pi$. Since $P'_1$ must know neither the output size nor the input size $|x_2|$, the protocol $\pi'$ realizes $(G_{1.d}, v_{1.d}, f')$ in the (strong) secure channel model, in contradiction to the infeasibility of $f'$. Therefore, the size-hiding class $(G, v)$ is infeasible in the strong secure channel model.

Let $(G, v)$ be a size-hiding class that satisfies the latter condition. Let $P'_1$ be the subset of parties $P'_1 = \{P_i \mid v[i] = \bot\}$, and let $P'_2 = \{P_1, \dots, P_n\} \setminus P'_1$. Without loss of generality, we can assume $i^* = 1$ and $P_2 \in P'_2$. Let $f'$ be a two-ary function such that $(G_{1.b}, v_{1.b}, f')$ cannot be realized in the (strong) secure channel model, and let $f$ be an $n$-ary function such that $f(x_1, x_2, \dots, x_n) = f'(x_1, x_2)$. Assume by contradiction that there exists an $n$-party protocol $\pi$ that realizes $(G, v, f)$ in the strong secure channel model. Now we construct a two-party protocol $\pi'$ with $P'_1$ and $P'_2$ that is compiled by a reduction compiler from the protocol $\pi$. Since $P'_1$ must not learn the output size, and $P'_2$ must not learn the input size $|x_1|$, the protocol $\pi'$ realizes $(G_{1.b}, v_{1.b}, f')$ in the (strong) secure channel model, in contradiction to the infeasibility of $f'$. Therefore, the size-hiding class $(G, v)$ is infeasible in the strong secure channel model. □

Theorem 3 is proven by Lemmas 8 and 9. 
Appendix 

Honest-But-Randomness-Controlling Model 


In this section, we show that the honest-but-randomness-controlling (HBRC) model is strictly stronger than the honest-but-curious (HBC) model. We also explain the relation between the HBRC model and the honest-but-deterministic (HBD) model proposed by [HW15]$^7$. To clarify the difference among them, we describe them in a standard setting (not size-hiding settings).

The view of the party $P_i$ during an execution of $\pi$ with inputs $x$ is defined as $\mathrm{view}_i^\pi(x) = (x_i, r_i, m_{i,1}, \dots, m_{i,t})$, where $r_i$ is its internal coin tosses and $m_{i,j}$ is the $j$-th message that was received by $P_i$ in the protocol execution. We also use $\mathrm{view}_i^\pi(x)|_{r_i} = (x_i, r_i, m_{i,1}, \dots, m_{i,t})$ to denote $\mathrm{view}_i^\pi(x)$ on the given randomness $r_i$. Here, if the length of $r_i$ is shorter than the length of its internal randomness, its internal randomness is $r_i \| 0^k$ for the appropriate $k \in \mathbb{N}$.

Definition 5 (HBC). Let $f$ be a polynomial-time computable $n$-ary function. We say that $\pi$ securely computes $f$ in the HBC model if there exists a PPT $S$ such that for every $I \subseteq \{1, \dots, n\}$ and all polynomials $q_1, q_2, \dots, q_n$, $\{S(1^\kappa, I, x_I, y_I)\}_{\kappa} \equiv \{\mathrm{view}_I^\pi(x)\}_{\kappa}$, where $x_1 \in \{0, 1\}^{q_1(\kappa)}, \dots, x_n \in \{0, 1\}^{q_n(\kappa)}$.

Definition 6 (HBRC Model). Let $f$ be a polynomial-time computable $n$-ary function. We say that a PPT $\mathcal{R}$ is a randomness producer if $\mathcal{R}(1^\kappa, I)$ outputs a vector of strings $r_I = (r_{i_1}, \dots, r_{i_t}) \in (\{0, 1\}^*)^t$ for all $I = \{i_1, \dots, i_t\} \subseteq \{1, \dots, n\}$. We say that $\pi$ securely computes $f$ in the HBRC model if for every randomness producer $\mathcal{R}$ there exists a PPT $S$ such that for every $I \subseteq \{1, \dots, n\}$ and all polynomials $q_1, \dots, q_n$, $\{S(1^\kappa, I, x_I, y_I, r_I \leftarrow \mathcal{R}(1^\kappa, I))\}_{\kappa} \equiv \{\mathrm{view}_I^\pi(x)|_{r_I}\}_{\kappa}$, where $x_1 \in \{0, 1\}^{q_1(\kappa)}, \dots, x_n \in \{0, 1\}^{q_n(\kappa)}$.

Definition 7 (HBD Model). Let $f$ be a polynomial-time computable $n$-ary function. We say that $\pi$ securely computes $f$ in the HBD model if there exists a PPT $S$ such that for every $I \subseteq \{1, \dots, n\}$ and all polynomials $q_1, q_2, \dots, q_n$, $\{S(1^\kappa, I, x_I, y_I)\}_{\kappa} \equiv \{\mathrm{view}_I^\pi(x)|_{0}\}_{\kappa}$, where $x_1 \in \{0, 1\}^{q_1(\kappa)}, \dots, x_n \in \{0, 1\}^{q_n(\kappa)}$.

It is trivial that security in the HBRC model implies security in the HBD model. Moreover, the HBRC model implies the HBC model by the following theorem.

Theorem 4. Let $f$ be a polynomial-time computable $n$-ary function. If a protocol $\pi$ securely computes $f$ in the HBRC model then it also securely computes $f$ in the HBC model.


7 In the original definition in [HW15], the model captures precomputation settings. Our formalization does not include a precomputation for simplicity.
Proof. For simplicity, we consider the case of $n = 2$ and that one party is corrupted. We note that the general case $n > 2$ can be proven in the same way.

Assume that a protocol $\pi$ is secure in the HBRC model. We construct a PPT $S'$ that produces $\mathrm{view}^\pi(x)$ given an input $(1^\kappa, x, y)$. $S'$ computes $T = p(\kappa, |x|, |y|)$ and generates a uniformly random string $r \in \{0, 1\}^T$. Then, $S'$ invokes $S$ on inputs $(1^\kappa, x, y, r)$ and outputs the same output as $S$. Therefore, if a protocol is secure in the HBRC model then it is also secure in the HBC model. □
Abstract. At EUROCRYPT 2015, Zahur et al. argued that all linear, and thus efficient, garbling schemes need at least two $k$-bit elements to garble an AND gate with security parameter $k$. We show how to circumvent this lower bound, and propose an efficient garbling scheme which requires less than two $k$-bit elements per AND gate for most circuit layouts. Our construction slightly deviates from the linear garbling model, and constitutes no contradiction to any claims in the lower-bound proof. With our proof-of-concept construction, we hope to spur new ideas for more practical garbling schemes.

Our construction can directly be applied to semi-private function eval- 
uation by garbling XOR, XNOR, NAND, OR, NOR and AND gates in 
the same way, and keeping the evaluator oblivious of the gate function. 


Keywords: Garbled circuits • Lower bound on linear garbling schemes • 
Semi-private function evaluation 


1 Introduction 

Yao's garbled circuit technique [28], modeled as a stand-alone primitive by Bellare et al. [4], is one of the most important techniques to achieve secure two-party computation. In this technique, one of the parties, the garbler, creates an encrypted form of a circuit, a so-called garbled circuit, which the other party, the evaluator, can evaluate without being able to learn anything other than the output of the computed function. Malkhi et al. demonstrated the practical feasibility of Yao's technique with their implementation Fairplay [21].

Continued research on Yao’s technique has improved its efficiency in terms 
of computational as well as communication cost. After Yao’s original proposal, 
which needed four ciphertexts to garble a single gate, several techniques have 
been proposed which reduce the number of ciphertexts in a garbled circuit. The 
most important works achieve a reduction to a factor roughly between 0.25 and 
0.75. Naor et al. [22] pointed out that the number of ciphertexts needed per gate 
can be reduced from four to three, by setting one of them to the all-zero string. 
Kolesnikov and Schneider [15] showed how to garble XOR gates “for free”, by 
setting their output keys to be the XOR of their input keys. Pinkas et al. [26] 
use polynomial interpolation to garble gates with only two ciphertexts per gate. 
Their technique is not compatible with the free XOR technique. 

© International Association for Cryptologic Research 2016 
Recently, Zahur et al. [29] observed that all of the garbling schemes mentioned above share a structure which they model as linear garbling schemes. Basically, garbler and evaluator use only XOR operations in the field $GF(2^k)$, and calls to a random oracle, to process the circuit. Zahur et al. showed that garbling an AND gate in this linear structure requires at least two ciphertexts. They further proposed a garbling scheme, the half gate construction, which matches this lower bound, and is compatible with the free XOR technique. They concluded that to require fewer ciphertexts, one needs to employ non-linear, and thus presumably inefficient, techniques. This gives the impression that the optimum we can achieve concerning communication cost in the semi-honest case has already been reached. In this work, we show that this is not necessarily the case.

Our Contribution: We propose an efficient garbling scheme which requires strictly less than two $k$-bit ciphertexts per AND gate. Our construction is easy to understand and implement, and its computational cost is comparable to existing practical schemes. Evaluation looks the same for XOR, XNOR, AND, NAND, OR, and NOR gates, so our technique can be applied to secure function evaluation of semi-private functions (SPF-SFE) [25], where the evaluator knows the circuit topology, but not the gate functions. If the positions of XOR gates are known, the number of ciphertexts can be further reduced. We prove that our garbling scheme achieves simulation-based privacy [4] in the random oracle model.

Our construction requires only a single $k$-bit ciphertext for AND gates of which at least one input wire is a circuit input wire. This already seems contradictory to the lower bound, which considers a single AND gate rather than a whole circuit. All other (inner) AND gates need one additional $k$-bit ciphertext for adjustment. Thus, general circuits require $1 \leq s \leq 2$ $k$-bit ciphertexts$^1$ per AND gate. In circuits with fan-out one, at least half of the gates are input gates, so we require $1 \leq s \leq 1.5$ ciphertexts per gate. Even so, we do not break the lower bound. We circumvent it by slightly deviating from the linear garbling model, and we do need $5 > 2$ ciphertexts for circuit input gates, and $6 > 2$ ciphertexts for inner gates. But four of them have a length of merely 2 bits.

We demonstrate how we circumvent the lower bound, and hope that our 
observations sow new ideas for further improvement. We further show that there 
is at least one other garbling scheme which circumvents the lower bound in a 
very similar way: a secret-sharing based construction introduced by Kolesnikov 
in 2005 [13] garbles AND gates with zero ciphertexts. Kolesnikov’s technique 
produces a large blow-up of the input key size, and is impractical for large 
circuits. It is nonetheless interesting to look at in order to find directions for 
more efficient constructions. 

Idea of our Construction: The linear garbling model performs all operations in $GF(2^k)$. It allows only XOR operations (denoted by $\oplus$) and random oracle calls. In contrast, we also use $(\mathbb{Z}_{2^k}, +)$, where $+$ denotes standard addition, in cases where we need $d + d \neq 0$ for some value $d$.


1 The case $s = 2$ can only happen in circuits which have no input.
Consider a hash function $H$ and an AND gate with input wires $A$ and $B$, to which we want to assign input wire labels $K_A^0, K_A^1$ and $K_B^0, K_B^1$, respectively, as well as output wire labels $K_C^0$ and $K_C^1$. We exploit a similar relation as the free XOR technique, but in $\mathbb{Z}_{2^k}$ rather than $GF(2^k)$: if $K_A^1 = K_A^0 + d$ and $K_B^1 = K_B^0 + d$ for some $d \in \mathbb{Z}_{2^k}$, we have

$$K_A^0 + K_B^1 = K_A^1 + K_B^0 = K_A^0 + K_B^0 + d.$$

The garbler can then set the output wire label $K_C^0$ to either

$$K_C^0 := H(K_A^0 + K_B^0) \quad \text{or} \quad K_C^0 := H(K_A^0 + K_B^0 + d),$$

each with probability $\frac{1}{2}$, and include the single ciphertext

$$G := H(K_A^0 + K_B^0) \oplus H(K_A^0 + K_B^0 + d)$$

in the garbled circuit. If we further set

$$K_C^1 := H(K_A^0 + K_B^0 + 2d) = H(K_A^1 + K_B^1),$$

the evaluator simply needs to hash his input keys, and XOR the hash value with the ciphertext $G$ if necessary.

Obviously, this construction is not yet secure, since the ciphertext is never used if the gate's output truth value is 1. Therefore, in the case of input $(1, 1)$, with probability $\frac{1}{2}$, we just let the evaluator use the ciphertext anyway, by setting

$$K_C^1 = H(K_A^0 + K_B^0 + 2d) \oplus b_1 G$$

for a random bit $b_1 \in \{0, 1\}$. This way, we need to provide only a single $k$-bit ciphertext $G$ for security parameter $k$. The evaluator needs to use $G$ with probability $\frac{1}{2}$ in any case, and learns nothing about the actual input.

Additionally, we need four 2-bit ciphertexts$^2$ to communicate whether the $k$-bit ciphertext is to be used or not. Also, the difference $d$ is not preserved for the output wire labels, so for inner gates, we need one additional $k$-bit ciphertext for adjustment. For the same reason, our construction is not compatible with free XOR. However, XOR gates of which at least one input wire does not depend on the output of an AND gate can use the free XOR technique and need 0 ciphertexts, while inner XOR gates can be garbled with only one $k$-bit ciphertext.

How we bypass the lower bound: In all known linear garbling schemes, the operation the evaluator needs to perform, for example, which ciphertext to use, depends on wire-specific permute bits. Changing even one permute bit assigns a different operation to the output truth value 1. The lower-bound proof strongly depends on this fact, and on the assumption that all ciphertexts are elements of $GF(2^k)$. However, 2-bit values can be masked with 2-bit ciphertexts$^3$.

2 One bit in each ciphertext contains the actual choice bit whether to use the ciphertext, and the other contains the color bit of the output label.

3 More precisely, these ciphertexts need only 2 bits of entropy, and can be represented with a bitstring of length 2.
Our scheme can be divided into a $k$-bit part not dependent on any permute bits, and a 2-bit part which depends on permute bits. For the $k$-bit part, the same operation using the same ciphertext might be performed by the evaluator for two different inputs, which might even lead to different output truth values. Thus, the arguments of the lower-bound proof do not apply$^4$ to our $k$-bit part. However, we communicate which operation to perform via several 2-bit ciphertexts, which depend on permute bits in the standard way, and for which all arguments in the lower-bound proof hold: we do need more than two of them per AND gate.

Some Remarks: Our construction offers significant improvements for semi- 
private functions, where the gate function needs to be hidden and free XOR can- 
not be used anyway. If the gate functions are known to the evaluator, whether our 
construction actually performs better than the half gate construction strongly 
depends on the circuit layout. It might offer significant improvement for circuits 
with fan-out one consisting mostly of odd gates like AND, NAND, OR and NOR. 
However, for most interesting circuits, the actual practical improvement might 
be insignificant or non-existent in the non-semi-private case.

One could argue that, since each circuit input is known either by the garbler 
or by the evaluator, all input gates can be garbled as half gates, which require 
only one ciphertext. This would make the half gate construction [29] strictly bet- 
ter than ours in the case of known gate functions. However, this approach has 
several problems. When used with the cut and choose technique, check circuits 
would reveal part of the garbler’s input if generator half gates on input level 
are opened. In addition, inputs need to be known at the time of garbling, which 
makes this approach incompatible with reactive garbling [24], and prevents postponing the garbling process to an offline phase. Compliance with simulation-based privacy is unclear, since the simulator does not know the inputs. In addition, this approach seems to contradict the lower bound introduced in the same paper. Nonetheless, we introduce an optimization in Appendix A, which combines our scheme with this idea, such that the first two gate levels require only one $k$-bit ciphertext per AND gate for fortunate circuit layouts.

Other Related Work: There are at least two garbling schemes [12, 13] which do not need to communicate any $k$-bit ciphertexts at all, if the garbled circuit has fan-out one, by garbling the circuit backwards from output gate to input gates.
Both schemes produce larger input keys, and when garbling general circuits, 
require additional ciphertexts. One is the information theoretically secure con- 
struction by Kolesnikov [13]. Output keys are secret-shared into the input keys, 
and no ciphertexts are required at all. However, the secret sharing produces a 
blow-up in the input key size which is quadratic in the circuit depth. The other, 
introduced by Kempka et al. [12], creates ciphertexts by hashing public data, 
sparing the need to communicate them. Fitting decryption keys are then deter- 
mined by the garbler, who uses a secret trapdoor to invert the ciphertexts with 


4 As we will see, this is also the case in Kolesnikov’s scheme [13], where permute bits 
are only assigned to one input wire per gate. 
an inverse trapdoor one-way permutation. Due to the asymmetric primitive, the construction requires a larger security parameter.

Huang et al. [8] garble AND gates as generator half gates with one ciphertext, 
to realize a permutation network. Paus et al. [25] eliminate constant inputs to 
reduce the circuit size. Both techniques might be used before applying ours. 
However, the benefits do not necessarily add up, because they reduce the number 
of input wires. Compliance with simulation-based privacy [4] is unclear since the 
simulator does not know the garbler’s input. 

Secure function evaluation is called semi-private (SPF-SFE), if the topology 
of the circuit is known to the evaluator, but the gate functions are kept secret. 
As pointed out by Paus et al. [25], Yao’s original construction [28] already hides 
the gate function, and can directly be used for SPF-SFE. The same holds for 
the three-row reduction (GRR3) [22]. Both constructions allow using free XOR 
in circuit parts which are known to the evaluator. Paus et al. implement circuits 
with privately programmable blocks by garbling several functions (sub-circuits) 
with Yao’s construction and multiplexing their output. Their construction can 
easily be combined with our technique, giving up free XOR for non-private parts, 
but reducing the garbled circuit size significantly for the private part of the circuit. One limitation here is that we cannot realize left-or-right wire choosing (multiplexing), or constant gates within a single gate. Therefore, the multiplexer subcircuit by Paus et al. still needs to be realized using Yao's circuits$^5$. The half gate approach [29] hides which odd gate (AND, NAND, OR, NOR) is evaluated. However, the positions of XOR gates need to be known to the evaluator. The same holds for the GRR2 techniques of Pinkas et al. [26] and Gueron et al. [7]. SPF-SFE is also covered by works on private function evaluation, which additionally hide the circuit topology. Naturally, hiding the topology comes with a larger overhead in the circuit size. Constructions using universal circuits require $O(l \cdot \log(l))$ [27] or $O(l \cdot \log^2(l))$ [16] additional gates, where $l$ is the number
of gates of the original circuit. The LEGO-like construction of Katz and Malka 
[11] produces less overhead, but requires asymmetric primitives, in particular, 
one-time homomorphic encryption. 

Another line of research focuses on security against malicious adversaries 
[1,5,6,9,10,17,19,20,23]. This work focuses on the semi-honest case.

2 Preliminaries 

2.1 Notation 

We use the following notations. By $x \leftarrow X$, we denote that $x$ is randomly selected from the set $X$ according to the uniform distribution, $x \leftarrow \mathrm{Algo}$ denotes that $x$ is the output of a probabilistic algorithm Algo, $A := B$ denotes that $A$ is defined by $B$, and $[S]_x$ denotes the $x$-th bit of bitstring $S$. Our security parameter is $k$.

5 It is easy to see that we can use Yao’s garbling technique, GRR3 and our technique 
in the same circuit, and even adjust the difference of output wire labels in gates 
garbled with Yao’s technique or GRR3 on the way. 
2.2 Garbling Scheme 

In this section, we recall the definition of garbling schemes and the notion of 
simulation-based privacy of Bellare et al. [4]. 

A circuit is described as $f = (n, m, l, A, B, g)$. Here, $n \geq 2$ is the number of circuit input wires, $m \geq 1$ is the number of circuit output wires, and $l \geq 1$ is the number of gates (and their output wires). Let $W = \{1, \dots, n + l\}$ be the set of all wires, $W_{input} = \{1, \dots, n\}$ the set of circuit input wires, $W_{output} = \{n + l - m + 1, \dots, n + l\}$ the set of circuit output wires, and $W_{gate} = \{n + 1, \dots, n + l\}$ the set of gates (and their output wires). The functions $A : W_{gate} \to W \setminus W_{output}$ and $B : W_{gate} \to W \setminus W_{output}$ specify the first input wire $A(i)$ and the second input wire $B(i)$ of each gate $i$, respectively. We require $A(i) < B(i) < i$ for all $i \in W_{gate}$. The function $g : W_{gate} \times \{0, 1\}^2 \to \{0, 1\}$ specifies the gate function $g(i, \cdot, \cdot) = g_i(\cdot, \cdot)$ of each gate $i$. We leave out the parameter $i$ if it is clear from context. We define the notion of garbling schemes as follows.

Definition 1 (Garbling Scheme). A garbling scheme for a family of circuits 
$\mathcal{F} = \{\mathcal{F}_n\}_{n \in \mathbb{N}}$, where $n$ is a polynomial in a security parameter $k$, consists 
of probabilistic polynomial-time algorithms GC = (Garble, Encode, Eval, Decode) 
defined as follows. 

- Garble takes as input security parameter $1^k$ and circuit $f \in \mathcal{F}_n$, and outputs 
garbled circuit $F$, encoding information $e$, and decoding information $d$, i.e., 
$(F, e, d) \leftarrow \mathsf{Garble}(1^k, f)$. 

- Encode takes as input encoding information $e$ and circuit input $x \in \{0,1\}^n$, 
and outputs garbled input $X$, i.e., $X \leftarrow \mathsf{Encode}(e, x)$. 

- Eval takes as input garbled circuit $F$ and garbled input $X$, and outputs garbled 
output $Y$, i.e., $Y \leftarrow \mathsf{Eval}(F, X)$. 

- Decode takes as input decoding information $d$ and garbled output $Y$, and outputs 
circuit output $y$, i.e., $y \leftarrow \mathsf{Decode}(d, Y)$. 

A garbling scheme should have the following correctness property: for all 
security parameters $k$, circuits $f \in \mathcal{F}_n$, and input values $x \in \{0,1\}^n$, 
$(F, e, d) \leftarrow \mathsf{Garble}(1^k, f)$, $X \leftarrow \mathsf{Encode}(e, x)$, 
$Y \leftarrow \mathsf{Eval}(F, X)$, $y \leftarrow \mathsf{Decode}(d, Y)$, it holds 
that $y = f(x)$. 

We then define simulation-based privacy of garbling schemes as follows. We 
adapt the notion of Bellare et al. [4] slightly to allow the adversary access 
to a random oracle $H$. We denote by $\Phi(f)$ the information about circuit $f$ 
that is allowed to be leaked by the garbling scheme, e.g., size $\Phi_{size}(f) = (n, m, l)$, 
topology $\Phi_{topo}(f) = (n, m, l, A, B)$, or the entire information 
$\Phi_{circ}(f) = (n, m, l, A, B, g)$ of circuit $f = (n, m, l, A, B, g)$. 

Definition 2 (Simulation-based Privacy). For a garbling scheme GC = 
(Garble, Encode, Eval, Decode), function $f \in \mathcal{F}_n$, input values $x \in \{0,1\}^n$, 
simulator Sim, and random oracle $H$, the advantage of the adversary $\mathcal{A}$ is defined as 

$$\mathsf{Adv}^{\mathrm{prv.sim}}_{\mathsf{GC},\Phi,\mathcal{A}}(k) := \Big| \Pr[s \leftarrow \mathcal{A}^H(1^k), (F, e, d) \leftarrow \mathsf{Garble}(1^k, f), X \leftarrow \mathsf{Encode}(e, x) : \mathcal{A}^H(s, F, X, d) = 1]$$
$$\qquad - \Pr[s \leftarrow \mathcal{A}^H(1^k), (F, X, d) \leftarrow \mathsf{Sim}(1^k, \Phi(f), f(x)) : \mathcal{A}^H(s, F, X, d) = 1] \Big|.$$

A garbling scheme GC = (Garble, Encode, Eval, Decode) is private, if there 
exists a probabilistic polynomial-time simulator Sim, such that for any function 
$f \in \mathcal{F}_n$, input values $x \in \{0,1\}^n$, and probabilistic polynomial-time adversary 
$\mathcal{A}$, the advantage $\mathsf{Adv}^{\mathrm{prv.sim}}_{\mathsf{GC},\Phi,\mathcal{A}}(k)$ is negligible. 

3 A Garbling Scheme Which Circumvents the Lower Bound 

We first describe our basic garbling scheme considering only AND gates, in the 
semi-honest model. In Sect. 3.2, we describe how to garble other gate types, 
and application to semi-private functions. Our scheme is not compatible with 
free XOR, but Sect. 3.3 shows that we can garble XOR gates with 0 or 1 $k$-bit 
ciphertexts, and sometimes even inner AND gates can be garbled with 1 $k$-bit 
ciphertext. Section 3.4 briefly discusses the malicious case. We estimate efficiency 
in Sect. 4, and prove that our scheme achieves simulation-based privacy as defined 
by Bellare et al. [4] in the semi-honest setting in Sect. 5. 


3.1 Our Construction 

We use the following notation. Let $k$ be our security parameter. With the $+$ 
symbol, we denote addition in $\mathbb{Z}_{2^k}$. The operation $\oplus$ performs a bitwise XOR 
on bitstrings. Elements in $\mathbb{Z}_{2^k}$ are interpreted as bitstrings when used with the 
$\oplus$ operation. The function $\mathsf{lsb}(x)$ returns the least significant bit of its input $x$, 
and the function $\mathsf{lsb}_2(x)$ returns the two least significant bits of $x$. 

We assign to each wire $i$ two labels $K_i^0, K_i^1 \in \mathbb{Z}_{2^k}$, where $K_i^b$ represents the 
truth value $b \in \{0,1\}$ on that wire. To each wire $i$, we assign a random permute 
bit $\lambda_i$ known only to the garbler. Each wire label $K_i^b$ has an assigned bit $c_i^b = \lambda_i \oplus b$, 
which we call the color bit or the color of a wire label, in the style of previous 
work, and to avoid confusion with the other choice bits which we describe below. So 
far, this is no different from most existing garbling schemes. However, jumping 
ahead, to circumvent the lower bound, the actual operation to compute a gate's 
output label needs to be somewhat detached from the color bits and the permute 
bits. To achieve this, we use three additional kinds of choice bits. Their exact 
role, and their relations among each other as well as to the permute and color 
bits, will become clear in the scheme description. We provide a brief overview 
here. In the garbling process, the garbler chooses two random bits $b_0$ and $b_1$ 
for each gate. These bits define by which operation the gate's output labels are 
computed. The bits $b_0$ and $b_1$ are independent of all color bits $c_i^b$ and permute 
bits $\lambda_i$. They need to remain secret, but define a single choice bit $\gamma^{(a,b)}$ for each 
gate input $(a, b) \in \{0,1\}^2$. The appropriate $\gamma^{(a,b)}$ needs to be communicated to 
the evaluator. We use the color bits $c_A^a, c_B^b$ of the gate's input wires to point to 
the correct encryption of the corresponding choice bit $\gamma \in \{\gamma^{(a,b)}\}_{(a,b) \in \{0,1\}^2}$, 
which then points to the correct operation to compute the gate's output label. 

Our garbling algorithm is described in Fig. 1. Encoding of inputs and evalu- 
ation are described in Figs. 2 and 3. Decoding consists of XORing the color bits 
of the circuit output wires with the corresponding permute bits, as specified in 
Fig. 4. To prevent attacks similar to the one described by Bellare et al. [3], we 
include a second parameter in our hash function H : a unique tweak j, incre- 
mented before each (evaluator’s) call to the hash function. This is also done in 
the half gate construction for similar reasons. We denote this in the same way, 
using a stateful procedure nextindex(), which increments an internal counter and 
returns it. For the sake of readability, we leave out this tweak in the following 
informal description of our garbling scheme. 

Let $i$ be an AND gate with input wires $A$ and $B$. Similar to the free XOR 
technique, we exploit commutativity of the $+$ operation: if $K_A^1 = K_A^0 + d_i$ and 
$K_B^1 = K_B^0 + d_i$, we have 

$$K_A^1 + K_B^0 = K_A^0 + K_B^1 = K_A^0 + K_B^0 + d_i.$$

We further arrange the output wire labels to be either the hash of the input 
keys, or the $k$-bit ciphertext included in the garbled gate XOR this hash value. 

In more detail, to garble an AND gate, the garbler chooses two random bits 
$b_0, b_1 \in \{0,1\}$, sets the output wire label $K_i^0$ assigned to truth value 0 to 

$$K_i^0 := H(K_A^0 + K_B^0 + b_0 d_i),$$

and includes in the garbled circuit the single ciphertext 

$$G := H(K_A^0 + K_B^0) \oplus H(K_A^0 + K_B^0 + d_i).$$

The garbler further sets the output wire label $K_i^1$ assigned to truth value 1 to 

$$K_i^1 := H(K_A^0 + K_B^0 + 2d_i) \oplus b_1 G = H(K_A^1 + K_B^1) \oplus b_1 G.$$

To evaluate an AND gate, given the input wire labels $K_A$ and $K_B$, the 
evaluator needs to compute either $H(K_A + K_B)$ or $H(K_A + K_B) \oplus G$. We let 
the evaluator know whether he needs to use the ciphertext $G$ via a choice bit $\gamma$, 
which he can compute using his input keys as described below. The choice bit $\gamma$ 
does not reveal any information about the input, since for any input combination 
$(a, b) \in \{0,1\}^2$, the evaluator needs to use the ciphertext with probability 

Before we continue our description, let us point out that so far, we have not 
used any permute bits or color bits. In fact, whether the evaluator needs to use 
the ciphertext $G$ only depends on the input and the bits $b_0$ and $b_1$, which are 
independent of any wire-specific permute bits. This fact plays an important role 
in circumventing the lower bound on garbling schemes [29]. Details on this can be 
found in Sect. 6. Arguments in the lower-bound proof show us that to circumvent 
the lower bound, we need to avoid a direct dependency between permute bits 
assigned to the input wires and the choice bit $\gamma$, which implies that $\gamma$ cannot be 
computed by the evaluator as a function of the color bits. Instead, we include in 
the garbled circuit the four 1-bit ciphertexts 

$$b_\gamma^{(a,b)} := \mathsf{lsb}(H(K_A^a \| K_B^b)) \oplus \gamma^{(a,b)},$$




which encrypt the correct choice bit for each possible input combination 
$(a, b) \in \{0,1\}^2$. The choice bits $\gamma^{(a,b)}$ only depend on $b_0$ and $b_1$; we have 

$$\gamma^{(0,0)} = b_0, \qquad \gamma^{(0,1)} = \gamma^{(1,0)} = 1 - b_0, \qquad \gamma^{(1,1)} = b_1.$$

However, we order the four ciphertexts $b_\gamma^{(a,b)}$ according to the permute bits 
$\lambda_A$ and $\lambda_B$ of the input wires, so the evaluator can choose the correct ciphertext 
using his color bits $c_A^a = \lambda_A \oplus a$ and $c_B^b = \lambda_B \oplus b$ as usual. 

We still need to describe how the evaluator learns the color bits. For the 
circuit input wires, we can use the least significant bit of the input wire labels as 
usual. However, we have little freedom in choosing output wire labels, and thus 
cannot guarantee their least significant bits to be different. Instead, as for $\gamma$, we 
include in the garbled circuit four additional 1-bit ciphertexts, 

$$b_c^{(a,b)} := \mathsf{lsb}(H(K_A^a \| K_B^b)) \oplus g_i(a,b) \oplus \lambda_i,$$

among which the evaluator chooses using the color bits of the input wire labels, 
so together with the four ciphertexts encrypting $\gamma$, we would have eight 1-bit 
ciphertexts in total. To reduce the number of oracle calls, we use the two least 
significant bits of the hash output, denoted by $\mathsf{lsb}_2$, and create the four 
2-bit ciphertexts 

$$b_{c,\gamma}^{(a,b)} := \mathsf{lsb}_2(H(K_A^a \| K_B^b)) \oplus \big((g_i(a,b) \oplus \lambda_i) \| \gamma^{(a,b)}\big)$$

instead. This way we avoid having to evaluate the hash function twice on the 
same input values but with different tweaks. 

Unfortunately, we cannot have a global difference $d$ such that $K_i^1 = K_i^0 + d$ 
for each wire $i$. Since the labels of circuit input wires can be chosen freely, 
they can be given the same difference. However, this difference is not preserved 
and cannot be controlled in non-input wires. In the next circuit level, gate $i$'s 
input wires $A$ and $B$ will thus have wire labels $(K_A^0, K_A^1)$ and $(K_B^0, K_B^1)$ with 
$K_A^1 - K_A^0 \neq K_B^1 - K_B^0$ with high probability. We provide one additional ciphertext 
to adjust the difference: let $\lambda_B$ be the permute bit on wire $B$, and the difference $d'$ 
used for this gate $d' := K_A^1 - K_A^0$. Then we set $K_{B'}^{\lambda_B} := K_B^{\lambda_B}$, $K_{B'}^{1-\lambda_B} := K_{B'}^{\lambda_B} + d'$ 
and include a second $k$-bit ciphertext $E := K_B^{1-\lambda_B} \oplus K_{B'}^{1-\lambda_B}$ in the garbled circuit. 
This is why we need two ciphertexts for inner^6 AND gates. The complete garbling 
algorithm is described in Fig. 1. For better readability, we only describe AND 
gates in the main algorithm. A discussion about arbitrary gates and semi-private 
function evaluation can be found in Sect. 3.2. 

We cannot use a field with characteristic two to compute addition, since we 
require $2d \neq 0$ for all differences $d$ occurring in the garbled circuit. Therefore, 
we perform addition in $\mathbb{Z}_{2^k}$, which gives us a small error probability: there is one 
element $d_0 \in \mathbb{Z}_{2^k}$ with order 2. Since $K + 2d_0 = K$ for all $K \in \mathbb{Z}_{2^k}$, garbling a 


6 The situation changes when an inner AND gate has only XOR gates as predecessors. 
In this case, we can use the freedom of key choices in the XOR gates to adjust the 
difference of the AND gate’s input keys. 
Garbling algorithm Garble($1^k$, $f$) 

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$ 

Algorithm: 
1. Initialize empty arrays $F[\,]$, $e[\,]$, $d[\,]$ with $|F| = l$, $|e| = n$ and $|d| = m$. 

2. Garbling the gates: For $i := n + 1$ to $l + n$ do: 

(a) Set $A := A(i)$ and $B := B(i)$. 

(b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0,1\}$ at random. 
For all $(a, b) \in \{0,1\}^2$, if undefined, set $c_A^a := \lambda_A \oplus a$, $c_B^b := \lambda_B \oplus b$. 

(c) Input keys: 

— If $A$'s and $B$'s labels are defined: 
set $d_i := K_A^1 - K_A^0$, 
$K_{B'}^{\lambda_B} := K_B^{\lambda_B}$, and 
$K_{B'}^{1-\lambda_B} := K_{B'}^{\lambda_B} + (-1)^{\lambda_B} d_i$. 
Set $j_E := \mathsf{nextindex}()$, 
$E := H(K_B^{1-\lambda_B}, j_E) \oplus K_{B'}^{1-\lambda_B}$. 

— If $A$'s labels are defined and $B$'s labels are undefined (vice versa analogously), 
set $d_i := K_A^1 - K_A^0$, choose $K_B^0$ at random and set $K_B^1 := K_B^0 + d_i$, 
$K_{B'}^0 := K_B^0$, $K_{B'}^1 := K_B^1$. 

— If $A$'s and $B$'s labels are undefined, 
choose $K_A^0$, $K_B^0$ and $d_i$ at random and 
set $K_A^1 := K_A^0 + d_i$, $K_B^1 := K_B^0 + d_i$, $K_{B'}^0 := K_B^0$, $K_{B'}^1 := K_B^1$. 

(d) GarbleAND: 

Set $j_L := \mathsf{nextindex}()$. 

Set $G := H(K_A^0 + K_{B'}^0, j_L) \oplus H(K_A^0 + K_{B'}^0 + d_i, j_L)$. 

Choose random bits $b_0, b_1 \in \{0,1\}$. 

Set $K_i^0 := H(K_A^0 + K_{B'}^0 + b_0 d_i, j_L)$. 

Set $K_i^1 := H(K_A^0 + K_{B'}^0 + 2d_i, j_L) \oplus b_1 G$. 

Set $\gamma^{(0,0)} := b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := 1 - b_0$, $\gamma^{(1,1)} := b_1$. 

(e) Encrypt choice bits $\gamma^{(a,b)}$ and color bits of output wire: 

Set $j_{c,\gamma} := \mathsf{nextindex}()$. 

Choose random permute bit $\lambda_i \in \{0,1\}$. 

For all $(a, b) \in \{0,1\}^2$, 

$b_{c,\gamma}^{2c_A^a + c_B^b} := \mathsf{lsb}_2(H(K_A^a \| K_{B'}^b, j_{c,\gamma})) \oplus \big((g_i(a,b) \oplus \lambda_i) \| \gamma^{(a,b)}\big)$. 

(f) Set $F[i] := (b_{c,\gamma}^0, b_{c,\gamma}^1, b_{c,\gamma}^2, b_{c,\gamma}^3, G, E)$, if $E$ is defined. 

Set $F[i] := (b_{c,\gamma}^0, b_{c,\gamma}^1, b_{c,\gamma}^2, b_{c,\gamma}^3, G)$, otherwise. 

(g) If $j \in \{A, B\}$ is a circuit input wire ($j \in W_{input}$), 
set $e[j] := (K_j^0 \| c_j^0, K_j^1 \| c_j^1)$. 

If $i \in W_{output}$, set $d[i - (n + l) + m] := \lambda_i$. 

Output: Garbled circuit $F$, encoding $e$, decoding $d = (\lambda_{n+l-m+1}, \ldots, \lambda_{n+l})$ 


Fig. 1. The proposed garbling algorithm. 


Encoding algorithm Encode($e$, $x$) 

Inputs: Garbled input keys $e$, input $x$ 
Algorithm: Parse $x$ as $x = x_1 \ldots x_n$. 
For $i = 1$ to $n$ do: 

Parse $e[i] = (e_0, e_1)$. 

$X[i] := e_{x_i}$. 

Return $X$. 


Fig. 2. The function Encode. 
Evaluation algorithm Eval($F$, $X$) 

Inputs: Garbled circuit $F$, garbled input $X$ 
Algorithm: 1. For $j = 1$ to $n$ do 

$K_j \| c_j := X[j]$ 

2. Compute wire labels: 

For $i := n + 1$ to $l + n$ do 

— Set $A := A(i)$ and $B := B(i)$. 

— Set $\kappa := 2c_A + c_B$. 

— Parse $F[i] = (b_{c,\gamma}^0, b_{c,\gamma}^1, b_{c,\gamma}^2, b_{c,\gamma}^3, G, E)$. 

— If $E$ is defined: 

• Set $j_E := \mathsf{nextindex}()$. 

• If $c_B = 1$, set $K_B := E \oplus H(K_B, j_E)$. 

— Set $j_L := \mathsf{nextindex}()$, $j_{c,\gamma} := \mathsf{nextindex}()$. 

— Compute $c_i \| \gamma := \mathsf{lsb}_2(H(K_A \| K_B, j_{c,\gamma})) \oplus b_{c,\gamma}^{\kappa}$. 

— Set $K_i := H(K_A + K_B, j_L) \oplus \gamma G$. 

3. Return $Y := (c_{n+l-m+1}, \ldots, c_{n+l})$. 


Fig. 3. The evaluation algorithm. 


Decoding algorithm Decode($d$, $Y$) 

Inputs: Decoding $d$, evaluation output $Y$ 
Algorithm: Parse $Y = (c_1, \ldots, c_m)$. 

Parse $d = (\lambda_1, \ldots, \lambda_m)$. 

Return $f(x) := (c_1 \oplus \lambda_1, \ldots, c_m \oplus \lambda_m)$. 


Fig. 4. The function Decode. 


Garbling other gate types 

GarbleOR: 

Set $j_L := \mathsf{nextindex}()$. 

Set $G := H(K_A^0 + K_{B'}^0 + d_i, j_L) \oplus H(K_A^0 + K_{B'}^0 + 2d_i, j_L)$. 
Choose random bits $b_0, b_1 \in \{0,1\}$. 

Set $K_i^0 := H(K_A^0 + K_{B'}^0, j_L) \oplus b_1 G$. 

Set $K_i^1 := H(K_A^0 + K_{B'}^0 + d_i + b_0 d_i, j_L)$. 

Set $\gamma^{(0,0)} := b_1$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_0$, $\gamma^{(1,1)} := 1 - b_0$. 

GarbleXOR: 

Set $j_L := \mathsf{nextindex}()$. 

Set $G := H(K_A^0 + K_{B'}^0, j_L) \oplus H(K_A^0 + K_{B'}^0 + 2d_i, j_L)$. 
Choose random bits $b_0, b_1 \in \{0,1\}$. 

Set $K_i^0 := H(K_A^0 + K_{B'}^0 + (1 - b_0) \cdot 2d_i, j_L)$. 

Set $K_i^1 := H(K_A^0 + K_{B'}^0 + d_i, j_L) \oplus b_1 G$. 

Set $\gamma^{(0,0)} := 1 - b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_1$, $\gamma^{(1,1)} := b_0$. 


Fig. 5. Garbling OR and XOR gates. Garbling NAND, NOR and XNOR can be done 
by swapping $K_i^0$ and $K_i^1$ in the AND, OR and XOR description, respectively. 
gate with input wire labels differing by $d_0$ produces identical output wire labels 
for this gate, or labels differing by $G$. However, the error probability is negligible, 
and the garbler can detect it and start over with different randomness. We need 
to take care of this in the malicious case, as discussed in Sect. 3.4. 
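The per-gate garbling of Figs. 1 and 5 and the evaluation of Fig. 3, as an added Python example (not the authors' code): $H$ is instantiated, as an assumption, by SHA-256 over the label(s) and the tweak $j$ truncated to $k = 128$ bits, labels are integers reduced mod $2^k$, and the check runs every gate type on all four inputs, including an inner gate whose second input wire is re-keyed through $E$.

```python
import hashlib
import secrets

K = 128                      # security parameter k; wire labels live in Z_{2^k}
MOD = 1 << K
GATE = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}

def H(data, j):
    """Stand-in for the random oracle H(., j) (assumption): SHA-256 of data || tweak j,
    truncated to k bits and read as an element of Z_{2^k}."""
    digest = hashlib.sha256(data + j.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[: K // 8], "big")

def enc(x):
    return (x % MOD).to_bytes(K // 8, "big")    # element of Z_{2^k} as a k-bit string

class Counter:
    """nextindex(): garbler and evaluator must call it in the same order."""
    def __init__(self):
        self.j = 0
    def nextindex(self):
        self.j += 1
        return self.j

def garble_gate(gtype, KA0, KB0, d, lamA, lamB, ctr):
    """Steps (d)-(f) of Fig. 1 (AND) or Fig. 5 (OR, XOR) for input labels with
    K_A^1 = K_A^0 + d and K_B^1 = K_B^0 + d. Returns F[i], (K_i^0, K_i^1), lambda_i."""
    S = (KA0 + KB0) % MOD
    jL = ctr.nextindex()
    b0, b1 = secrets.randbits(1), secrets.randbits(1)
    Hs = lambda off: H(enc(S + off), jL)            # H(K_A^0 + K_B^0 + off, j_L)
    if gtype == "AND":
        G = Hs(0) ^ Hs(d)
        K0, K1 = Hs(b0 * d), Hs(2 * d) ^ (b1 * G)
        gamma = {(0, 0): b0, (0, 1): 1 - b0, (1, 0): 1 - b0, (1, 1): b1}
    elif gtype == "OR":
        G = Hs(d) ^ Hs(2 * d)
        K0, K1 = Hs(0) ^ (b1 * G), Hs(d + b0 * d)
        gamma = {(0, 0): b1, (0, 1): b0, (1, 0): b0, (1, 1): 1 - b0}
    else:                                            # XOR
        G = Hs(0) ^ Hs(2 * d)
        K0, K1 = Hs((1 - b0) * 2 * d), Hs(d) ^ (b1 * G)
        gamma = {(0, 0): 1 - b0, (0, 1): b1, (1, 0): b1, (1, 1): b0}
    jc = ctr.nextindex()
    lam_i = secrets.randbits(1)
    cts = [0] * 4                                    # 2-bit ciphertexts, indexed by 2c_A + c_B
    for a in (0, 1):
        for b in (0, 1):
            kappa = 2 * (lamA ^ a) + (lamB ^ b)      # colour bits of K_A^a, K_B^b
            plain = ((GATE[gtype](a, b) ^ lam_i) << 1) | gamma[(a, b)]
            mask = H(enc(KA0 + a * d) + enc(KB0 + b * d), jc) & 3   # lsb2(H(K_A^a || K_B^b))
            cts[kappa] = mask ^ plain
    return {"cts": cts, "G": G}, (K0, K1), lam_i

def adjust_difference(KB, lamB, d, ctr):
    """Step (c) of Fig. 1 for an inner gate: re-key wire B = (K_B^0, K_B^1) to the
    gate's difference d and emit the k-bit ciphertext E for the colour-1 label."""
    KBp = [0, 0]
    KBp[lamB] = KB[lamB]
    KBp[1 - lamB] = (KBp[lamB] + (-1) ** lamB * d) % MOD
    jE = ctr.nextindex()
    E = H(enc(KB[1 - lamB]), jE) ^ KBp[1 - lamB]
    return tuple(KBp), E

def eval_gate(Fi, KA, cA, KB, cB, ctr, E=None):
    """Step 2 of Fig. 3 for one gate; returns (K_i, c_i)."""
    if E is not None:
        jE = ctr.nextindex()
        if cB == 1:                                  # colour 1 holds the re-keyed label
            KB = E ^ H(enc(KB), jE)
    jL, jc = ctr.nextindex(), ctr.nextindex()
    two = (H(enc(KA) + enc(KB), jc) & 3) ^ Fi["cts"][2 * cA + cB]
    c_i, gamma = two >> 1, two & 1
    return H(enc(KA + KB), jL) ^ (gamma * Fi["G"]), c_i

def fresh_wire(d):
    K0 = secrets.randbelow(MOD)                      # random labels (K^0, K^0 + d), permute bit
    return (K0, (K0 + d) % MOD), secrets.randbits(1)

def check_gate(gtype, inner=False):
    """Garble one gate and evaluate it on all four inputs (Sect. 5.1). With inner=True
    the input wires get different differences, so the second ciphertext E is needed."""
    dA, dB = secrets.randbelow(MOD), secrets.randbelow(MOD)
    A, lamA = fresh_wire(dA)
    B, lamB = fresh_wire(dB if inner else dA)
    gctr, E, Bp = Counter(), None, B
    if inner:
        Bp, E = adjust_difference(B, lamB, dA, gctr)
    Fi, Kout, lam_i = garble_gate(gtype, A[0], Bp[0], dA, lamA, lamB, gctr)
    for a in (0, 1):
        for b in (0, 1):
            Ki, ci = eval_gate(Fi, A[a], lamA ^ a, B[b], lamB ^ b, Counter(), E)
            g = GATE[gtype](a, b)
            if Ki != Kout[g] or ci != lam_i ^ g:     # wrong label or colour bit
                return False
    return True
```

`check_gate("AND")`, `check_gate("OR")`, `check_gate("XOR")` and `check_gate("AND", inner=True)` all return True; the evaluator never sees $b_0$, $b_1$ or an inactive label, only the 2-bit ciphertext selected by its colour bits.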


3.2 Arbitrary Gates and Semi-private Function Evaluation 

We can garble other odd gates like NAND, OR and NOR, as well as the even 
gates XOR and XNOR, in a very similar way, by substituting the GarbleAND part 
(Step (d) in Fig. 1) with the appropriate one in Fig. 5. Evaluation is the same 
as for AND gates, so the evaluator only needs to know the circuit topology. 
This makes our construction directly applicable to semi-private functions [25]. 
To our knowledge, the best construction in previous work which garbles XOR 
and odd gates in the same way is Yao's original construction with GRR3, which 
needs three ciphertexts per garbled gate, while our construction needs one $k$-bit 
ciphertext for each input gate and two $k$-bit ciphertexts for each inner gate. 

The reason we can easily garble odd and even gates in the same way is the 
shared additive difference $d$ in $(\mathbb{Z}_{2^k}, +)$ of the gate input wires. In most garbling 
schemes, a function $F(\cdot, \cdot)$ is applied to the two input wire labels to compute 
the output labels in some way. Often $F$ is a hash function or a key derivation 
function. The mapping $F(K_A, K_B) \mapsto K_i$ has a different input/output pattern 
for odd and even gates in most garbling schemes (see Table 1): leaving out free 
XOR, $F(K_A^a, K_B^b)$ usually has a different value for each of the four gate inputs 
$(a, b) \in \{0,1\}^2$. In odd gates, three of them are mapped to a value $v$, and one is 
mapped to $1 - v$, where $v$ depends on the gate type; we call this a 3/1 pattern. In 
the even gates XOR and XNOR, the two values $F(K_A^0, K_B^0)$ and $F(K_A^1, K_B^1)$ 
are mapped to a value $v$, and the other two to $1 - v$, producing the even 2/2 
pattern. In our construction, $F(K_A^a, K_B^b) = H(K_A^a + K_B^b)$. We only have the 
three values $H(K_A^0 + K_B^0)$, $H(K_A^0 + K_B^0 + d)$, and $H(K_A^0 + K_B^0 + 2d)$. In each 
gate, two of them are mapped to a value $v$, and one is mapped to $1 - v$, creating 
a 2/1 pattern for both odd and even gates (see Table 2). 


Table 1. Usual output patterns 

| input | odd gates (N)AND | odd gates (N)OR | even gates X(N)OR |
|---|---|---|---|
| $F(K_A^0, K_B^0)$ | $v$ | $1 - v$ | $v$ |
| $F(K_A^0, K_B^1)$ | $v$ | $v$ | $1 - v$ |
| $F(K_A^1, K_B^0)$ | $v$ | $v$ | $1 - v$ |
| $F(K_A^1, K_B^1)$ | $1 - v$ | $v$ | $v$ |
| Pattern: | 3/1 | 3/1 | 2/2 |

Table 2. Output patterns in our construction 

| input | odd gates (N)AND | odd gates (N)OR | even gates X(N)OR |
|---|---|---|---|
| $F(K_A^0 + K_B^0)$ | $v$ | $1 - v$ | $v$ |
| $F(K_A^0 + K_B^0 + d)$ | $v$ | $v$ | $1 - v$ |
| $F(K_A^0 + K_B^0 + 2d)$ | $1 - v$ | $v$ | $v$ |
| Pattern: | 2/1 | 2/1 | 2/1 |
3.3 More Efficient Handling of XOR Gates 

Our wire labels do not share a global difference $\Delta$ with $K_i^1 = K_i^0 \oplus \Delta$ for 
each wire $i$. Thus, we cannot use the free XOR technique directly. We can still 
incorporate its idea in our garbling scheme to save ciphertexts. 


Free XOR and 1-Ciphertext-XOR. Input XOR gates can be garbled with 
zero ciphertexts. An XOR gate with only circuit input wires as input can simply 
be garbled as in the free XOR technique. Now assume an XOR gate $i$ with input 
wires $A$ and $B$ with labels $K_A^0, K_A^1, K_B^0, K_B^1$, where $B$ is a circuit input wire, and 
the labels for $A$ are already defined. We can set $\Delta := K_A^0 \oplus K_A^1$, choose $K_B^0$ at 
random, set $K_B^1 := K_B^0 \oplus \Delta$, $K_i^0 := K_A^0 \oplus K_B^0$, and $K_i^1 := K_i^0 \oplus \Delta$. 

Inner XOR gates can be garbled using one ciphertext to adjust the difference 
between the input wire labels in the same way as for the AND gates, but in 
$GF(2^k)$ rather than $\mathbb{Z}_{2^k}$. Alternatively, one could use the FleXOR technique 
[14] or the technique by Gueron et al. [7] for inner XOR gates. 

Backward Construction for Inner Gates with Preceding XOR Gates. 

If all paths from an input wire of an inner gate to circuit input wires consist only of 
XOR gates, we can sometimes adjust these preceding XOR gates in a backward 
manner, such that we can garble an inner XOR gate for free, or garble an inner 
AND gate with one ciphertext as if it were an input gate. 

As an example, consider the circuit $w_A := w_1 \oplus w_2$, $w_B := w_3 \oplus w_4$, and 
$w_O := w_A \wedge w_B$, where $w_1, w_2, w_3, w_4$ are the circuit input wires, $w_A$ and $w_B$ 
are the left and right input wires of the AND gate, and $w_O$ is the circuit output 
wire. Using the following construction, we only need 0, 0, and 1 ciphertexts for 
the left XOR gate, right XOR gate, and AND gate, respectively. 

1. Construct the left XOR gate with 0 ciphertexts as in the usual free XOR 
technique, using some random difference $\Delta_0$. This defines the labels $K_A^0, K_A^1$ 
for the left input wire $w_A$ of the AND gate. 

2. Define the additive difference $d := K_A^1 - K_A^0$. Select random $K_B^0$, set $K_B^1 := 
K_B^0 + d$ for the right input wire $w_B$ of the AND gate. The AND gate can now 
be garbled with 1 ciphertext. 

3. Define the XOR difference $\Delta := K_B^0 \oplus K_B^1$. Select random $K_3^0$ and $K_4^0$, set 
$K_3^1 := K_3^0 \oplus \Delta$ and $K_4^1 := K_4^0 \oplus \Delta$ for the input wires $w_3$ and $w_4$ of the right 
XOR gate. No ciphertexts are needed for this gate. 

Using intelligent difference adjustment like this, we can save adjustment 
ciphertexts for inner gates. 
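The three steps above, as an added Python example (not the authors' code) that builds the labels of $w_1, \ldots, w_4, w_A, w_B$ in that order and checks the two relations they must satisfy; $K_4^0$ is derived from $K_3^0$ and $K_B^0$ here (our reading of step 3), since $K_B^0$ is already fixed in step 2 and the right XOR gate must satisfy $K_B^0 = K_3^0 \oplus K_4^0$.

```python
import secrets

K = 128                 # security parameter k; labels are k-bit values
MOD = 1 << K


def backward_labels(rng=secrets):
    """Wire labels for w_A := w_1 xor w_2, w_B := w_3 xor w_4, w_O := w_A and w_B,
    chosen in the backward order of Sect. 3.3. Returns a dict of (K^0, K^1) pairs
    plus the additive difference d shared by the AND gate's two input wires."""
    # Step 1: left XOR gate as in free XOR with a random difference Delta_0.
    Delta0 = rng.randbelow(MOD)
    K1_0, K2_0 = rng.randbelow(MOD), rng.randbelow(MOD)
    w1, w2 = (K1_0, K1_0 ^ Delta0), (K2_0, K2_0 ^ Delta0)
    wA = (K1_0 ^ K2_0, K1_0 ^ K2_0 ^ Delta0)          # K_A^1 = K_A^0 xor Delta_0
    # Step 2: additive difference d := K_A^1 - K_A^0 in Z_{2^k}; w_B gets the same d,
    # so the AND gate can be garbled with one ciphertext like an input gate.
    d = (wA[1] - wA[0]) % MOD
    KB_0 = rng.randbelow(MOD)
    wB = (KB_0, (KB_0 + d) % MOD)
    # Step 3: XOR difference Delta := K_B^0 xor K_B^1 pushed back to w_3 and w_4.
    # K_3^0 is random; K_4^0 is then fixed by K_B^0 = K_3^0 xor K_4^0 (our reading).
    Delta = wB[0] ^ wB[1]
    K3_0 = rng.randbelow(MOD)
    K4_0 = K3_0 ^ wB[0]
    w3, w4 = (K3_0, K3_0 ^ Delta), (K4_0, K4_0 ^ Delta)
    return {"w1": w1, "w2": w2, "wA": wA, "w3": w3, "w4": w4, "wB": wB, "d": d}


def check_backward(lab):
    """True iff both XOR gates are free (K_A^{a xor b} = K_1^a xor K_2^b, and likewise
    for w_B from w_3, w_4) and both AND inputs have the additive difference d."""
    for a in (0, 1):
        for b in (0, 1):
            if lab["w1"][a] ^ lab["w2"][b] != lab["wA"][a ^ b]:
                return False
            if lab["w3"][a] ^ lab["w4"][b] != lab["wB"][a ^ b]:
                return False
    return ((lab["wA"][1] - lab["wA"][0]) % MOD == lab["d"]
            and (lab["wB"][1] - lab["wB"][0]) % MOD == lab["d"])
```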


3.4 Security Against Malicious Adversaries 

To achieve security against malicious adversaries, we can combine our construction 
with standard cut and choose [18]. Additional care needs to be taken that a 
malicious garbler cannot violate correctness by choosing input wire labels $K_A^0, K_A^1$ 
and $K_B^0, K_B^1$ with a difference $d$ with order 2 in $\mathbb{Z}_{2^k}$. Otherwise, he could set the 
labels of the output wire to identical values $K_i^0 = K_i^1 := H(K_A^0 + K_B^0) = 
H(K_A^0 + K_B^0 + 2d)$, or even make the circuit output the same for any input. A 
standard cut and choose check as in Lindell et al. [18] can prevent this, too. 

4 Efficiency 

In this efficiency estimation, we focus on the communication cost of our garbling 
scheme. Computational cost is comparable to existing practical constructions. A 
comparison of the number of calls to the hash function is listed in Table 3, where 
we consider plain SFE and handling of XOR gates as described in Sect. 3.3. 


Table 3. Number of oracle calls per gate in plain SFE 

| Technique | Garbler: XOR | Garbler: AND | Evaluator: XOR | Evaluator: AND |
|---|---|---|---|---|
| classical [2] | 4 | 4 | 4 | 4 |
| row reduction (GRR3) [22] | 4 | 4 | 1 | 1 |
| row reduction [26] | 4 | 4 | 1 | 1 |
| free XOR + GRR3 [15] | 0 | 4 | 1 | 1 |
| fleXOR [14] | {0,2,4} | 4 | {0,1,2} | 1 |
| half gates [29] | 0 | 4 | 0 | 2 |
| this work | {0,1} | {4,5} | {0,1} | {2,3} |


We estimate efficiency in three settings: Plain secure function evaluation 
(SFE) in which the evaluator knows all gate functions, SPF-SFE in which he 
only knows the circuit topology, and SFE with semi-private sub-circuits. Garbled 
odd gates do not differ in size, so it is sufficient to consider AND and XOR gates. 


4.1 Efficiency in Plain SFE 

First, we estimate efficiency assuming the evaluator knows all gate functions. We 
call a gate with at least one circuit input wire as input wire an input gate, and an 
inner gate is a gate which is not an input gate. Let $l_A$ denote the number of AND 
gates, $l_{A,in}$ the number of AND gates which are input gates, and $l_{A,mid} = l_A - l_{A,in}$ 
the number of inner AND gates. Similarly, $l_X$ denotes the number of XOR gates, 
$l_{X,in}$ the number of XOR gates which are input gates, and $l_{X,mid} = l_X - l_{X,in}$ the 
number of inner XOR gates. We have $l = l_A + l_X = l_{A,in} + l_{A,mid} + l_{X,in} + l_{X,mid}$. 

We consider handling XOR gates as described in Sect. 3.3, without the optimization 
for inner gates preceded by XOR gates. We compare the size of our 
garbled circuits with several garbling schemes in Table 4. In our construction, an 
XOR gate requires 0 or 1 $k$-bit elements, and an AND gate requires 1 or 2 $k$-bit 
elements, depending on the gate's position in the circuit. The other constructions 
use the least significant bits of wire labels to communicate color bits. This 
reduces security by one bit, so $(k+1)$-bit elements are needed to achieve the 
same security parameter $k$. Our construction requires 8 bits per gate in addition 
to the $k$-bit elements, $8l + k(l_{A,in} + 2l_{A,mid} + l_{X,mid})$ bits in total. 

Table 4. Size of garbled circuit in the plain SFE 

| technique | $k$-bit elements/gate: XOR | $k$-bit elements/gate: AND | total bits of garbled circuit |
|---|---|---|---|
| classical [2] | 4 | 4 | $4(k+1)l$ |
| row reduction (GRR3) [22] | 3 | 3 | $3(k+1)l$ |
| row reduction (GRR2) [26] | 2 | 2 | $2(k+1)l$ |
| free XOR + GRR3 [15] | 0 | 3 | $3(k+1)l_A$ |
| fleXOR [14] | {0,1,2} | 2 | $x$ s.t. $2l_A(k+1) \le x \le 2(k+1)l$ |
| half gates [29] | 0 | 2 | $2l_A(k+1)$ |
| this work | {0,1} | {1,2} | $8l + k(l_{A,in} + 2l_{A,mid} + l_{X,mid})$ |

Our construction generates smaller garbled circuits than the half gate construction 
when $k(l_{A,in} - l_{X,mid}) - 8l > 0$, i.e., when there are more input AND gates 
than inner XOR gates. Although our construction circumvents the lower bound 
and generates smaller garbled circuits in some cases, the half gate construction 
may still be the most efficient garbling scheme for most realistic circuits in 
plain SFE. 

4.2 Efficiency in SPF-SFE 

Second, we consider semi-private functions, where the evaluator is only allowed to 
learn the circuit topology. We assume that the garbler knows the function before 
garbling, and circuits consist of AND, NAND, OR, NOR, XOR and XNOR 
gates^7. In the SPF-SFE setting, we garble XOR gates according to Fig. 5 to make 
them indistinguishable from other gate types. Therefore, the size of a gate does 
not depend on its type. Let $l_{in}$ denote the number of input gates, $l_{mid}$ the number 
of inner gates, and $l = l_{in} + l_{mid}$ the total number of gates. We compare our 
construction to other garbling schemes compatible with SPF-SFE in Table 5. We 
omit GRR2, free XOR + GRR3 and fleXOR in this comparison, since they are 
less efficient than the half gates approach, and require the evaluator to know the 
positions of XOR gates. The same is true for the half gates approach, so for SPF-SFE, 
the circuit has to be transformed into one without XOR gates, which can be 
done by replacing each XOR gate with two odd gates. Therefore, effectively four 
ciphertexts are required for an XOR gate in the half gate approach. Note that 
free XOR cannot be used, because the gate types need to be indistinguishable. 
As shown in Table 5, our construction is the most efficient one in this setting. 


7 Circuits containing multiplexers (for example to realize programmable blocks), or 
gates with constant output, could use GRR3 only for these gates. 

Table 5. Size of garbled circuit in SPF-SFE 

| technique | $k$-bit elements/gate | total bits of garbled circuit |
|---|---|---|
| classical [2] | 4 | $4(k+1)l$ |
| GRR3 [22] | 3 | $3(k+1)l$ |
| half gates [29] | {2,4} | $(k+1)(2l_A + 4l_X)$ |
| this work | {1,2} | $8l + k(l_{in} + 2l_{mid})$ |

4.3 Efficiency in SFE with Semi-private Sub-circuits 

Finally, we consider an evaluator who knows the gate function in some parts of 
the circuit, and only the topology in the other parts. Let $l^{(pub)}$ be the number of 
gates of which the evaluator knows the gate function, and $l^{(prv)}$ be the number of 
the other, "private" gates. Let $l_{A,in}^{(pub)}$, $l_{X,mid}^{(pub)}$ and $l_{in}^{(prv)}$ denote the public or private 
part of $l_{A,in}$, $l_{X,mid}$, and $l_{in}$, respectively. 

We observe that GRR3 and the half gate construction can be combined easily. 
The difference between the half gate construction and ours is $k(l_{A,in}^{(pub)} - l_{X,mid}^{(pub)}) - 8l^{(pub)}$ 
in the public part. The difference between GRR3 and our technique is 
$2k(l^{(prv)} + l_{in}^{(prv)}) - 5l^{(prv)}$ in the private part. Therefore, our construction generates 
smaller garbled circuits when $k(l_{A,in}^{(pub)} + 2l^{(prv)} + 2l_{in}^{(prv)} - l_{X,mid}^{(pub)}) - 5l - 3l^{(pub)} > 0$. 
Which construction is the most efficient depends on how much of the circuit is 
private, and on the number of inner XOR gates in the public part. 

5 Proof of Security 

5.1 Correctness 

Correctness of our garbling scheme clearly holds. In the case of AND gates, 
correctness follows from the following equations: 

$$H(K_A^0 + K_B^0, j_L) \oplus \gamma^{(0,0)} G = H(K_A^0 + K_B^0, j_L) \oplus b_0 G = H(K_A^0 + K_B^0 + b_0 d_i, j_L),$$
$$H(K_A^0 + K_B^1, j_L) \oplus \gamma^{(0,1)} G = H(K_A^0 + K_B^0 + d_i, j_L) \oplus (1 - b_0) G = H(K_A^0 + K_B^0 + b_0 d_i, j_L),$$
$$H(K_A^1 + K_B^0, j_L) \oplus \gamma^{(1,0)} G = H(K_A^0 + K_B^0 + d_i, j_L) \oplus (1 - b_0) G = H(K_A^0 + K_B^0 + b_0 d_i, j_L),$$

and 

$$H(K_A^1 + K_B^1, j_L) \oplus \gamma^{(1,1)} G = H(K_A^0 + K_B^0 + 2d_i, j_L) \oplus b_1 G.$$

Correctness of the other gate types can be shown analogously. 
5.2 Simulation-Based Privacy of Semi-private Functions 

By active labels we denote labels which are used in an actual evaluation. An 
inactive label is a label which is not active. For example, if the actual truth 
value on wire $i$ is $v_i$, $K_i^{v_i}$ is an active label and $K_i^{1-v_i}$ is an inactive one. 

In the proof, the simulator can obtain only active labels, and cannot obtain 
inactive labels and differences $d_i$. It means that the simulator can compute 
only one of $\{H(K_A^{v_A} + K_B^{v_B} + b d_A, j)\}_{b \in \{0,1,2\}}$ and one of 
$\{H(K_A^{v_A} + a d_A \| K_B^{v_B} + b d_A, j)\}_{a,b \in \{0,1\}}$. 

To simulate the hash values of inactive labels without knowledge of the $d_i$'s, the 
simulator uses the following 10 oracles for a given hash function $H : \{0,1\}^* \to \mathbb{Z}_{2^k}$: 

- $\mathsf{Corr}^{(1)}_{d_i}(K, b, j) = H(K + b d_i, j)$ where $K \in \mathbb{Z}_{2^k}$ and $b \in \{-2, -1, 1, 2\}$. 

- $\mathsf{Corr}^{(2)}_{d_i}(K, b_1, b_2, j) = H(K + b_1 d_i, j) \oplus H(K + b_2 d_i, j)$ where $K \in \mathbb{Z}_{2^k}$ and 
$(b_1, b_2) \in \{(-1, -2), (1, 2), (-1, 1)\}$. 

- For each $(K, j)$, one can query $\mathsf{Corr}^{(1)}_{d_i}(K, b, j)$ or $\mathsf{Corr}^{(2)}_{d_i}(K, b_1, b_2, j)$ only once 
(one cannot query both). 

- $\mathsf{Corr}^{(3)}_{d_i}(K_1, K_2, a, b, j) = H(K_1 + a d_i \| K_2 + b d_i, j)$ where $K_1, K_2 \in \mathbb{Z}_{2^k}$ and 
$a, b \in \{-1, 0, 1\}$. 

- $\mathsf{Corr}^{(4)}_{d_i, d_j}(K, a, b, j') = H(K + a d_j, j') \oplus (K + b d_i)$ where $K \in \mathbb{Z}_{2^k}$ and 
$a, b \in \{-1, 1\}$. 

- $\mathsf{Corr}^{(5)}_{d_i, d_j}(i, j, a, b) = a d_i + b d_j$ where $(a, b) \in \{(1, -1), (-1, 1)\}$. 

- $\mathsf{Rand}^{(1)}_{d_i}(K, b, j)$, $\mathsf{Rand}^{(2)}_{d_i}(K, b_1, b_2, j)$, $\mathsf{Rand}^{(3)}_{d_i}(K_1, K_2, a, b, j)$ and $\mathsf{Rand}^{(4)}_{d_i, d_j}(K, a, b, j)$ 
output a random value in $\mathbb{Z}_{2^k}$. 

- $\mathsf{Rand}^{(5)}_{d_i, d_j}(i, j, a, b)$ chooses $d_i$ and $d_j$ at random and outputs $a d_i + b d_j$. 

We use $\mathsf{Corr}^{(1)}_{d_i}$, $\mathsf{Corr}^{(2)}_{d_i}$ and $\mathsf{Corr}^{(3)}_{d_i}$ for obtaining $H(K_A^{v_A} + K_B^{v_B} + b d_i, j)$, 
$H(K_A^{v_A} + K_B^{v_B} + b_1 d_i, j) \oplus H(K_A^{v_A} + K_B^{v_B} + b_2 d_i, j)$ and $H(K_A^{v_A} + a d_i \| K_B^{v_B} + b d_i, j)$, which are 
used for simulating $G$ and $b_{c,\gamma}$. For simulating $E$, we use $\mathsf{Corr}^{(4)}_{d_i, d_j}$ and $\mathsf{Corr}^{(5)}_{d_i, d_j}$ 
to obtain $H(K_B^{1-v_B}, j) \oplus K_{B'}^{1-v_B}$ and $\pm(d_A - d_B)$, respectively. 

In the random oracle model, it is clear that $\mathsf{Corr}^{(1)}_{d_i}$, $\mathsf{Corr}^{(2)}_{d_i}$, $\mathsf{Corr}^{(3)}_{d_i}$ and 
$\mathsf{Corr}^{(4)}_{d_i, d_j}$ output a uniformly random distribution. In addition, each $d_i$ is uniformly 
random since $d_i$ is either chosen uniformly at random or the difference 
of two hash values. Therefore, $\mathsf{Corr}^{(5)}_{d_i, d_j}$ and $\mathsf{Rand}^{(5)}_{d_i, d_j}$ output an identical distribution. 
In our sequence of games, we replace the Corr oracles with Rand oracles 
to move from the real game to the simulation. The proposed garbling scheme is 
simulation-based private for $\Phi = \Phi_{topo}$ in the random oracle model. 

Theorem 1 (Simulation-based Privacy of Semi-private Functions). 

The proposed garbling scheme described in Sect. 3 satisfies simulation-based 
privacy, for $ = @ topo = ( n,m,l,A,B ) of ciruit f = (n,m,l,A,B,g), of 
$\mathcal{S}(1^k, \Phi_{\mathrm{topo}}(f), f(x))$

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$, and output $f(x)$.

Algorithm:
1. Initialize empty arrays $F[]$, $X[]$ and $d[]$ with $|F| = l$, $|X| = n$ and $|d| = m$.
2. Garbling the gates: For $i := n + 1$ to $l + n$ do:
   (a) Set $A := A(i)$ and $B := B(i)$.
   (b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0, 1\}$ at random. For all $(a, b) \in \{0, 1\}^2$, if undefined, set $c_A := \lambda_A \oplus a$, $c_B := \lambda_B \oplus b$.
   (c) Input keys:
       - If $A$'s and $B$'s labels are defined, set $j_E := \mathrm{nextindex}()$. If $0 = \lambda_B$, set $K'^0_B := K^0_B$ and $E := \mathrm{Rand}^{(1)}_{d_B}(K^0_B, 1, 1, j_E)$. Otherwise, set $K'^0_B := K^0_B + \mathrm{Rand}^{(2)}_{d_B}(A, B, 1, -1)$ and $E := H(K^0_B, j_E) \oplus K'^0_B$.
       - If $A$'s labels are defined and $B$'s labels are undefined (and vice versa, analogously), choose $K'^0_B$ at random and set $K^0_B := K'^0_B$.
       - If $A$'s and $B$'s labels are undefined, choose $K^0_A$ and $K'^0_B$ at random and set $K^0_B := K'^0_B$.
   (d) Output keys: Choose random bits $b_0, b_1 \in \{0, 1\}$ and set $j_L := \mathrm{nextindex}()$. Set $\gamma^{(0,0)} := b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := 1 - b_0$, $\gamma^{(1,1)} := b_1$. Choose random $G$ and set $K^0_i := H(K^0_A + K'^0_B, j_L) \oplus \gamma^{(0,0)} G$.
   (e) Encrypt choice bit: Set $j_{c,\gamma} := \mathrm{nextindex}()$ and choose $\lambda_i \in \{0, 1\}$ at random.
       - If $(a, b) = (0, 0)$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^0_A \| K'^0_B, j_{c,\gamma})) \oplus ((g_i(0, 0) \oplus \lambda_i) \| \gamma^{(0,0)})$. Exception: if $i = l + n$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^0_A \| K'^0_B, j_{c,\gamma})) \oplus ((g_i(0, 0) \oplus \lambda_i \oplus f(x)) \| \gamma^{(0,0)})$.
       - Otherwise, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(\mathrm{Rand}^{(3)}(K^0_A, K'^0_B, a, b, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
   (f) Set $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G, E)$ if $E$ is defined, and $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G)$ otherwise.
   (g) If $j \in \{A, B\}$ is a circuit input wire, set $X[j] := K^0_j \| c^0_j$. If $i \in W_{\mathrm{output}}$, set $d[i - (n + l) + m] := \lambda_i$.

Output: Garbled circuit $F$, garbled input $X$, decoding $d$.

Fig. 6. The simulator $\mathcal{S}$.


Definition 2, if we assume that $H$ is a random oracle. More precisely, for any
adversary $\mathcal{A}$ there exists an adversary $\mathcal{B}$ such that

$$\mathrm{Adv}^{\mathrm{prv.sim}}_{\Phi_{\mathrm{topo}},\mathcal{A}}(k) \le \frac{lq}{2^k},$$

where $k$ is the length of keys, $l$ is the number of gates, and $q$ is the number of
random oracle queries.

Proof. We consider the simulator $\mathcal{S}$ in the simulated experiment of Definition 2, and the games $\mathcal{G}_0$, $\mathcal{G}_1$, $\mathcal{G}_2^{\mathrm{Rand}^{(1)}_{d_i},\mathrm{Rand}^{(2)}_{d_i},\mathrm{Rand}^{(3)}_{d_i},\mathrm{Rand}^{(4)}_{d_i,d_j},\mathrm{Rand}^{(5)}_{d_i}}$, $\mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$, $\mathcal{G}_3^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$, and $\mathcal{G}_{\mathrm{real}}$. Below we abbreviate the oracle lists in the superscripts and write $\mathcal{G}_2^{\mathrm{Rand}}$, $\mathcal{G}_2^{\mathrm{Corr}}$ and $\mathcal{G}_3^{\mathrm{Corr}}$. We explain the simulator and the games in the following. For simplicity, we only consider AND, OR, and XOR gates. For NAND, NOR, and XNOR gates, we can swap $K^0_i$ and $K^1_i$ in $\mathcal{S}$, $\mathcal{G}_0$, $\mathcal{G}_1$, $\mathcal{G}_2$, $\mathcal{G}_3$, and $\mathcal{G}_{\mathrm{real}}$.
$\mathcal{G}_0(1^k, \Phi_{\mathrm{circ}}(f), f(x))$

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$, and output $f(x)$.

Algorithm:
1. Initialize empty arrays $F[]$, $X[]$ and $d[]$ with $|F| = l$, $|X| = n$ and $|d| = m$.
2. Compute $f(0)$ and $v_i \in \{0, 1\}$, the actual value on wire $i$ for $x = 0$.
3. Garbling the gates: For $i := n + 1$ to $l + n$ do:
   (a) Set $A := A(i)$ and $B := B(i)$.
   (b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0, 1\}$ at random. For all $(a, b) \in \{0, 1\}^2$, if undefined, set $c_A := \lambda_A \oplus a$, $c_B := \lambda_B \oplus b$.
   (c) Input keys: Same as $\mathcal{S}$.
   (d) Output keys: Choose random bits $b_0, b_1 \in \{0, 1\}$ and set $j_L := \mathrm{nextindex}()$.
       - AND gate case: Set $\gamma^{(0,0)} := b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := 1 - b_0$, $\gamma^{(1,1)} := b_1$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - OR gate case: Set $\gamma^{(0,0)} := b_1$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_0$, $\gamma^{(1,1)} := 1 - b_0$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - XOR gate case: Set $\gamma^{(0,0)} := 1 - b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_1$, $\gamma^{(1,1)} := b_0$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
   (e) Encrypt choice bit: Set $j_{c,\gamma} := \mathrm{nextindex}()$ and choose $\lambda_i \in \{0, 1\}$ at random.
       - If $(a, b) = (v_A, v_B)$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^{v_A}_A \| K'^{v_B}_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$. Exception: if $i = l + n$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^{v_A}_A \| K'^{v_B}_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i \oplus f(x)) \| \gamma^{(a,b)})$.
       - Otherwise, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(\mathrm{Rand}^{(3)}(K^{v_A}_A, K'^{v_B}_B, a - v_A, b - v_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
   (f) Set $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G, E)$ if $E$ is defined, and $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G)$ otherwise.
   (g) If $j \in \{A, B\}$ is a circuit input wire, set $X[j] := K^0_j \| c^0_j$. If $i \in W_{\mathrm{output}}$, set $d[i - (n + l) + m] := \lambda_i$.

Output: Garbled circuit $F$, garbled input $X$, decoding $d$.

Fig. 7. The game $\mathcal{G}_0$, in which the output keys are generated as in the real scheme.


$\mathcal{S}(1^k, \Phi_{\mathrm{topo}}(f), f(x))$: $\mathcal{S}$, given in Fig. 6, generates the garbled circuit and garbled
input $(F, X, d)$ without knowledge of $x$. $\mathcal{S}$ generates only labels corresponding
to truth value 0, and chooses $G$ and $E$ uniformly at random. $\mathcal{S}$ chooses $b^{c,\gamma}_{2c_A + c_B}$ so
that Eval and Decode output $f(x)$.

$\mathcal{G}_0(1^k, \Phi_{\mathrm{circ}}(f), f(x))$: $\mathcal{G}_0$ generates the garbled circuit and garbled input
$(F, X, d)$ as described in Fig. 7. In this game, the actual value $v_i$ of each
wire $i$ for input $x = 0$ is computed and known to the simulator. $\mathcal{G}_0$ chooses
$b^{c,\gamma}_{2c_A + c_B}$ so that Eval and Decode output $f(x)$.

$\mathcal{G}_1(1^k, \Phi_{\mathrm{circ}}(f), x)$: $\mathcal{G}_1$ generates the garbled circuit and garbled input $(F, X, d)$
as described in Fig. 8. In this game, the actual value $v_i$ of each wire $i$ for
input $x$ is computed and known to the simulator. $\mathcal{G}_1$ generates the output
label in one of two ways, depending on $v_i$.

$\mathcal{G}_2^{\mathcal{O}^{(1)}_{d_i},\mathcal{O}^{(2)}_{d_i},\mathcal{O}^{(3)}_{d_i},\mathcal{O}^{(4)}_{d_i,d_j},\mathcal{O}^{(5)}_{d_i}}(1^k, \Phi_{\mathrm{circ}}(f), x)$: In this game, $(F, X, d)$ is generated as
described in Fig. 9, with three oracles, without knowledge of the $d_i$'s. The oracles
$\mathcal{G}_1(1^k, \Phi_{\mathrm{circ}}(f), x)$

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$, and input $x$.

Algorithm:
1. Initialize empty arrays $F[]$, $X[]$ and $d[]$ with $|F| = l$, $|X| = n$ and $|d| = m$.
2. Compute $f(x)$ and $v_i \in \{0, 1\}$, the actual value on wire $i$.
3. Garbling the gates: For $i := n + 1$ to $l + n$ do:
   (a) Set $A := A(i)$ and $B := B(i)$.
   (b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0, 1\}$ at random. For all $(a, b) \in \{0, 1\}^2$, if undefined, set $c_A := \lambda_A \oplus a$, $c_B := \lambda_B \oplus b$.
   (c) Input keys: Same as $\mathcal{S}$.
   (d) Output keys: Choose random bits $b_0, b_1 \in \{0, 1\}$ and set $j_L := \mathrm{nextindex}()$.
       - AND gate case: Set $\gamma^{(0,0)} := b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := 1 - b_0$, $\gamma^{(1,1)} := b_1$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - OR gate case: Set $\gamma^{(0,0)} := b_1$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_0$, $\gamma^{(1,1)} := 1 - b_0$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - XOR gate case: Set $\gamma^{(0,0)} := 1 - b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_1$, $\gamma^{(1,1)} := b_0$. Choose random $G$ and set $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
   (e) Encrypt choice bit: Set $j_{c,\gamma} := \mathrm{nextindex}()$ and choose $\lambda_i \in \{0, 1\}$ at random.
       - If $(a, b) = (v_A, v_B)$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^{v_A}_A \| K'^{v_B}_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
       - Otherwise, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(\mathrm{Rand}^{(3)}(K^{v_A}_A, K'^{v_B}_B, a - v_A, b - v_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
   (f) Set $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G, E)$ if $E$ is defined, and $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G)$ otherwise.
   (g) If $j \in \{A, B\}$ is a circuit input wire, set $X[j] := K^{v_j}_j \| c^{v_j}_j$. If $i \in W_{\mathrm{output}}$, set $d[i - (n + l) + m] := \lambda_i$.

Output: Garbled circuit $F$, garbled input $X$, decoding $d$.

Fig. 8. The game $\mathcal{G}_1$, in which the output keys are generated as in the real scheme.


queried are either $(\mathrm{Rand}^{(1)}_{d_i}, \mathrm{Rand}^{(2)}_{d_i}, \mathrm{Rand}^{(3)}_{d_i}, \mathrm{Rand}^{(4)}_{d_i,d_j}, \mathrm{Rand}^{(5)}_{d_i})$ or the oracles
$(\mathrm{Corr}^{(1)}_{d_i}, \mathrm{Corr}^{(2)}_{d_i}, \mathrm{Corr}^{(3)}_{d_i}, \mathrm{Corr}^{(4)}_{d_i,d_j}, \mathrm{Corr}^{(5)}_{d_i})$. In $\mathcal{G}_2$, the active labels $K^{v}$
and the oracle outputs $H(K^{v_A}_A + K'^{v_B}_B + (v_A + v_B) d, j)$ are computed similarly to the
real scheme.

For simulating the ciphertext $G$, $H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus H(K^{v_A}_A + K'^{v_B}_B + d, j_L)$ has
to be computed. The simulator makes the oracle query $\mathcal{O}^{(4)}(K^{v_A}_A + K'^{v_B}_B, b - (v_A + v_B), j_L)$ if $(v_A, v_B) \ne (1, 1)$, and $\mathcal{O}^{(5)}(K^{v_A}_A + K'^{v_B}_B, j_L)$ if $(v_A, v_B) = (1, 1)$.
For simulating the ciphertexts $b^{c}_{2c_A + c_B} \| b^{\gamma}_{2c_A + c_B}$, the simulator makes the oracle
query $\mathcal{O}^{(3)}(K^{v_A}_A, K'^{v_B}_B, a - v_A, b - v_B, j_{c,\gamma})$, obtains $H(K_A + a d_A \| K_B + b d_B, j_{c,\gamma})$, and computes $b^{c}_{2c_A + c_B} \| b^{\gamma}_{2c_A + c_B}$.

The ciphertext $E$ is computed as

$$E = H(K^{1-\lambda_B}_B, j_E) + K'^{1-\lambda_B}_B = \begin{cases} H(K^{v_B}_B + (1 - 2v_B) d_B, j_E) + K^{v_B}_B + (1 - 2v_B) d_A & \text{if } v_B = \lambda_B, \\ H(K^{v_B}_B, j_E) + K^{v_B}_B + (2v_B - 1) d_B + (1 - 2v_B) d_A & \text{otherwise.} \end{cases}$$
$\mathcal{G}_2^{\mathcal{O}^{(1)}_{d_i},\mathcal{O}^{(2)}_{d_i},\mathcal{O}^{(3)}_{d_i},\mathcal{O}^{(4)}_{d_i,d_j},\mathcal{O}^{(5)}_{d_i}}(1^k, \Phi_{\mathrm{circ}}(f), x)$

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$, and input $x$.

Algorithm:
1. Initialize empty arrays $F[]$, $X[]$ and $d[]$ with $|F| = l$, $|X| = n$ and $|d| = m$.
2. Compute $f(x)$ and $v_i \in \{0, 1\}$, the actual value on wire $i$.
3. Garbling the gates: For $i := n + 1$ to $l + n$ do:
   (a) Set $A := A(i)$ and $B := B(i)$.
   (b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0, 1\}$ at random. For all $(a, b) \in \{0, 1\}^2$, if undefined, set $c_A := \lambda_A \oplus a$, $c_B := \lambda_B \oplus b$.
   (c) Input keys:
       - If $A$'s and $B$'s labels are defined, set $j_E := \mathrm{nextindex}()$. If $v_B = \lambda_B$, set $K'^{v_B}_B := K^{v_B}_B$ and $E := \mathcal{O}^{(1)}_{d_B}(K^{v_B}_B, 1 - 2v_B, 1 - 2v_B, j_E)$. Otherwise, set $K'^{v_B}_B := K^{v_B}_B + \mathcal{O}^{(2)}_{d_B}(A, B, 1 - 2v_B, 2v_B - 1)$ and $E := H(K^{v_B}_B, j_E) \oplus K'^{v_B}_B$.
       - If $A$'s labels are defined and $B$'s labels are undefined (and vice versa, analogously), choose $K'^{v_B}_B$ at random and set $K^{v_B}_B := K'^{v_B}_B$.
       - If $A$'s and $B$'s labels are undefined, choose $K^{v_A}_A$ and $K'^{v_B}_B$ at random and set $K^{v_B}_B := K'^{v_B}_B$.
   (d) Output keys: Choose random bits $b_0, b_1 \in \{0, 1\}$ and set $j_L := \mathrm{nextindex}()$.
       - AND gate case: Set $\gamma^{(0,0)} := b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := 1 - b_0$, $\gamma^{(1,1)} := b_1$.
         * If $(v_A, v_B) \ne (1, 1)$: $G := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \mathcal{O}^{(4)}(K^{v_A}_A + K'^{v_B}_B, b, j_L)$ where $b = 0$ if $v_A + v_B = 1$ and $b = 1$ if $v_A + v_B = 0$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
         * If $(v_A, v_B) = (1, 1)$: $G := \mathcal{O}^{(5)}(K^{v_A}_A + K'^{v_B}_B, -1, -2, j_L)$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - OR gate case: Set $\gamma^{(0,0)} := b_1$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_0$, $\gamma^{(1,1)} := 1 - b_0$.
         * If $(v_A, v_B) \ne (0, 0)$: $G := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \mathcal{O}^{(4)}(K^{v_A}_A + K'^{v_B}_B, b, j_L)$ where $b = 1$ if $v_A + v_B = 2$ and $b = 2$ if $v_A + v_B = 1$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
         * If $(v_A, v_B) = (0, 0)$: $G := \mathcal{O}^{(5)}(K^{v_A}_A + K'^{v_B}_B, 1, 2, j_L)$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
       - XOR gate case: Set $\gamma^{(0,0)} := 1 - b_0$, $\gamma^{(0,1)} := \gamma^{(1,0)} := b_1$, $\gamma^{(1,1)} := b_0$.
         * If $(v_A, v_B) \ne (0, 1), (1, 0)$: $G := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \mathcal{O}^{(4)}(K^{v_A}_A + K'^{v_B}_B, b, j_L)$ where $b = 0$ if $v_A + v_B = 2$ and $b = 2$ if $v_A + v_B = 0$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
         * If $(v_A, v_B) = (0, 1), (1, 0)$: $G := \mathcal{O}^{(5)}(K^{v_A}_A + K'^{v_B}_B, -1, 1, j_L)$; $K^{v_i}_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus \gamma^{(v_A, v_B)} G$.
   (e) Encrypt choice bit: Set $j_{c,\gamma} := \mathrm{nextindex}()$ and choose $\lambda_i \in \{0, 1\}$ at random.
       - If $(a, b) = (v_A, v_B)$, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(H(K^{v_A}_A \| K'^{v_B}_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
       - Otherwise, set $b^{c,\gamma}_{2c_A + c_B} := \mathrm{lsb}_2(\mathcal{O}^{(3)}(K^{v_A}_A, K'^{v_B}_B, a - v_A, b - v_B, j_{c,\gamma})) \oplus ((g_i(a, b) \oplus \lambda_i) \| \gamma^{(a,b)})$.
   (f) Set $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G, E)$ if $E$ is defined, and $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G)$ otherwise.
   (g) If $j \in \{A, B\}$ is a circuit input wire, set $X[j] := K^{v_j}_j \| c^{v_j}_j$. If $i \in W_{\mathrm{output}}$, set $d[i - (n + l) + m] := \lambda_i$.

Output: Garbled circuit $F$, garbled input $X$, decoding $d$.

Fig. 9. The game $\mathcal{G}_2$, in which garbling is done with the actual values.
$\mathcal{G}_3^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}(1^k, \Phi_{\mathrm{circ}}(f), x)$

Input: Security parameter $k$, circuit $f = (n, m, l, A, B, g)$, and input $x$.

Algorithm:
1. Initialize empty arrays $F[]$, $X[]$ and $d[]$ with $|F| = l$, $|X| = n$ and $|d| = m$.
2. Compute $f(x)$ and $v_i \in \{0, 1\}$, the actual value on wire $i$.
3. Garbling the gates: For $i := n + 1$ to $l + n$ do:
   (a) Set $A := A(i)$ and $B := B(i)$.
   (b) If undefined, choose permute bits $\lambda_A, \lambda_B \in \{0, 1\}$ at random. For all $(a, b) \in \{0, 1\}^2$, if undefined, set $c_A := \lambda_A \oplus a$, $c_B := \lambda_B \oplus b$.
   (c) Input keys: Same as $\mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$, except setting $K^{1-v_A}_A := (1 - 2v_A) d_A + K^{v_A}_A$ and $K'^{1-v_B}_B := (1 - 2v_B) d_A + K'^{v_B}_B$ if undefined.
   (d) Output keys: Same as $\mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$, except adding the following in the last step:
       - AND gate case: If $v_i = 0$, set $K^1_i := H(K^{v_A}_A + K'^{v_B}_B + 2 d_A, j_L) \oplus b_1 G$. If $v_i = 1$, set $K^0_i := H(K^{v_A}_A + K'^{v_B}_B + b_0 d_A, j_L)$.
       - OR gate case: If $v_i = 0$, set $K^1_i := H(K^{v_A}_A + K'^{v_B}_B + d_A + b_0 d_A, j_L)$. If $v_i = 1$, set $K^0_i := H(K^{v_A}_A + K'^{v_B}_B, j_L) \oplus b_1 G$.
       - XOR gate case: If $v_i = 0$, set $K^1_i := H(K^{v_A}_A + K'^{v_B}_B + d_A, j_L) \oplus b_1 G$. If $v_i = 1$, set $K^0_i := H(K^{v_A}_A + K'^{v_B}_B + b_0 \cdot 2 d_A, j_L)$.
   (e) Encrypt choice bit: Same as $\mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$.
   (f) Set $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G, E)$ if $E$ is defined, and $F[i] := (b^{c,\gamma}_0, b^{c,\gamma}_1, b^{c,\gamma}_2, b^{c,\gamma}_3, G)$ otherwise.
   (g) If $j \in \{A, B\}$ is a circuit input wire, set $X[j] := K^{v_j}_j \| c^{v_j}_j$. If $i \in W_{\mathrm{output}}$, set $d[i - (n + l) + m] := \lambda_i$.

Output: Garbled circuit $F$, garbled input $X$, decoding $d$.

Fig. 10. The game $\mathcal{G}_3$, in which the inactive keys are included.


The simulator makes the oracle query $\mathcal{O}^{(1)}_{d_B}(K^{v_B}_B, 1 - 2v_B, 1 - 2v_B, j_E)$ instead
of computing $H(K^{v_B}_B + (1 - 2v_B) d_B, j_E) + (1 - 2v_B) d_A$, and the oracle query
$\mathcal{O}^{(2)}_{d_B}(A, B, 2v_B - 1, 1 - 2v_B)$ instead of computing $(2v_B - 1) d_B + (1 - 2v_B) d_A$.

$\mathcal{G}_3^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}(1^k, \Phi_{\mathrm{circ}}(f), x)$: This game, described in
Fig. 10, is almost identical to $\mathcal{G}_2^{\mathrm{Corr}}$, except that the inactive labels are defined.
In this game, the simulator knows the $d_i$'s.

$\mathcal{G}_{\mathrm{real}}$: This is the real experiment of Definition 2.


Now we prove the indistinguishability between the simulators and the real
protocol. We use the following chain of simulators and hybrid games.

1. $\mathcal{S} \equiv \mathcal{G}_0$: The only difference between the two games is that $K^0$ is used in $\mathcal{S}$ but
$K^{v}$ is used in $\mathcal{G}_0$, and there are three cases (AND, OR, and XOR) in $\mathcal{G}_0$. However,
the distributions of the simulation are identical, since the inactive $\gamma^{(a,b)}$'s are
masked by the random oracle Rand.

2. $\mathcal{G}_0 \equiv \mathcal{G}_1$: The only difference between the two games is that $v_i$ for input
$x = 0$ is used and the output $f(x)$ is embedded in $\mathcal{G}_0$, but $v_i$ for input $x$ is used in
$\mathcal{G}_1$. However, the distributions of the simulation are identical, since the inactive
$\gamma^{(a,b)}$'s are masked by the random oracle Rand and the embedded $f(x)$ is masked by the
random $\lambda_i$.

3. $\mathcal{G}_1 \equiv \mathcal{G}_2^{\mathrm{Rand}^{(1)}_{d_i},\mathrm{Rand}^{(2)}_{d_i},\mathrm{Rand}^{(3)}_{d_i},\mathrm{Rand}^{(4)}_{d_i,d_j},\mathrm{Rand}^{(5)}_{d_i}}$: The only difference between them
is how $G$ is generated. However, $G$ is uniformly distributed in both games and
therefore these two games are indistinguishable.

4. $\mathcal{G}_2^{\mathrm{Rand}^{(1)}_{d_i},\mathrm{Rand}^{(2)}_{d_i},\mathrm{Rand}^{(3)}_{d_i},\mathrm{Rand}^{(4)}_{d_i,d_j},\mathrm{Rand}^{(5)}_{d_i}} \equiv \mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$:
The Rand oracles are replaced with Corr oracles. These games are indistinguishable
since the hash function is a random oracle, except if $d_i = 0$ or
$2 d_i = 0$ for some $i$. However, the $l$ values $d_i$ are chosen uniformly at random, and so
the probability of this event is bounded by $\Pr[\exists i \text{ s.t. } (d_i = 0) \vee (2 d_i = 0)] =
1 - (1 - 2/2^k)^l \le l/2^{k-2}$.

5. $\mathcal{G}_2^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}} \equiv \mathcal{G}_3^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}}$: The
only difference between these two games is adding the inactive labels. However,
the inactive labels are not used, so the distribution is unchanged. In
$\mathcal{G}_3^{\mathrm{Corr}}$, if the adversary correctly guesses one of the $l$
values $d_i$ and asks for a key unknown to the simulator among its $q$ queries to the random oracle $H$,
the simulator fails to simulate the random oracle $H$, since the
simulator does not know the $d_i$'s. The probability of this simulation failure is
$lq/2^k$.

6. $\mathcal{G}_3^{\mathrm{Corr}^{(1)}_{d_i},\mathrm{Corr}^{(2)}_{d_i},\mathrm{Corr}^{(3)}_{d_i},\mathrm{Corr}^{(4)}_{d_i,d_j},\mathrm{Corr}^{(5)}_{d_i}} \equiv \mathcal{G}_{\mathrm{real}}$: In $\mathcal{G}_3$, we first define $K^{v_i}_i$ and then
define $K^{1-v_i}_i$ as $K^{1-v_i}_i := (1 - 2v_i) d_i + K^{v_i}_i$ if either or both input wires is
a circuit input wire. In $\mathcal{G}_{\mathrm{real}}$, we first define $K^0_i$ and then $K^1_i := d_i + K^0_i$. In
addition, for inner wires in $\mathcal{G}_3$ we define $K^{1-v_i}_i := H(K^{v_A}_A + K'^{v_B}_B + (2 - (v_A + v_B)) d_A, j_L) + b_1 G$ or
$K^{1-v_i}_i := H(K^{v_A}_A + K'^{v_B}_B + (b_0 - 2) d_A, j_L)$, depending on $v_i$ and $b_0$.
In $\mathcal{G}_{\mathrm{real}}$, we define $K^1_i := H(K^0_A + K'^0_B + 2 d_A, j_L) + b_1 G$ and
$K^0_i := H(K^0_A + K'^0_B + b_0 d_A, j_L) + b_1 G$. Although the steps to generate the
labels are changed, the outputs are unchanged. Therefore, these changes do
not affect the distribution.

Consequently, the simulated experiment is indistinguishable from the real experiment
except with negligible probability $l/2^{k-2} + lq/2^k$. □


6 On the Lower Bound of Linear Garbling Schemes 

Zahur et al. [29] observed that many practical garbling schemes share a common
structure, which they formalize in their model of linear garbling schemes.
They proved that in this model, garbling a single AND gate requires at least two
rows. They concluded that to garble an odd gate with significantly$^8$ less than $2k$
bits, an inherently different, non-linear structure is needed. Our garbling scheme
contradicts this, while maintaining a computational efficiency comparable to previous
work. In this chapter, we first provide an intuition of how our construction
circumvents the lower bound. In Sect. 6.2, we provide an outline of the lower-bound
proof. Then, we state our garbling scheme in the linear garbling model,
and show more formally how it exploits loopholes in the lower-bound proof. Since
this chapter mostly discusses a single AND gate, we denote the color bits of a
gate's input wires by $\alpha$ and $\beta$ for better readability.


6.1 How We Circumvent the Lower Bound: An Intuition 

Intuitively, the arguments in the lower-bound proof should also hold for our
"almost linear" garbling scheme. We now show where our construction exploits
loopholes. The proof relies on two assumptions which hold for most linear
constructions, but are not needed for linearity in an algebraic sense:

Assumption (1): The linear operations to compute a gate's output labels
directly depend on permute bits assigned to the gate's input wires.

Assumption (2): Each ciphertext/row consists of $k$ bits.

Let us first take a closer look at Assumption (1). The lower-bound proof
strongly depends on the fact that changing the permute bits assigned to the
two input wires of a gate changes the operation the evaluator needs to perform
when processing this gate. This is true for most existing garbling schemes, but
not for ours. In existing schemes, the evaluator usually uses two color bits $\alpha$ and
$\beta$ to choose one out of four options. In Yao's original scheme [28], when used
with the point-and-permute technique [2], the four options are four ciphertexts.
In the three-row reduction [22,26], the options are three ciphertexts and the
zero string. In the interpolation-based two-row reduction [26], the options are
four $x$-coordinates. The half gate construction [29] has the options ciphertext or
zero string for each half gate, so four possible options per garbled AND gate.
The common way to let the evaluator choose the correct option is letting the
options depend on permute bits, and communicating the corresponding color bits to
the evaluator, which keeps him oblivious of the actual input. All of the above
mentioned schemes use this technique. As a side-effect, in all these constructions,
changing even one permute bit inevitably changes the assignment of options to
input values, in particular, which option is assigned to the input leading to
output truth value 1. In our scheme, the evaluator has only two options: to use
the given $k$-bit ciphertext or not. Neither this ciphertext itself nor its usage
depends on any permute bit. In fact, it might happen that the same operation
using this same ciphertext is performed by the evaluator for two different
inputs $(x_a, x_b) \ne (x'_a, x'_b)$ with $g(x_a, x_b) \ne g(x'_a, x'_b)$. Since we have only two
options, we need only one choice bit, which does not depend on permute bits.

$^8$ As they point out, one can only prove a lower bound of at least $2k$ minus some bits,
as one can always take away a few bits and maintain asymptotic security.

To communicate this choice bit, we include four 2-bit ciphertexts in the
garbled circuit, which do depend on permute bits. And this is where we exploit
the second loophole in the lower-bound proof: Assumption (2), which says that
each row has the length of $k$ bits, is neither used nor needed$^9$ in any argument of
the proof. Since $M < k$ bits of information can be perfectly masked with an $M$-bit
ciphertext, we can instead "fill the necessary rows" with our 2-bit ciphertexts.


6.2 How We Circumvent the Lower Bound: Formal Discussion 

Let us first briefly summarize the linear garbling model. All elements considered
in the model are in $\mathrm{GF}(2^k)$, and the only operations allowed are XOR operations
and calls to a random oracle, which outputs elements in $\mathrm{GF}(2^k)$. The model considers
garbling a single AND gate. Let $r$ and $h$ be constants, and let $\langle \cdot, \cdot \rangle$ denote
the scalar product of two vectors. The garbler chooses $R_1, \ldots, R_r \in \mathrm{GF}(2^k)$
at random. Using linear combinations of these as inputs to a random oracle,
he obtains oracle responses $Q_1, \ldots, Q_h$. Let $S := (R_1, \ldots, R_r, Q_1, \ldots, Q_h)$. The
garbler applies linear functions on $S$ to obtain input wire labels $A_0, A_1, B_0, B_1$,
output wire labels $C_0, C_1$ and ciphertexts $G_1, \ldots, G_m$. The function to obtain
the ciphertexts can be written as a matrix $G_{\lambda_a,\lambda_b}$ with $S \cdot G_{\lambda_a,\lambda_b} = (G_1, \ldots, G_m)$,
and can depend on the permute bits $\lambda_a$ and $\lambda_b$ of the input wires.

The evaluator obtains as input the wire labels $K_A \in \{A_0, A_1\}$ and $K_B \in
\{B_0, B_1\}$, and color bits $\alpha$ and $\beta$. He makes several oracle queries using this
input to obtain a vector $T$, which consists of his input, the oracle responses and
the ciphertexts $G_1, \ldots, G_m$. He computes a linear function on $T$, denoted by a
vector $V_{\alpha,\beta}$, to compute the output wire label $C_{(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta)} = \langle V_{\alpha,\beta}, T \rangle$.

The Lower-Bound Proof. We recap the parts of the lower-bound proof [29]
which are important for a more formal discussion. The proof argues that the
matrix $G_{\lambda_a,\lambda_b}$ must have at least two rows, and thus creates at least two
ciphertexts. This is based on a chain of claims, of which we circumvent the
first one: it says that the $G_{\lambda_a,\lambda_b}$ are all distinct. The claim is argued for as
follows. The output wire label $C_{(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta)}$, computed by the evaluator as
$C_{(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta)} = \langle V_{\alpha,\beta}, T \rangle$, can be written as

$$C_{(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta)} = \langle V^{\mathrm{pub}}_{\alpha,\beta}, M_{\alpha,\beta} \times S^T \rangle + \langle V^{\mathrm{priv}}_{\alpha,\beta}, G_{\lambda_a,\lambda_b} \times S^T \rangle, \qquad (1)$$

for an appropriate matrix $M_{\alpha,\beta}$, where $V_{\alpha,\beta}$ is divided into a public part $V^{\mathrm{pub}}_{\alpha,\beta}$,
independent of permute bits, and a private part $V^{\mathrm{priv}}_{\alpha,\beta}$, which depends on $\lambda_a$ and
$\lambda_b$. For only one input $((\lambda_a \oplus \alpha), (\lambda_b \oplus \beta))$, it holds that $(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta) = 1$, and
thus $C_{(\lambda_a \oplus \alpha) \wedge (\lambda_b \oplus \beta)} = C_1$, the label assigned to truth value 1. When changing a
permute bit, a different combination of $(\alpha, \beta)$ is assigned to $C_1$. However, since
all other values in Eq. 1 do not depend on permute bits, only $G_{\lambda_a,\lambda_b}$ can change
when changing $\lambda_a$ or $\lambda_b$. Thus, all $G_{\lambda_a,\lambda_b}$ must be distinct. Basic algebra then
implies that all $G_{\lambda_a,\lambda_b}$ must have at least two rows. If all rows have $k$ bits, this
implies the lower bound of $2k$ bits per gate. In our garbling scheme, we divide
$G_{\lambda_a,\lambda_b}$ into a $k$-bit (-entropy) part and a 2-bit (-entropy) part. Our $k$-bit part
does not depend on permute bits and has only one row. The 2-bit part has four
rows and thus does not contradict the arguments in the lower-bound proof.

$^9$ More precisely, elements in $\mathrm{GF}(2^k)$ or $\mathbb{Z}_{2^k}$ do not necessarily have $k$ bits of entropy,
and those with less entropy can be represented using shorter strings.


Our Construction and the Model of Linear Garbling Schemes. We now
compare our scheme to the linear garbling model, and explain more formally how it bypasses
the lower bound. Since the lower-bound proof only considers a
single AND gate, the labels of both input wires can be chosen freely, and we can
leave out the ciphertext for difference adjustment in the following discussion.

Our construction does not perfectly fit into the model in two points. The first
point is that we use $\mathbb{Z}_{2^k}$ rather than $\mathbb{F}_{2^k}$, simply because we need $+$ and $\oplus$ to be
different operations. The second point is that the linear garbling model considers
only $k$-bit values. In contrast, we use oracles with $k$-bit output and with 2-bit
output. The 2-bit oracle is implemented by using the $\mathrm{lsb}_2$ function on the $k$-bit
oracle output. Similarly, we have $k$-bit ciphertexts and 2-bit ciphertexts.

A garbling algorithm in the linear garbling model consists of five steps. We
describe our scheme in these steps, using the same enumeration as in [29]. We
omit the tweaks implemented by $\mathrm{nextindex}()$ in the calls to the random oracle $H$.

1. The garbler chooses several random $k$-bit values. The only 1-bit randomness
considered in the model are the permute bits. In our scheme, the garbler
chooses the random $k$-bit values $K^0_A$, $K^0_B$, and $d$, and the random bits $b_0$ and
$b_1$. So we allow 1-bit randomness here, which is only a technical issue.

2. The garbler makes several oracle queries, using the random values from Step 1
as input. The random values and oracle responses form a vector $S$, on which
all following linear operations are performed. In our construction, we have $k$-bit
queries and 2-bit queries. We divide $S$ into the two vectors $S_k$, containing
$k$-bit values, and $S_2$, containing 2-bit values. We have:

$k$-bit queries: $Q_1 := H(K^0_A + K^0_B)$, $Q_2 := H(K^0_A + K^0_B + d)$, $Q_3 := H(K^0_A + K^0_B + 2d)$,
$S_k = (K^0_A, K^0_B, d, Q_1, Q_2, Q_3)$.

2-bit queries $Q_4, \ldots, Q_7$: $Q_{2(\lambda_A \oplus a) + (\lambda_B \oplus b) + 4} := \mathrm{lsb}_2(H(K^0_A + ad \| K^0_B + bd))$ for all $(a, b) \in \{0, 1\}^2$.

3. The random permute bits $\lambda_A$, $\lambda_B$ and $\lambda_C$ are chosen.

4. Linear operations are performed on $S$ to compute the input wire labels
$A_0, A_1, B_0, B_1$ and the output wire labels $C_0, C_1$. The latter can be written
as $C_i = \langle C_{\lambda_a,\lambda_b,i}, S \rangle$, $i \in \{0, 1\}$, for appropriate vectors $C_{\lambda_a,\lambda_b,i}$, which
can depend on permute bits. In our case, we have:
$$(A_0, B_0, A_1, B_1, C_0, C_1)^T = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 - b_0 & b_0 & 0 \\ 0 & 0 & 0 & b_1 & b_1 & 1 \end{pmatrix} \times S_k^T.$$

The rows $C_{\lambda_a,\lambda_b,0} = (0, 0, 0, 1 - b_0, b_0, 0)$ and $C_{\lambda_a,\lambda_b,1} = (0, 0, 0, b_1, b_1, 1)$ define
the output labels. They depend on $b_0$ and $b_1$, but not on $\lambda_a$ and $\lambda_b$.

5. Ciphertexts are computed: for $i \in [m]$, $G_i = \langle G^{(i)}_{\lambda_a,\lambda_b}, S \rangle$ for appropriate
$G^{(i)}_{\lambda_a,\lambda_b}$, where $m$ is the number of ciphertexts included in the garbled circuit.
In our scheme, we have $k$-bit and 2-bit ciphertexts:

$$G^{k\text{-bit}} = \langle G^{(1)}_{\lambda_a,\lambda_b}, S_k \rangle, \qquad G^{2\text{-bit}}_i = \langle G^{(i)}_{\lambda_a,\lambda_b}, S_2 \rangle.$$

Let $G_{\lambda_a,\lambda_b}$ be the matrix consisting of the rows $G^{(i)}_{\lambda_a,\lambda_b}$ for $i \in [m]$. We divide
$G_{\lambda_a,\lambda_b}$ into a $k$-bit part and a 2-bit part. The $k$-bit part has only one row:

$$G^{k\text{-bit}}_{\lambda_a,\lambda_b} = G^{(1)}_{\lambda_a,\lambda_b} = (0, 0, 0, 1, 1, 0)$$

for all $(\lambda_a, \lambda_b) \in \{0, 1\}^2$. So our $k$-bit ciphertext is

$$G^{k\text{-bit}} := \langle (0, 0, 0, 1, 1, 0), S_k \rangle = H(K^0_A + K^0_B) \oplus H(K^0_A + K^0_B + d).$$

As we can see, $G^{k\text{-bit}}_{\lambda_a,\lambda_b}$ does not depend on $\lambda_a$ and $\lambda_b$, so changing the permute
bits cannot change $G^{k\text{-bit}}_{\lambda_a,\lambda_b}$. This seems like a contradiction to the lower-bound
proof, which argues that changing the permute bits must change $G_{\lambda_a,\lambda_b}$ in
order to assign a different pair $(\alpha, \beta)$ to the label $C_1$. However, in our construction,
the labels $C_0$ and $C_1$ only depend on the random bits $b_0$ and $b_1$
chosen by the garbler. Thus, the assignment of color bits to output truth
values is irrelevant for the computation of the labels on the garbler's side.
However, to allow the evaluator to compute the correct output label, a choice
bit $\gamma$ needs to be communicated using ciphertexts which do depend on $\alpha$ and
$\beta$. These are computed by the rows of the 2-bit part $G^{2\text{-bit}}_{\lambda_a,\lambda_b}$, which takes care
of the dependence on permute bits this way. Thus, the $k$-bit part $G^{k\text{-bit}}_{\lambda_a,\lambda_b}$ can
stay unchanged for changing permute bits (and thus consist of only one row),
without causing a contradiction to the lower-bound proof.

To enable the evaluator to compute the color bit $(\alpha \oplus \lambda_A)(\beta \oplus \lambda_B) \oplus \lambda_C$ of
the output wire, we define the four rows $G^{(i)}_{\lambda_a,\lambda_b}$ of the 2-bit part such that

$$b^{c}_{2\alpha + \beta} \| b^{\gamma}_{2\alpha + \beta} = \langle G^{(2\alpha + \beta)}_{\lambda_a,\lambda_b}, S_2 \rangle = \mathrm{lsb}_2(H(K^{\alpha \oplus \lambda_A}_A \| K^{\beta \oplus \lambda_B}_B)) \oplus (((\alpha \oplus \lambda_A)(\beta \oplus \lambda_B) \oplus \lambda_C) \| \gamma^{(\alpha,\beta)})$$

for all $(\alpha, \beta) \in \{0, 1\}^2$, where

$$\gamma^{(\lambda_a,\lambda_b)} = b_0, \qquad \gamma^{(1 \oplus \lambda_a,\lambda_b)} = \gamma^{(\lambda_a,1 \oplus \lambda_b)} = 1 - b_0, \qquad \gamma^{(1 \oplus \lambda_a,1 \oplus \lambda_b)} = b_1.$$

The order of the rows in $G^{2\text{-bit}}_{\lambda_a,\lambda_b}$ depends on $\lambda_a$ and $\lambda_b$. Thus, in compliance
with the lower-bound proof, $G^{2\text{-bit}}_{\lambda_a,\lambda_b}$ is different for each choice of $(\lambda_a, \lambda_b)$.
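The single AND gate of Steps 1 to 5 above, worked as an added example that is not the paper's code: the garbler computes $Q_1, Q_2, Q_3$, the one $k$-bit ciphertext $G = Q_1 \oplus Q_2$, the output labels $C_0, C_1$ and the four permute-bit-dependent 2-bit ciphertexts, and the evaluator recovers the output label from the choice bit $\gamma$ alone. Assumptions: labels live in $\mathbb{Z}_{2^k}$ with $k = 128$, the random oracle $H$ is SHA-256 truncated to $k$ bits, and two fixed tweak strings stand in for the $\mathrm{nextindex}()$ values $j_L$ and $j_{c,\gamma}$.

```python
import hashlib
import random

K = 128                  # label length k in bits (assumption)
MOD = 1 << K             # labels and the difference d live in Z_{2^k}

# constant tweaks standing in for the nextindex() values j_L and j_{c,gamma} (assumption)
J_L = b"j_L"
J_C = b"j_c,gamma"


def H(data: bytes, tweak: bytes) -> int:
    """k-bit random-oracle stand-in (assumption): SHA-256(tweak || data), truncated."""
    return int.from_bytes(hashlib.sha256(tweak + data).digest()[: K // 8], "big")


def enc(x: int) -> bytes:
    """Encode an element of Z_{2^k} as k/8 bytes (reduction mod 2^k included)."""
    return (x % MOD).to_bytes(K // 8, "big")


def garble_and_gate(ka0, kb0, d, b0, b1, lam_a, lam_b, lam_c):
    """Garbler side for one AND gate with input labels K_A^a = K_A^0 + a*d and
    K_B^b = K_B^0 + b*d.  Returns (G, rows, C0, C1): the single k-bit ciphertext,
    the four 2-bit ciphertexts indexed by color bits 2*alpha+beta, and the output labels."""
    base = ka0 + kb0
    # Step 2: k-bit queries Q1, Q2, Q3; S_k = (K_A^0, K_B^0, d, Q1, Q2, Q3)
    q1, q2, q3 = H(enc(base), J_L), H(enc(base + d), J_L), H(enc(base + 2 * d), J_L)
    g = q1 ^ q2                      # row (0,0,0,1,1,0): independent of the permute bits
    c0 = q1 ^ (b0 * g)               # row (0,0,0,1-b0,b0,0) = (1-b0)*Q1 xor b0*Q2
    c1 = q3 ^ (b1 * g)               # row (0,0,0,b1,b1,1)   = b1*Q1 xor b1*Q2 xor Q3
    # choice bits gamma^(a,b) of an AND gate, indexed by truth values
    gamma = {(0, 0): b0, (0, 1): 1 - b0, (1, 0): 1 - b0, (1, 1): b1}
    rows = [0] * 4
    for alpha in (0, 1):
        for beta in (0, 1):
            a, b = alpha ^ lam_a, beta ^ lam_b          # truth values behind the color bits
            ka, kb = ka0 + a * d, kb0 + b * d
            mask = H(enc(ka) + enc(kb), J_C) & 3        # lsb_2 of the 2-bit oracle query
            payload = (((a & b) ^ lam_c) << 1) | gamma[(a, b)]   # output color bit || gamma
            rows[2 * alpha + beta] = mask ^ payload     # row position depends on lam_a, lam_b
    return g, rows, c0, c1


def evaluate_and_gate(ka, alpha, kb, beta, g, rows):
    """Evaluator side: one label and color bit per input wire plus the garbled gate.
    Returns (output label, output color bit)."""
    two_bits = rows[2 * alpha + beta] ^ (H(enc(ka) + enc(kb), J_C) & 3)
    out_color, gamma = two_bits >> 1, two_bits & 1
    # the only k-bit decision: XOR in the single ciphertext (gamma == 1) or not
    return H(enc(ka + kb), J_L) ^ (gamma * g), out_color


def check_all_inputs(seed: int) -> bool:
    """Garble one gate with seeded randomness (a real garbler uses a CSPRNG) and
    evaluate it on all four inputs; True iff label and color bit are always right."""
    rng = random.Random(seed)
    ka0, kb0, d = (rng.getrandbits(K) for _ in range(3))
    b0, b1, lam_a, lam_b, lam_c = (rng.getrandbits(1) for _ in range(5))
    g, rows, c0, c1 = garble_and_gate(ka0, kb0, d, b0, b1, lam_a, lam_b, lam_c)
    for a in (0, 1):
        for b in (0, 1):
            label, color = evaluate_and_gate(ka0 + a * d, a ^ lam_a,
                                             kb0 + b * d, b ^ lam_b, g, rows)
            if label != (c1 if a & b else c0) or color != ((a & b) ^ lam_c):
                return False
    return True


def g_independent_of_permute_bits(seed: int) -> bool:
    """The point of Sect. 6.2: G, C0 and C1 are identical for all four (lambda_a, lambda_b)."""
    rng = random.Random(seed)
    ka0, kb0, d = (rng.getrandbits(K) for _ in range(3))
    b0, b1, lam_c = (rng.getrandbits(1) for _ in range(3))
    seen = set()
    for la in (0, 1):
        for lb in (0, 1):
            g, _rows, c0, c1 = garble_and_gate(ka0, kb0, d, b0, b1, la, lb, lam_c)
            seen.add((g, c0, c1))
    return len(seen) == 1
```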

6.3 Further Analyzing the Lower Bound 

In 2005, Kolesnikov [13] introduced an information-theoretically secure secret-sharing-based
garbling scheme which requires zero ciphertexts, using only XOR
operations. Kolesnikov's construction produces an exponential blow-up of the
input key size, so the comparison is slightly unfair. It does not fit into the
model for the simple reason that the wire labels of one input wire are not elements
in $\mathrm{GF}(2^k)$, but have the form $B_L \| B_R$ for $B_L, B_R \in \mathrm{GF}(2^k)$. Regardless,
Kolesnikov's construction seems like a contradiction to the lower bound. We
analyze how this "almost linear" construction circumvents the lower bound.

Kolesnikov also introduces an optimization which reduces the blow-up to
approximately $d_j^2$, where $d_j$ is the depth of the $j$th leaf of the circuit. However,
the optimization is irrelevant for our analysis.


Outline of Kolesnikov's Construction. Kolesnikov's construction works by
garbling circuits backwards from output gates to input gates. Consider garbling
an AND gate $i$ with yet undefined input wire labels $K^0_A, K^1_A, K^0_B, K^1_B$, and given
output wire labels $K^0_i$ and $K^1_i$. The labels $K^0_i$ and $K^1_i$ are secret-shared in the
following way: Assign a single random permute bit $\lambda_A$ to input wire $A$; no
permute bit is assigned to the second input wire $B$. Choose the input labels
$K^0_A$ and $K^1_A$ at random, append $\lambda_A$ to $K^0_A$, and $1 - \lambda_A$ to $K^1_A$. The labels
$K^0_B$ and $K^1_B$ each consist of two entries, which are permuted according to $\lambda_A$:
$K^0_B := K^0_i \oplus K^{\lambda_A}_A \,\|\, K^0_i \oplus K^{1 - \lambda_A}_A$, and $K^1_B := K^{\lambda_A}_i \oplus K^{\lambda_A}_A \,\|\, K^{1 - \lambda_A}_i \oplus K^{1 - \lambda_A}_A$. To
evaluate gate $i$, the evaluator XORs his label $K_A$ with the entry of his label $K_B$
which is indicated by the color bit appended to $K_A$.
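The backward garbling of one AND gate just described, as an added example (not Kolesnikov's or the paper's code): the output labels are given, $A$-wire labels carry a color bit, $B$-wire labels are pairs of entries permuted by $\lambda_A$, and evaluation is a single XOR with no ciphertext and no hash. It assumes 128-bit labels represented as Python integers and an $A$-label represented as a (value, color bit) pair.

```python
import random

K = 128   # label length in bits (assumption)


def garble_and_gate_backwards(k_i0: int, k_i1: int, lam_a: int, rng: random.Random):
    """Garble AND gate i from its already known output labels K_i^0, K_i^1.
    Returns the A-wire labels [(K_A^0, lam_a), (K_A^1, 1-lam_a)] with the color bit
    appended, and the B-wire labels [K_B^0, K_B^1], each a pair of k-bit entries
    whose order is permuted according to lam_a (so a B-label is 2k bits long)."""
    ka = [rng.getrandbits(K), rng.getrandbits(K)]       # K_A^0, K_A^1 chosen at random
    k_i = [k_i0, k_i1]
    a_labels = [(ka[0], lam_a), (ka[1], 1 - lam_a)]
    # K_B^0 := K_i^0 xor K_A^{lam_a} || K_i^0 xor K_A^{1-lam_a}
    kb0 = (k_i0 ^ ka[lam_a], k_i0 ^ ka[1 - lam_a])
    # K_B^1 := K_i^{lam_a} xor K_A^{lam_a} || K_i^{1-lam_a} xor K_A^{1-lam_a}
    kb1 = (k_i[lam_a] ^ ka[lam_a], k_i[1 - lam_a] ^ ka[1 - lam_a])
    return a_labels, [kb0, kb1]


def evaluate_and_gate_backwards(a_label, b_label) -> int:
    """Evaluator: XOR the A-label with the B-entry selected by the color bit appended
    to the A-label.  The same linear operation is performed for every input."""
    value, color = a_label
    return value ^ b_label[color]


def check_all_inputs(seed: int) -> bool:
    """Garble one gate with seeded randomness (constructed test data) and check that
    evaluation on all four inputs yields K_i^{a AND b}."""
    rng = random.Random(seed)
    k_i0, k_i1 = rng.getrandbits(K), rng.getrandbits(K)
    lam_a = rng.getrandbits(1)
    a_labels, b_labels = garble_and_gate_backwards(k_i0, k_i1, lam_a, rng)
    for a in (0, 1):
        for b in (0, 1):
            expected = k_i1 if a & b else k_i0
            if evaluate_and_gate_backwards(a_labels[a], b_labels[b]) != expected:
                return False
    return True
```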


Kolesnikov's Construction and the Lower Bound. Kolesnikov's construction
is linear in an algebraic sense. It circumvents the lower bound in a way
similar to our scheme: the operations performed by the evaluator do not depend
on two permute bits. Kolesnikov's construction only assigns permute bits to
"A-wires" to indicate which part of the "B-wire" to use. "B-wires" are not
assigned any permute or color bit. Thus we have only one bit assigned to four
possible input combinations, making claim one in the lower-bound proof meaningless.
And in fact, similar to the $k$-bit part of our construction, the same linear
operation is performed for different truth values on the output wire.


6.4 Conclusion 

If less than two rows imply less than two possible operations, only one or no
choice bit is needed, making claim one in the lower-bound proof meaningless. It
is left for future work whether our observations can be used to break the lower
bound and omit even the small ciphertexts altogether without input key blow-up.
It would be interesting whether garbling schemes with less than two $k$-bit
rows can be constructed without sacrificing free XOR.

Acknowledgements. We thank the reviewers for their helpful and constructive 
comments. 


A Combining our Construction with Half Gates 

By combining our technique with the half gate construction [29], we can garble
the first two gate levels in a circuit with only one ciphertext per AND gate and
0 ciphertexts per XOR gate, if the circuit layout is fortunate. Each circuit
input is known either by the garbler or the evaluator, so one could argue that
all input gates can be garbled as half gates. A similar technique is used by
Huang et al. [8], who use generator half gates as input gates. We need to modify
the half gate technique such that output wires i which are used as inputs for
AND gates get an additive global difference d such that K_i^1 = K_i^0 + d, and
output wires j which are used as input to an XOR gate get a global difference Δ
such that K_j^1 = K_j^0 ⊕ Δ. We cannot do both at the same time, so this only
saves ciphertexts when most output wires of input gates go to either an AND gate
or an XOR gate, but not both. If this is the case, the next level can be garbled
with our construction using one ciphertext for most AND gates, and zero
ciphertexts for most XOR gates. A half gate can produce an additive difference
in its output wire using the following modification: A generator half gate with
input a known to the garbler produces the ciphertexts H(K_b) ⊕ K_f and
H(K_b ⊕ Δ) ⊕ (K_f + a·d), of which one is set to the zero string as in the
original scheme. It is evaluated as in the original half gate construction. An
evaluator half gate, where the evaluator knows input a, and gets input labels
K_a and K_b, consists of the ciphertexts G_1 = H(K_a^0) ⊕ K_f^0, which is set to
the zero string by setting K_f^0 = H(K_a^0), and G_2 = H(K_a^1) ⊕ (K_f^0 − K_b^0).
In the evaluator half gate, we require an additive difference K_b^1 − K_b^0 = d
for the labels of input wire b. If a = 0, it is evaluated by computing
H(K_a^0) ⊕ G_1. If a = 1, the evaluator computes (G_2 ⊕ H(K_a^1)) + K_b.
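A toy instantiation of the two additive-difference half gates just described, added here as an example and not part of the appendix or the authors' implementation. It assumes 64-bit labels with addition modulo 2^64, truncated SHA-256 as H, the colour bit in the least significant label bit, and a free-XOR difference Δ with its least significant bit set.

```python
"""Toy instantiation of the additive-difference half gates of Appendix A:
a generator half gate whose output wire carries an additive difference d
and an evaluator half gate whose input wire b carries one.  Added example,
not the paper's code.  Assumptions: labels are 64-bit integers, H is
truncated SHA-256, the colour bit is the least significant label bit and
the free-XOR difference Δ has its least significant bit set."""
import hashlib
import secrets

MASK = (1 << 64) - 1            # labels live in Z_{2^64}: "+" is addition mod 2^64


def H(key):
    """Hash a 64-bit label to a fresh 64-bit string."""
    return int.from_bytes(hashlib.sha256(key.to_bytes(8, "big")).digest()[:8], "big")


def rand_label():
    return secrets.randbits(64)


def garble_generator_half_gate(a, K_b0, Delta, d):
    """Garbler knows a; wire b has XOR difference Δ.  Returns (K_f0, row) where
    the output labels are K_f0 + (a AND v)·d and `row` is the single ciphertext
    sent (the row selected by colour 0 is the zero string and is omitted)."""
    K_b1 = K_b0 ^ Delta
    ad = (a * d) & MASK
    if K_b0 & 1 == 0:                    # K_b0 has colour 0: zero its row
        K_f0 = H(K_b0)
        row = H(K_b1) ^ ((K_f0 + ad) & MASK)
    else:                                # K_b1 has colour 0: zero its row instead
        K_f0 = (H(K_b1) - ad) & MASK
        row = H(K_b0) ^ K_f0
    return K_f0, row


def eval_generator_half_gate(K_b, row):
    """Evaluator holds K_b (= K_b0 or K_b0 ⊕ Δ) and the one transmitted row."""
    return H(K_b) if K_b & 1 == 0 else H(K_b) ^ row


def garble_evaluator_half_gate(K_a0, K_a1, K_b0):
    """Evaluator knows a; wire b must have additive difference d.  G_1 is made
    the zero string by K_f0 := H(K_a0); only G_2 is sent."""
    K_f0 = H(K_a0)
    G2 = H(K_a1) ^ ((K_f0 - K_b0) & MASK)
    return K_f0, G2


def eval_evaluator_half_gate(a, K_a, K_b, G2):
    """If a = 0: H(K_a) ⊕ G_1 with G_1 = 0.  If a = 1: (G_2 ⊕ H(K_a)) + K_b."""
    if a == 0:
        return H(K_a)
    return ((G2 ^ H(K_a)) + K_b) & MASK


def check_and_gate(a, b):
    """Garble both gate types on fresh labels and confirm that evaluation
    yields the label of a AND b on an output wire with additive difference d."""
    Delta = rand_label() | 1
    d = rand_label()
    # generator half gate: b's labels differ by XOR with Δ
    K_b0 = rand_label()
    K_f0, row = garble_generator_half_gate(a, K_b0, Delta, d)
    got = eval_generator_half_gate(K_b0 ^ (Delta if b else 0), row)
    gen_ok = got == ((K_f0 + (a & b) * d) & MASK)
    # evaluator half gate: b's labels differ additively by d
    K_a0, K_a1, K_b0 = rand_label(), rand_label(), rand_label()
    K_f0, G2 = garble_evaluator_half_gate(K_a0, K_a1, K_b0)
    got = eval_evaluator_half_gate(a, K_a1 if a else K_a0,
                                   (K_b0 + b * d) & MASK, G2)
    ev_ok = got == ((K_f0 + (a & b) * d) & MASK)
    return gen_ok and ev_ok
```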

Abstract. Secure multi-party computation (MPC) allows several mutually
distrustful parties to securely compute a joint function of their inputs and
exists in two main variants: In synchronous MPC parties are connected by a
synchronous network with a global clock, and protocols proceed in rounds with
strong delivery guarantees, whereas asynchronous MPC protocols can be deployed
even in networks that deliver messages in an arbitrary order and impose
arbitrary delays on them.

The two models — synchronous and asynchronous — have to a large extent
developed in parallel with results on both feasibility and asymptotic
efficiency improvements in either track. The most notable gap in this parallel
development is with respect to round complexity. In particular, although under
standard assumptions on a synchronous communication network (availability of
secure channels and broadcast), synchronous MPC protocols with (exact) constant
rounds have been constructed, to the best of our knowledge, thus far no
constant-round asynchronous MPC protocols based on standard assumptions are
known, with the best protocols requiring a number of rounds that is linear in
the multiplicative depth of the arithmetic circuit computing the desired
function.

In this work we close this gap by providing the first constant-round
asynchronous MPC protocol that is optimally resilient (i.e., it tolerates up to
t < n/3 corrupted parties), adaptively secure, and makes black-box use of a
pseudo-random function. It works under the standard network assumptions for
protocols in the asynchronous MPC setting, namely, a complete network of
point-to-point (secure) asynchronous channels with eventual delivery and
asynchronous Byzantine agreement (aka consensus). We provide formal definitions
of these primitives and a proof of security in the Universal Composability
framework.

1 Introduction 

In secure multi-party computation (MPC), a set of n parties p_1, ..., p_n, each
holding some private input, wish to jointly compute a function on these inputs
in a fashion such that even up to t colluding adversarial parties are unable to
obtain any information beyond what they can extract from their inputs and
outputs or to affect the computation in any way other than contributing their
desired inputs. The problem of MPC has been studied in the two important
settings of synchronous and asynchronous networks, respectively.

MPC protocols for the synchronous setting assume a network in which parties 
proceed in rounds, with the guarantee that messages sent by any party in any 
given round are delivered to all recipients in the same round. Consequently, in 
all such protocols the parties are assumed to be (at least partially) synchronized, 
i.e., to be in the same round at all times. 

In real-world networks, such as the Internet, this synchrony assumption
corresponds to assuming that the parties have (partially) synchronized clocks
and communicate over channels with a known upper-bounded latency. The
synchronous structure is then imposed by “timeouts,” i.e., in each round the
parties wait for an amount T of time defined by their estimate of when other
parties send their messages and the bound on the network latency. If their
estimate is accurate and their clocks are indeed synchronized, this will ensure
that parties receive all messages sent to them from honest senders before the
end of the round (timeout). Thus, after time T has passed, they can safely
assume that if a message was expected for the current round but has not been
received, then the sender must be adversarial. The security of synchronous
protocols heavily relies on this assumption. In fact, many of them would become
completely insecure if there is even a single delayed message. As a result, the
round length T must typically be set much higher than the average transmission
time.

A natural question is therefore to study the security one can obtain if no
synchrony assumption is made but merely under the assumption that messages
sent by honest parties are eventually delivered.¹ In particular, messages sent
by parties can be reordered arbitrarily and delayed by arbitrary (albeit finite)
amounts of time in such an asynchronous network. Note that one could consider
even more pessimistic networks where the adversary can block messages sent by
honest parties; this is for example the case in the base network assumed in
Canetti’s UC framework [13]. In such networks, however, protocols cannot be
guaranteed to (eventually) terminate as the adversary can delay the computation
indefinitely.

¹ The eventual-delivery assumption is supported by the fact that whenever a
message is dropped or delayed for too long, Internet protocols typically resend
that message.

In asynchronous MPC protocols parties do not wait until a round times out.
Rather, as soon as a party has received enough messages to compute its next
message,² it computes that message, sends it, and moves on. In that sense,
asynchronous MPC protocols are “opportunistic” and terminate essentially as
quickly as the network allows. Hence, they can be much faster than their
synchronous counterparts depending on the network latency.³

In this work, unless explicitly stated otherwise, whenever we refer to the
asynchronous (communication) model, we mean the above asynchronous model with
eventual delivery.

On the importance of round complexity. The inherent need for waiting until each 
round times out clearly makes round complexity an important consideration 
for the performance of synchronous MPC protocols. Indicatively, Schneider and 
Zohner [34] have shown that as the latency between machines increases, the cost 
of each round becomes more and more significant. 

Despite their opportunistic nature, round complexity is just as important a
consideration for asynchronous protocols, since a protocol’s round complexity
can be a more relevant efficiency metric than, for example, its bit
complexity. Indeed, at the conceptual/theoretical level, having constant-round
protocols allows us to use them as sub-routines in a higher level protocol
without blowing up (asymptotically) the round complexity of the calling
protocol, while at the practical level, communication time is often dominated
by the round-trip times in the network and not by the size of the messages.
For example, it takes about the same amount of time to transmit a byte and a
megabyte, while sending a message from A to B over many intermediate nodes,
computing something at B, and sending an answer back to A may take a
(comparatively) long time.

Our contributions. In this paper, we first formalize the asynchronous model
with eventual delivery in the universal composability (UC) framework [13],
introduce a suitable formal notion of asynchronous round complexity, and
formulate the basic communication resources (such as asynchronous secure
channel and asynchronous Byzantine agreement [A-BA]) as ideal functionalities
in that model.⁴ (See Sect. 3.) We then present the — to the best of our
knowledge — first constant-round MPC protocol for this asynchronous setting
(i.e., a protocol whose round complexity is independent of the multiplicative
depth of the evaluated circuit and the number n of parties) based on standard
assumptions, namely, the existence of pseudo-random functions (PRFs).⁵ The
protocol is UC-secure in the secure-channels model with A-BA, and makes
black-box use of the underlying PRF, tolerating a computationally bounded,
adaptive adversary actively corrupting up to t < n/3 parties, which is optimal
for this setting.⁶

² What “enough” means is concretely specified by the party’s protocol.

³ This speed-up, however, does not come for free, as it inevitably allows the
adversary to exclude some of the honest parties’ inputs from being considered
in the computation.

⁴ Note that while the UC framework already is asynchronous, asynchronous
communication with eventual delivery has not been modeled in it so far;
moreover, standard (asynchronous) UC protocols do not achieve eventual
termination/delivery (cf. Sect. 3).

At a high level, here is how we construct our constant-round protocol. First,
we devise a constant-depth circuit for computing the keys, masked values, and
(shares of the) garbled gates needed for a distributed evaluation of a Yao
garbled circuit that encodes the function the parties wish to compute. This
circuit is then evaluated by means of a linear-round (in the depth of the
circuit and in n) asynchronous protocol. However, this circuit is Boolean
whereas all existing asynchronous protocols evaluate arithmetic circuits. To
deal with this mismatch we devise an asynchronous protocol for computing
Boolean circuits by appropriately adapting the protocol by Ben-Or, Kelmer, and
Rabin [8]. Any party who receives the output from the evaluation of the Boolean
circuit uses it to encrypt shares of each garbled gate, which it sends to all
other parties. Finally, each party locally evaluates the (distributed) garbled
circuit by decrypting incoming encrypted shares of each gate and reconstructing
the function table of the gate as soon as sufficiently many consistent shares
have arrived until all gates are evaluated. Once all gates are evaluated in
this fashion, the party is in possession of the output. The protocol and its
analysis are presented in Sect. 4.

Related work. Beaver, Micali, and Rogaway [2] were the first to provide a
constant-round MPC protocol in the synchronous stand-alone model. (Refer to
Appendix A for a more detailed and historical account of the development of
MPC protocols in both the synchronous and asynchronous settings, together with
the tools that are used in each setting.) Their protocol is secure in the
computational setting and tolerates an adaptive adversary who actively corrupts
up to t < n/2 parties. The complexity of [2] was improved by Damgård and
Ishai [19], who provided the first constant-round protocol making black-box use
of the underlying cryptographic primitive (a pseudo-random generator).
Importantly, both [2] and [19] assume a broadcast channel, an assumption
essential for obtaining constant-round MPC. Indeed, as proved in [20,22], it is
impossible to implement such a broadcast channel from point-to-point
communication in a constant number of rounds, and although expected
constant-round broadcast protocols exist in the literature (e.g., [21,30]),
using them to instantiate calls within the constructions of [2] or [19] would
not yield an expected constant-round protocol [6]. The intuitive reason —
formally argued by Ben-Or and El-Yaniv [6] — is that the process of running n
such broadcast protocols (even in parallel) does not terminate in an expected
constant number of rounds.

The model of asynchronous communication with eventual delivery was considered
early on in seminal works on fault-tolerant distributed computing (e.g., [23]),
although to our knowledge this paper is the first to formalize this capability
in the UC framework. The study of optimally resilient MPC in this type of
asynchronous networks was initiated by Ben-Or, Canetti, and Goldreich [5], who
proved that any function can be computed by a perfectly secure asynchronous
protocol if and only if at most t < n/4 parties are corrupted. Following that
result, Ben-Or, Kelmer, and Rabin [8] showed that if a negligible error
probability is allowed, the bound t < n/3 is necessary and sufficient for
asynchronous MPC.⁷ More recently, Hirt et al. [27,28] provided computationally
secure solutions (i.e., protocols tolerating a computationally bounded
adversary) and Beerliova and Hirt [3] perfectly secure solutions with improved
communication complexity.

⁵ An approach based on threshold fully homomorphic encryption was recently
proposed by Cohen [17]; see the discussion in the related work section below.

⁶ The necessity of this bound in the asynchronous setting is also discussed in
related work below.

The above asynchronous protocols are secure — according to simpler, stand-alone
security definitions — if one assumes point-to-point communication and an A-BA
protocol. Similarly to their synchronous counterparts, all the above protocols —
even assuming an A-BA primitive — have round complexity linear in the
multiplicative depth of the arithmetic circuit that computes the function, as
they follow the standard gate-by-gate evaluation paradigm.

Concurrently and independently, Cohen [17] recently put forth an asynchronous
MPC protocol that is secure against a computationally bounded attacker
statically corrupting up to t < n/3 parties and in which all parties run in
constant time. Notably, the protocol from [17] relies on fully homomorphic
encryption, thus leaving the question of constant-round MPC from standard
assumptions open, which is answered in this work.

We note in passing that although in the synchronous setting BA implies
broadcast, this is not the case in the asynchronous setting. Indeed, Canetti
and Rabin [15] provide an asynchronous BA protocol tolerating t < n/3 malicious
parties, which if every honest party terminates at the latest after a
polylogarithmic number of rounds, securely implements asynchronous BA except
with negligible probability. A broadcast protocol with similar guarantees is
provably impossible [23], and existence of an asynchronous BA protocol which
terminates in a strict constant number of rounds would contradict the
impossibility from [20,22]. Similarly to the synchronous case, although
solutions for asynchronous BA with expected constant number of rounds
exist [11,15], using them in the above asynchronous protocol to replace
invocations to asynchronous BA would not yield an expected constant-round MPC
protocol [6].⁸

⁷ The necessity of the t < n/3 bound follows from the result by Canetti et
al. [5,12], who argue that this bound is necessary for fail-stop adversaries;
it also applies to computational security and assuming A-BA. Moreover, note
that in the asynchronous setting, all feasibility bounds are worse by an
additive term of t compared to the synchronous setting. Intuitively, this stems
from the fact that honest parties cannot distinguish between messages by other
honest parties being delayed and messages by corrupted parties not being sent.
Thus, in particular, perfectly secure asynchronous MPC is possible only if
t < n/4.

⁸ Nonetheless, [6] does describe an alternative way of obtaining several
asynchronous BA protocols that are guaranteed to all terminate in an expected
constant number of rounds.
2 Model and Building Blocks

We denote the player set by P = {p_1, ..., p_n} and consider a computationally
bounded adaptive t-adversary, i.e., the adversary gets to corrupt up to t
parties dynamically during the protocol execution and depending on its protocol
view. The most common network model for the execution of asynchronous protocols
is secure channels with eventual delivery, where the adversary is allowed to
delay the delivery of any message by an arbitrary but finite amount of time,
i.e., he is not able to block messages sent among honest parties. Moreover, as
argued in the introduction, existing asynchronous protocols rely on an
additional resource, namely, an asynchronous version of Byzantine agreement
(A-BA) instead of a broadcast channel, and such a resource is even necessary to
obtain an (exact) constant number of rounds. We formalize this model and
formulate the ideal functionalities corresponding to these communication
resources separately in Sect. 3.

We now present some basic tools we use in our protocol. 

Secret sharing. Our construction makes use of Shamir’s secret sharing scheme
[35], which allows one to encode a secret into n shares such that any subset
of t shares gives no information about the secret and such that from any subset
of t + 1 shares the secret can be reconstructed.

For a sharing of a secret s, let [s]_i denote the i-th share. A set of shares
is called t-consistent if they lie on a polynomial of degree at most t. For a
tuple of secrets s = (s_1, ..., s_ℓ), denote — in slight abuse of notation — by
[s]_i := ([s_1]_i, ..., [s_ℓ]_i) the tuple of the i-th shares of the values and
refer to it as the i-th share of s. A set of such tuples is called t-consistent
if the property holds for all components.
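The sharing, reconstruction and t-consistency check from the paragraph above, written out as an added example (not the paper's own code). The field prime and the sample secrets are constructed for the demonstration; tuples are shared component-wise exactly as the notation [s]_i := ([s_1]_i, ..., [s_ℓ]_i) prescribes.

```python
"""Shamir sharing over a prime field, with the t-consistency check used in
Sect. 2.  Added example, not the paper's code; the field prime and sample
values are constructed for illustration."""
import secrets

P = 2**61 - 1  # constructed choice: a Mersenne prime large enough for the demo


def _eval(coeffs, x):
    """Evaluate a polynomial given by coeffs (lowest degree first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, n, t):
    """Return the n shares [s]_1..[s]_n of secret s as (index, value) pairs.
    The hiding polynomial has degree t: t shares reveal nothing, t+1 suffice."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, _eval(coeffs, i)) for i in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation through (index, value) points, evaluated at x."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * ((x - xk) % P) % P
                den = den * ((xj - xk) % P) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares, t):
    """Recover the secret (the polynomial's value at 0) from any t+1 shares."""
    if len(shares) < t + 1:
        raise ValueError("need at least t+1 shares")
    return interpolate_at(shares[: t + 1], 0)


def is_t_consistent(shares, t):
    """True iff the shares lie on one polynomial of degree at most t: the
    polynomial fixed by the first t+1 shares must predict every other share."""
    if len(shares) <= t + 1:
        return True
    base = shares[: t + 1]
    return all(interpolate_at(base, x) == y for x, y in shares[t + 1 :])


def share_tuple(secrets_, n, t):
    """Component-wise sharing of a tuple s = (s_1, ..., s_l): the i-th share of
    the tuple is the tuple of i-th shares, as in Sect. 2."""
    per_secret = [share(s, n, t) for s in secrets_]
    return [(i, tuple(sh[i - 1][1] for sh in per_secret)) for i in range(1, n + 1)]


def tuple_is_t_consistent(tuple_shares, t):
    """A set of tuple shares is t-consistent iff every component is."""
    width = len(tuple_shares[0][1])
    return all(
        is_t_consistent([(i, comp[c]) for i, comp in tuple_shares], t)
        for c in range(width)
    )
```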

A linear-round asynchronous MPC protocol. In [8], Ben-Or, Kelmer, and Rabin
constructed a protocol, call it π_BKR, that computes an arbitrary n-party
function f in an asynchronous environment assuming asynchronous point-to-point
(secure) channels and asynchronous BA.⁹ The protocol follows the gate-by-gate
evaluation paradigm [7,16,26], where the function to be evaluated is
represented as an arithmetic circuit over a sufficiently large finite field, and
the computation proceeds by evaluating sequentially the gates of depth one,
then the gates of depth two, and so on. The evaluation of each gate requires a
constant number of (asynchronous) rounds,¹⁰ thus making the round complexity of
the overall protocol linear in the depth of the circuit.

π_BKR was designed for a simpler, stand-alone security definition, which only
ensures sequential composition. In the next section we show how it can be cast
in our eventual-delivery model to give UC-security guarantees.

⁹ [8] also assumes A-Cast to get a more efficient solution, but as argued in
the introduction, A-Cast can be easily reduced to asynchronous BA in two rounds.

¹⁰ Note that in each such round the parties might invoke the asynchronous BA
resource.
3 A UC Model for Asynchronous Computation with Eventual Message Delivery

In this section we formalize the asynchronous network model with eventual
message delivery in the UC framework. We start with the basic task of
point-to-point communication and proceed with asynchronous SFE and BA. Note
that the asynchronous model with eventual delivery has previously been
informally treated only in the stand-alone model without composition. Thus,
although at first read one might consider our treatment pedantic, providing a
UC proof of an asynchronous MPC protocol with eventual termination/delivery
requires the design of appropriate UC functionalities that can be used as
hybrids. Indeed, while the plain UC framework is inherently asynchronous, the
adversary has full control over message delivery and may even choose to delete
messages sent between uncorrupted parties (by delaying them indefinitely).
Hence, without the extensions in this section, the UC model does not capture
eventual delivery.¹¹

Asynchronous communication with eventual delivery. Our formulation of
communication with eventual delivery within the UC framework builds on ideas
from [31]. In particular, we capture such communication by allowing the parties
access to multi-use bilateral secure channels, where a sender p_i ∈ P can input
a message to be delivered to some recipient p_j ∈ P; messages are buffered and
delivered in an order specified by the adversary.

To ensure that when p_s and p_r are honest, the adversary cannot delay the
delivery of submitted messages arbitrarily, we make the following
modifications: We first turn the UC secure channels functionality to work in a
“fetch message” mode, where the channel delivers the message to its intended
recipient p_j if and only if p_j asks to receive it by issuing a special “fetch”
command. If the adversary wishes to delay the delivery of some message, he
needs to submit to the channel functionality an integer value T — the delay.
This will have the effect of the channel ignoring the first T fetch attempts
following the reception of the sender’s message. Importantly, we require the
adversary to send the delay T in unary notation; this will ensure that the
delay will be bounded by the adversary’s running time,¹² and thus a polynomial
environment will be able to observe the transmission through its completion.
To allow the adversary freedom in scheduling delivery of messages, we allow him
to input delays more than once, which are added to the current delay amount.
(If the adversary wants to deliver the message in the next activation, all he
needs to do is submit a negative delay.)

¹¹ Standard UC constant-round protocols in the plain (fully asynchronous) UC
framework do not work in this setting as, in these protocols, a party waits for
all his r-round messages before proceeding to round r + 1, which would allow
the adversary to make honest parties wait indefinitely (for messages from
corrupted parties), thereby preventing them from terminating. Instead, in
asynchronous protocols with eventual delivery, parties need to proceed to the
next round as soon as they have sufficiently many (but not necessarily all)
their messages for the current round.

¹² We refer to [13] for a formal definition of running time in the UC
framework.
The detailed specification of secure channels with eventual delivery, denoted
F_A-SMT, is given in Fig. 1. In the description, we denote by M a vector of
strings. We also use || to denote the operation which adds a string to M;
concretely, if M = (m_1, ..., m_ℓ) then M||m := (m_1, ..., m_ℓ, m) and
m||M := (m, m_1, ..., m_ℓ).


Functionality F_A-SMT(p_s, p_r)

Initialize D := 0 and M := (eom), where eom is a special “end-of-messages”
symbol.

— Upon receiving a message (send, m) from p_s, set D := D + 1 and
M := (m, mid)||M, where mid is a unique message ID, and send (D, mid) to the
adversary.

— Upon receiving a message (fetch) from p_r:

1. Set D := D − 1.

2. If D = 0 and M = ((m_1, mid_1), ..., (m_ℓ, mid_ℓ), eom), then set
M := ((m_2, mid_2), ..., (m_ℓ, mid_ℓ), eom) and send the message m_1 to p_r
(otherwise, no message is sent and the activation is given back to the
environment, as defined in the UC framework).

— Upon receiving a message (delay, T) from the adversary, if T is a valid delay
(i.e., it encodes an integer in unary notation), set D := max{1, D + T};
otherwise, ignore the message.

— Upon receiving a message (permute, π) from the adversary, if
π : [|M| − 1] → [|M| − 1] is a permutation over [|M| − 1], then set
M := M' = ((m_π(1), mid_π(1)), ..., (m_π(ℓ), mid_π(ℓ)), eom).

— (Adaptive message replacement) Upon receiving a message
(p_s, ((m_1, mid_1), ..., (m_ℓ', mid_ℓ')), T') from A, if p_s is corrupted and
D > 0 and T' is a valid delay, then set D := max{1, T'} and set
M := ((m_1, mid_1), ..., (m_ℓ', mid_ℓ'), eom).

Fig. 1. Asynchronous secure channel with eventual delivery


We refer to the model in which every two parties p_i and p_j in P have access
to an independent instance of F_A-SMT(p_i, p_j) as the F_A-SMT-hybrid model. An
asynchronous protocol in such a model proceeds as follows: Whenever a party p_i
gets activated, if its current protocol instructions include sending some
message m to some other party p_j, then the party inputs (send, m) to
F_A-SMT(p_i, p_j); otherwise, p_i sends a fetch message to every channel
F_A-SMT(p_j, p_i), j ∈ [n], in a round-robin fashion, i.e., if in the previous
activation it sent a (fetch) message to F_A-SMT(p_j, p_i), then it sends a
(fetch) message to F_A-SMT(p_((j mod n)+1), p_i).

Remark 1 (On permuting messages). Our formulation of an asynchronous channel
captures the somewhat pessimistic view of asynchronous communication, implicit
in many works on asynchronous distributed protocols, where the adversary has
full scheduling power and can, in particular, reorder the messages sent by any
party as he wishes. One could attempt to emulate a network which does not allow
for reordering of the messages — the so-called first-in-first-out (FIFO)
channel — by adding appropriate (publicly known) message identifiers and
instructing the parties to wait until a specific identifier is delivered before
outputting messages with other identifiers. However, we note that such an
emulating protocol would be distinguished from the original when, for example,
we consider an adversary that introduces no delay and an environment that
inputs two messages in a row and corrupts the receiver as soon as the first
message is supposed to have been delivered.
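A simulation of F_A-SMT(p_s, p_r) from Fig. 1, including the delay counter D, the (m, mid)||M buffer, permutation, adaptive replacement by a corrupted sender, and the receiver's round-robin fetch rule from the hybrid-model description. This is an added example, not the paper's code; the adversary's delay is modelled as a plain integer standing in for the unary encoding, and all message texts are constructed.

```python
"""Simulation of F_A-SMT(p_s, p_r) (Fig. 1) plus the receiver's round-robin
fetch loop.  Added example, not the paper's code.  Assumptions: the delay T is
a plain int (standing in for the unary encoding); message texts are
constructed."""
from itertools import count

EOM = "eom"  # the special end-of-messages symbol that terminates M


class AsyncSecureChannel:
    """F_A-SMT(p_s, p_r): a buffered channel whose delivery the adversary can
    delay only by a finite amount (each (delay, T) costs T ignored fetches)."""

    def __init__(self, sender, receiver, corrupted=frozenset()):
        self.sender, self.receiver = sender, receiver
        self.corrupted = set(corrupted)
        self.D = 0                 # fetches still to be ignored
        self.M = [EOM]             # message vector; eom marks the end
        self._mids = count(1)      # source of unique message IDs
        self.adv_view = []         # what the adversary learns: (D, mid) per send

    def send(self, m):
        """(send, m) from p_s: D := D + 1, M := (m, mid) || M, leak (D, mid)."""
        mid = next(self._mids)
        self.D += 1
        self.M = [(m, mid)] + self.M
        self.adv_view.append((self.D, mid))
        return mid

    def fetch(self):
        """(fetch) from p_r: decrement D; deliver the head of M only when D hits 0."""
        self.D -= 1
        if self.D == 0 and self.M[0] != EOM:
            m, _mid = self.M.pop(0)
            return m
        return None                # activation goes back to the environment

    def delay(self, T):
        """(delay, T) from the adversary: D := max{1, D + T}.  A negative T
        forces delivery at the next fetch; a positive T adds T ignored fetches."""
        if not isinstance(T, int):
            return                 # not a valid delay: ignore
        self.D = max(1, self.D + T)

    def permute(self, pi):
        """(permute, pi): reorder the |M| - 1 buffered messages; eom stays last."""
        body = self.M[:-1]
        if sorted(pi) != list(range(len(body))):
            return                 # not a permutation over [|M| - 1]: ignore
        self.M = [body[k] for k in pi] + [EOM]

    def replace(self, new_msgs, T):
        """Adaptive message replacement: allowed only for a corrupted sender
        while a message is still pending (D > 0)."""
        if self.sender in self.corrupted and self.D > 0 and isinstance(T, int):
            self.D = max(1, T)
            self.M = [(m, mid) for m, mid in new_msgs] + [EOM]


def run_until_delivered(chan, max_fetches):
    """p_r keeps fetching; returns (message, fetches used), or (None,
    max_fetches) if nothing arrived within the budget."""
    for k in range(1, max_fetches + 1):
        m = chan.fetch()
        if m is not None:
            return m, k
    return None, max_fetches


def round_robin_fetch(channels, last):
    """One activation of p_i with nothing to send: fetch from the channel after
    the one used last time, i.e. index (j mod n) + 1 in 1-based numbering."""
    n = len(channels)
    j = (last % n) + 1
    return j, channels[j - 1].fetch()
```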


Functionality F_A-SFE(P)

F_A-SFE proceeds as follows, given a function
f : ({0, 1}* ∪ {⊥})^n × R → ({0, 1}*)^n and a player set P. For each i ∈ P,
initialize variables x_i and y_i to a default value ⊥ and a current delay
D_i := 0. Additionally, set I := H. (Recall that H denotes the set of honest
parties.)

— Upon receiving message (no-input, P') from the adversary, if |P'| ≤ |P \ H|
and no party has received an output (output, y) yet, then set I := H \ P';
otherwise ignore this message.

— Upon receiving input (input, v) from party p_i ∈ P (or from the adversary in
case p_i is corrupted), do the following:

— If some party (or the adversary) has received an output (output, y), then
ignore this message; otherwise, set x_i := v.

— If x_i ≠ ⊥ for every p_i ∈ I, then compute (y_1, ..., y_n) := f((x'_1, ...,
x'_n), r) for a uniformly random r, where x'_i := x_i for p_i ∈ I ∪ (P \ H)
and x'_i := ⊥ for all other parties.

— Send (input, i) to the adversary.

— Upon receiving (delay, p_i, T) from the adversary, set D_i := D_i + T.

— Upon receiving message (fetch) from party p_i ∈ P, if y_i has not yet been
set (i.e., y_i = ⊥) then ignore this message, else do:

— Set D_i := D_i − 1.
— If D_i = 0, send (output, y_i) to p_i.

Fig. 2. Asynchronous SFE with eventual delivery


Asynchronous secure function evaluation (SFE). In an asynchronous environment,
it is impossible to get guaranteed (eventual) termination and input
completeness, i.e., take into account all inputs in the computation of the
function (cf. [31] and early work on fault-tolerant distributed computing). The
reason is that if honest parties wait until the inputs of all parties are
delivered, then the adversary can make them wait indefinitely for corrupted
parties to give their inputs (honest parties have no way of distinguishing
between an honest sender whose message is delayed and a corrupt sender who did
not send a message). Thus, to ensure eventual termination, the parties cannot
afford to wait for input from more than n − t parties, as the t remaining
parties might be the corrupted ones. Therefore, protocols for asynchronous
computation of a multi-party function f on inputs x_1, ..., x_n from parties
p_1, ..., p_n end up computing the function f|_P'(x_1, ..., x_n) = f(x'_1, ...,
x'_n) for some P' ⊆ P with |P'| = n − t, where x'_i = x_i if p_i ∈ P', and
otherwise a default value (denoted ⊥).

Moreover, by being able to schedule the delivery of messages from honest
parties, the adversary can (in worst-case scenarios) choose exactly the set P'.
Therefore, the ideal functionality corresponding to asynchronous SFE with
eventual termination needs to allow the simulator to choose this set depending
on the adversary’s strategy. Moreover, the simulator should be allowed to
schedule delivery of the outputs depending on the adversary’s strategy, but not
allowed to delay them arbitrarily. This last requirement can be achieved, as in
the case of F_A-SMT, by turning the SFE functionality into a “fetch
message”-mode functionality and allowing the simulator to specify a delay on
the delivery to every party.

The SFE functionality with the above properties is described in Fig. 2. In the
description, we use H ⊆ P to denote the set of honest parties; note that H is
dynamically updated as the adversary corrupts new parties. Moreover, we use I
to denote the set of honest parties whose input is allowed to be considered in
the computation, and require that |I| ≥ n − 2t. We provide a generic
description of the functionality for an arbitrary number t of corruptions;
however, and as implied by classical impossibility results, we are only able to
realize it for t < n/3 [5].

Asynchronous BA with eventual delivery. The last primitive we describe is (UC)
asynchronous BA with eventual message delivery. In such a BA primitive, every
party has an input, and we want to ensure the following properties: All honest
parties (eventually) output the same value y (consistency), and if all honest
parties have the same input x, then this output is y = x. Intuitively,
asynchronous BA can be cast as a version of asynchronous SFE for the function
that looks at the set of received inputs and, if all inputs contributed by
honest parties are identical¹³ and equal to some x, sets the output to x for
every party; otherwise, it sets the output to the input of some corrupted party
(for example, the first in any ordering, e.g., lexicographic). The formal
definition of F_A-BA is given in Fig. 3.

We will refer to the setting where every two parties p_i and p_j in P have
access to an independent instance of F_A-SMT(p_i, p_j) and, additionally, the
parties have access to independent instances of F_A-BA(P) as the
{F_A-SMT, F_A-BA}-hybrid model. The execution in the {F_A-SMT, F_A-BA}-hybrid
model is analogous to the execution in the F_A-SMT-hybrid model: Whenever a
party p_i gets activated, if its current protocol instructions include sending
some message m to some other party p_j or inputting a message m' to F_A-BA(P),
then the party inputs (send, m) to F_A-SMT(p_i, p_j) or m' to F_A-BA(P),
respectively; otherwise, p_i keeps sending

¹³ Similarly to the SFE case, the adversary might prevent some of the honest
parties from providing an input.
Functionality F_A-BA(P)

For each i ∈ P, initialize variables x_i and y_i to a default value ⊥ and a
current delay D_i := 0. Additionally, set I := H. (Recall that H denotes the
set of honest parties.)

— Upon receiving message (no-input, P') from the adversary, if |P'| ≤ |P \ H|
and no party has received an output (output, y) yet, then set I := H \ P';
otherwise ignore this message.

— Upon receiving input (input, v) from party p_i ∈ P (or from the adversary in
case p_i is corrupted), do the following:

— If some party (or the adversary) has received an output (output, y), then
ignore this message; otherwise, set x_i := v.

— If x_i ≠ ⊥ for every p_i ∈ I, then set (y_1, ..., y_n) := (y, ..., y), where
if there exists x ≠ ⊥ such that x_i = x for every p_i ∈ I, then y = x;
otherwise y = x_j, where p_j is the party in P \ H with the smallest index.

— Send (input, i) to the adversary.

— Upon receiving (delay, p_i, T) from the adversary, set D_i := D_i + T.

— Upon receiving message (fetch) from party p_i ∈ P, if y_i has not yet been
set (i.e., y_i = ⊥) then ignore this message, else do:

— Set D_i := D_i − 1.
— If D_i = 0, send (output, y_i) to p_i.

Fig. 3. Asynchronous BA with eventual delivery


(with each activation) a fetch to every channel X’a-smt {Pi , Pj ) , j E [n\ and then 
to X’a-ba(^) in a round-robin fashion. 

Asynchronous rounds. We now briefly elaborate on the notion of rounds in an asynchronous environment. Unlike the situation in the synchronous case, where rounds are well specified by the protocol, the definition of rounds in an asynchronous setting requires a bit more care. Intuitively, two messages $m_i$ and $m_j$ sent by some party $p_i$ in an asynchronous protocol are considered to be sent in rounds $i$ and $j$, $j > i$, if $m_j$ is generated by computation which takes as input a message received after $p_i$ sent $m_i$. Following the above intuition, we define for each $p_i$ and for each point in the protocol execution, the current round in which $p_i$ is to be the number of times $p_i$ alternated between sending (send, $m$) to some channel $\mathcal{F}_{\text{A-SMT}}(p_i, p_j)$, $p_j \in \mathcal{P}$ (or to the asynchronous BA functionality $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$) and sending (fetch) to some $\mathcal{F}_{\text{A-SMT}}(p_i, p_k)$, $p_k \in \mathcal{P}$, or to $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$. That is, every round (except for the first one)^14 starts by sending a (send, $m$) to some $\mathcal{F}_{\text{A-SMT}}(p_i, p_j)$ or to $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$ after some (fetch) was sent by $p_i$ and finishes with the first (fetch) command that $p_i$ sends. The round complexity of the protocol is the maximum (over all honest parties) number of rounds that an honest party uses in the protocol execution.

14 The first round starts as soon as the party receives its protocol input from the environment.
We note in passing that, similarly to [31], the above formulation allows for any party to send several messages in each round: the party buffers the messages and while the buffer is not empty, in each activation the party pops the next message and sends it to its intended recipient.

A UC-secure linear-round MPC protocol with eventual delivery. Finally, we argue the security of protocol $\pi_{\text{BKR}}$ mentioned in Sect. 2 in our model. $\pi_{\text{BKR}}$ is information-theoretic and proved simulation-based secure, where the simulation is in fact black-box (i.e., the simulator uses the corresponding adversary in a black-box manner) and straight-line (the simulator does not rewind the adversary). Moreover, the protocol tolerates any adaptive $t$-adversary where $t < n/3$, a bound which is also tight [5]. Thus, by casting $\pi_{\text{BKR}}$ in our UC $\{\mathcal{F}_{\text{A-SMT}}, \mathcal{F}_{\text{A-BA}}\}$-hybrid model, where every bilateral message exchange is implemented by the sender $p_i$ and the receiver $p_j$ using (an instance of the) channel $\mathcal{F}_{\text{A-SMT}}(p_i, p_j)$ and every call to asynchronous BA is done by invocation of $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$, we obtain a protocol for UC securely evaluating $\mathcal{F}^{f}_{\text{A-SFE}}(\mathcal{P})$, which is linear in the depth of the circuit computing $f$. More formally:

Theorem 1 ([8]). Let $f$ be an $n$-ary function and $C$ be an arithmetic circuit for computing $f$ by parties in $\mathcal{P}$. Then there exists a protocol, $\pi_{\text{BKR}}$, which UC-securely realizes $\mathcal{F}^{f}_{\text{A-SFE}}$ in the $\{\mathcal{F}_{\text{A-SMT}}, \mathcal{F}_{\text{A-BA}}\}$-hybrid model tolerating an adaptive $t$-adversary in a linear (in the depth of the circuit) number of rounds, provided $t < n/3$.

4 Constant-Round Asynchronous SFE

In this section we present our asynchronous SFE protocol and prove its security and round complexity.

4.1 Description of the Protocol

Let Circ be a Boolean circuit that is to be evaluated in a multi-party computation. In our protocol for securely evaluating the function that Circ computes, denoted $\pi_{\text{A-SFE}}(\text{Circ}, \mathcal{P})$, the parties first jointly compute a garbled version of Circ (along the lines of [2,4,37]); every party then evaluates this garbled circuit locally to obtain the output of the computation. Computing the garbled circuit takes place in two phases: First, the parties evaluate a function $f^{\text{Circ}}_{\text{PREP}}$ (described below) which is represented by a constant-depth arithmetic circuit over a finite field using a (non-constant-round) asynchronous MPC protocol. Given the outputs of this function, the parties can then complete the computation of the garbled circuit within one additional asynchronous round.^15 Since the evaluation of the garbled circuit takes place locally and $f^{\text{Circ}}_{\text{PREP}}$ is computed via a constant-depth circuit, the entire protocol is a constant-round protocol.

15 Refer to Sect. 2 for a definition of asynchronous round complexity.
Function $f^{\text{Circ}}_{\text{PREP}}((b_{\omega_{1,1}}, \ldots, b_{\omega_{1,L_1}}), \ldots, (b_{\omega_{n,1}}, \ldots, b_{\omega_{n,L_n}}))$

The preparation function is parameterized by a Boolean circuit Circ describing the function to be computed. The wires of Circ are labeled by values $\omega \in \mathbb{N}$. We use Greek letters $\alpha, \beta, \gamma, \omega$ for referring to the wire labels.

Input. For every input wire $\omega$, $b_\omega$ denotes the corresponding input bit.

Create Random Values. For each wire $\omega$ do:

1. For each $i \in [n]$ choose a random sub-key $k^i_{\omega,0} \in \mathbb{F}^n$. Set $k_{\omega,0} := (k^1_{\omega,0}, \ldots, k^n_{\omega,0})$.

2. For each $i \in [n]$ choose a random sub-key $k^i_{\omega,1} \in \mathbb{F}^n$. Set $k_{\omega,1} := (k^1_{\omega,1}, \ldots, k^n_{\omega,1})$.

3. Choose random mask $m_\omega \in \{0, 1\}$.

Input Wires. For every input wire $\omega$ do:

1. Compute masked value $z_\omega := b_\omega \oplus m_\omega$.

2. Choose corresponding key $k_\omega := k_{\omega, z_\omega}$.

Compute Masked Function Tables. For every gate $g$ with wires $\alpha, \beta, \gamma$ do:

1. For every $x, y \in \{0, 1\}$ do:

  (a) Compute masked value $z^{xy}_g := ((x \oplus m_\alpha) \text{ NAND } (y \oplus m_\beta)) \oplus m_\gamma$.

  (b) Choose corresponding key $k^{xy}_g := k_{\gamma, z^{xy}_g}$.

  (c) Set $t^{xy}_g := (z^{xy}_g, k^{xy}_g)$ and $T_g := (t^{00}_g, t^{01}_g, t^{10}_g, t^{11}_g)$.

2. Compute a Shamir sharing of $T_g$ (i.e., of every entry).

Output. Proceed as follows:

(Public outputs) Output the following values to all players:

1. For every input wire $\omega$: the masked value $z_\omega$ and the corresponding key $k_\omega$.

(Private outputs) Output the following values to every $p_i \in \mathcal{P}$:

1. For every wire $\omega$: the subkeys $k^i_{\omega,0}$ and $k^i_{\omega,1}$.

2. For every gate $g$: the $i$-th share $[T_g]_i$ of $T_g$.

3. For every output wire $\omega$: the mask $m_\omega$ if $p_i$ is to learn that output.

Fig. 4. The description of function $f^{\text{Circ}}_{\text{PREP}}$ corresponding to the distributed version of circuit garbling.


We define and analyze our protocol in the $\{\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}, \mathcal{F}_{\text{A-SMT}}\}$-hybrid model. Furthermore we provide a protocol for UC securely realizing the functionality $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ from asynchronous secure channels and BA with eventual delivery based on $\pi_{\text{BKR}}$ [8] (cf. Lemma 1).
Circuit garbling. Before elaborating on the protocol, we describe what the garbled version of Circ looks like.^16 Boolean circuit Circ consists of wires and NAND gates.^17 In the garbled version, every wire $\omega$ of Circ has a corresponding (secret) random mask $m_\omega$, which is used to hide the real value on that wire. Consequently, every gate $g$, with input wires $\alpha$ and $\beta$ and output wire $\gamma$, has a special function table $T_g$ that works on masked values. It contains four entries $z^{xy}_g$, corresponding to the masked value on the outgoing wire $\gamma$ under the four possible combinations of masked inputs $x, y \in \{0, 1\}$ on wires $\alpha$ and $\beta$. Each entry is obtained by unmasking the inputs, applying the gate function (NAND), and re-masking the result with the mask of the outgoing wire. That is,

$$z^{xy}_g = ((x \oplus m_\alpha) \text{ NAND } (y \oplus m_\beta)) \oplus m_\gamma,$$

for $x, y \in \{0, 1\}$.

The entries of each function table need to be protected so that only the one entry necessary to evaluate the circuit can be accessed. To that end, for each wire $\omega$ there are two (secret) keys $k_{\omega,0}$ and $k_{\omega,1}$. In the function tables $T_g$, each entry $z^{xy}_g$ is now augmented by the corresponding key $k_{\gamma, z^{xy}_g}$ of the outgoing wire $\gamma$. The pair $t^{xy}_g := (z^{xy}_g, k_{\gamma, z^{xy}_g})$ is encrypted with $k_{\alpha,x}$ and $k_{\beta,y}$ under the "tweak" $(g, x, y)$. The resulting ciphertexts

$$c^{xy}_g := \mathrm{Enc}^{g,x,y}_{k_{\alpha,x}, k_{\beta,y}}(t^{xy}_g)$$

make up the garbled function table

$$C_g := (c^{00}_g, c^{01}_g, c^{10}_g, c^{11}_g),$$

where $(\mathrm{Enc}^{T}_{k_1,k_2}(\cdot), \mathrm{Dec}^{T}_{k_1,k_2}(\cdot))$ is a tweakable dual-key cipher. A suitable such cipher can be realized using a PRF [4].^18

In order to be compatible with the garbled function tables, inputs to the circuit must be garbled as well. That is, for the input bit $b_\omega$ on input wire $\omega$, the garbled input is $z_\omega := b_\omega \oplus m_\omega$ and the corresponding key is $k_\omega := k_{\omega, z_\omega}$.

With the garbled inputs and function tables, any party can (locally) evaluate the circuit as follows: Given the masked values and the corresponding keys of the incoming wires of some gate, the party can decrypt the corresponding row, obtaining the masked value on the outgoing wire and the corresponding key. In the end, the values on the output wires can be unblinded if the corresponding masks are known.

16 Note that $f^{\text{Circ}}_{\text{PREP}}$ actually computes a "distributed" version of the garbled circuit (described below).

17 Any (arithmetic or Boolean) circuit can be efficiently transformed into such a circuit.

18 The security required from such a cipher is roughly semantic security even if one of the keys is known (see [4] for more details). Moreover, we assume a canonical injective mapping of triples $(g, x, y)$ to the tweak space of the cipher.
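The garbling of Fig. 4 and the local evaluation just described, carried out by a single party in the clear, as an added example (not code from the paper). The PRF-based tweakable dual-key cipher is instantiated here with HMAC-SHA256 as the PRF, and the sample circuit, key length and gate numbering are constructed for the example:

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # byte length of a wire key; a constructed choice for this example


def enc(k1: bytes, k2: bytes, tweak: bytes, msg: bytes) -> bytes:
    """Tweakable dual-key cipher built from a PRF (HMAC-SHA256 here, standing in
    for the PRF-based cipher of [4]): a pad derived from both keys and the tweak
    is XORed onto the message, so knowing only one key reveals nothing."""
    pad = hmac.new(k1 + k2, tweak, hashlib.sha256).digest()[: len(msg)]
    return bytes(a ^ b for a, b in zip(pad, msg))


dec = enc  # a XOR pad is its own inverse, so Dec is the same operation as Enc


def tweak(g: int, x: int, y: int) -> bytes:
    # canonical injective mapping of (g, x, y) into the tweak space (footnote 18)
    return g.to_bytes(4, "big") + bytes([x, y])


def garble(circ, n_wires):
    """circ: list of NAND gates (g, alpha, beta, gamma) in topological order.
    Returns the wire masks m_w, the key pairs (k_{w,0}, k_{w,1}) and the garbled
    tables C_g; this is the single-party view of what f_PREP computes in Fig. 4."""
    m = {w: secrets.randbelow(2) for w in range(n_wires)}
    k = {w: (secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
         for w in range(n_wires)}
    tables = {}
    for g, a, b, c in circ:
        C = {}
        for x in (0, 1):
            for y in (0, 1):
                # z_g^{xy} = ((x XOR m_alpha) NAND (y XOR m_beta)) XOR m_gamma
                z = (1 - ((x ^ m[a]) & (y ^ m[b]))) ^ m[c]
                t = bytes([z]) + k[c][z]  # t_g^{xy} = (z_g^{xy}, k_{gamma, z})
                C[(x, y)] = enc(k[a][x], k[b][y], tweak(g, x, y), t)
        tables[g] = C
    return m, k, tables


def garble_inputs(bits, m, k):
    """z_w = b_w XOR m_w and k_w = k_{w, z_w} for every input wire w."""
    return {w: (b ^ m[w], k[w][b ^ m[w]]) for w, b in bits.items()}


def evaluate(circ, tables, garbled_inputs, output_masks):
    """Local evaluation: for each gate decrypt the single row selected by the
    masked input bits, recovering the masked output bit and its key."""
    wire = dict(garbled_inputs)  # wire -> (masked bit, key)
    for g, a, b, c in circ:
        za, ka = wire[a]
        zb, kb = wire[b]
        t = dec(ka, kb, tweak(g, za, zb), tables[g][(za, zb)])
        wire[c] = (t[0], t[1:])
    # unmask only the output wires whose masks this evaluator is allowed to know
    return {w: wire[w][0] ^ output_masks[w] for w in output_masks}


# Constructed sample circuit: AND(a, b) = NAND(NAND(a, b), NAND(a, b)).
# Wires 0 and 1 are inputs, wire 2 is internal, wire 3 is the output.
AND_CIRC = [(0, 0, 1, 2), (1, 2, 2, 3)]


def and_via_garbling(a: int, b: int) -> int:
    """Garble AND_CIRC with fresh randomness, evaluate it on (a, b), unmask."""
    m, k, tables = garble(AND_CIRC, n_wires=4)
    inputs = garble_inputs({0: a, 1: b}, m, k)
    return evaluate(AND_CIRC, tables, inputs, {3: m[3]})[3]


if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, "->", and_via_garbling(a, b))
```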
Distributed encryption. Given the input bits $b_\omega$ for all input wires $\omega$, computing the garbled circuit could be described by a constant-depth circuit, since the garbled function tables can be computed in parallel after choosing the wire masks and keys. This circuit, however, would be rather large since it entails evaluating the cipher. Therefore, to avoid evaluating the cipher within the asynchronous MPC, the parties use the distributed-encryption technique by Damgard and Ishai [19]: Instead of computing $\mathrm{Enc}^{T}_{k_1,k_2}(m)$ for a message $m$, two keys $k_1$ and $k_2$, and a tweak $T$, the parties first jointly choose $2n$ subkeys $k^1_1, \ldots, k^n_1$ and $k^1_2, \ldots, k^n_2$, compute a Shamir sharing of $m = ([m]_1, \ldots, [m]_n)$, open $[m]_i$ as well as $k^i_1$ and $k^i_2$ to $p_i$ for every $i$, and then each party encrypts its share $[m]_i$ of $m$ using its two subkeys $k^i_1$ and $k^i_2$ and sends the resulting ciphertext $\mathrm{Enc}^{T}_{k^i_1,k^i_2}([m]_i)$ to all parties.

In order to decrypt, a party in possession of all keys recovers the shares by decrypting the ciphertexts received from other players and waits until it has $2t+1$ $t$-consistent shares, which it uses to reconstruct $m$.^19

Asynchronously evaluating Boolean circuits. Protocol $\pi_{\text{BKR}}$ [8], which we wish to use to realize $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$, evaluates arithmetic circuits over fields with more than two elements; the circuit representing $f^{\text{Circ}}_{\text{PREP}}$, however, is Boolean. Thus, in order to evaluate it via $\pi_{\text{BKR}}$ we transform it into an (arithmetic) circuit over an extension field $\mathbb{F}$ of GF(2), denoted $C_{f^{\text{Circ}}_{\text{PREP}}}$, by having every NAND gate with inputs $x, y \in \{0, 1\}$ replaced by the computation $1 - xy$, which can be implemented using addition and multiplication over the extension field $\mathbb{F}$. The above transformation, however, works only if all the inputs to the circuit corresponding to bits in the Boolean circuit are either 0 or 1 in the corresponding field $\mathbb{F}$. For the honest parties this is easy to enforce: they encode a 0 (resp., 1) input bit into the 0 (resp., 1) element of $\mathbb{F}$. The adversary, however, might try to cheat by giving "bad" inputs, namely, inputs in $\mathbb{F} \setminus \{0, 1\}$. We now show an explicit construction to ensure that the adversary cannot give any value other than 0 or 1, resulting in a simple adaptation of protocol $\pi_{\text{BKR}}$.^20

Before describing the solution we recall to the reader how $\pi_{\text{BKR}}$ evaluates a given circuit. We omit several low-level details and keep the description at the level which is appropriate for a formal description of our adaptation; the interested reader is referred to [8] for further details. $\pi_{\text{BKR}}$ follows the gate-by-gate evaluation paradigm [7,26]: The circuit is evaluated in a gate-by-gate fashion, where the invariant is that after the evaluation of each gate (in fact, of each bulk of gates that are at the same multiplicative depth), the output of the gates is verifiably shared among all the parties. In fact, [8] defines the notion of Ultimate Secret Sharing (USS) which is a version of VSS that is appropriate for asynchronous computation with $t < n/3$;^21 More concretely, the first step is to process all input gates in parallel (i.e., receive inputs from all parties); this step finishes with every party holding a share of the input of each party $p_i$. As already mentioned, due to asynchrony, the inputs of some, up to $t$, (honest) parties might not be considered. The set Core of these parties whose inputs are considered (the so-called core set [5,8]) is decided by $\pi_{\text{BKR}}$ (and agreed upon by all parties) during the evaluation of the input gates, while the input of the parties not in the core set is set to a default value, in our case to 0 (i.e., a default USS of 0 is adopted as a sharing of these parties' inputs [8]). Once any party has agreed on the core set of parties giving input, it goes on to the evaluation of the next gate (in fact, of all gates which are one level deeper in the circuit in parallel).

19 Our protocol ensures that each party eventually receives these many encrypted shares (see below).

20 In principle, the arithmetic circuit "re-compiler" technique by Genkin et al. [24] could also be used for this purpose, although it is not shown to work for $\pi_{\text{BKR}}$ nor be constant-depth. In addition, the functionality of the re-compiler is richer, as it allows to restrict possible malicious strategies during the evaluation of the circuit, which is not needed here.

21 USS is an adaptation of the bivariate-polynomial sharing technique [7,33] to the asynchronous setting.

Protocol $\pi_{\text{A-SFE}}(\text{Circ}, \mathcal{P})$: Code for $p_i$

First, mark all gates as unevaluated. Initialize empty variables $z_\omega$ and $k_\omega$ for every wire $\omega$ and $m_\omega$ for every output wire $\omega$ accessible to $p_i$. Initialize $\phi := 0$ (phase indicator). Then, proceed as follows:

— Upon first activation with input $b$, input $b$ to $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$.

— Upon later activations:

  • If $\phi = 0$, check if output from $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ received. If not, output (output) to $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ and become inactive. Otherwise, encrypt every gate $g$, with wires $\alpha, \beta, \gamma$, as follows:

    1. Output by functionality includes:

      (a) Subkeys $k^i_{\alpha,0}$ and $k^i_{\alpha,1}$ as well as $k^i_{\beta,0}$ and $k^i_{\beta,1}$.

      (b) Function table share $[T_g]_i = ([t^{00}_g]_i, [t^{01}_g]_i, [t^{10}_g]_i, [t^{11}_g]_i)$.

    2. For $x, y \in \{0, 1\}$, compute $c^{xy,i}_g := \mathrm{Enc}^{g,x,y}_{k^i_{\alpha,x}, k^i_{\beta,y}}([t^{xy}_g]_i)$.

    3. Send $C^i_g := (c^{00,i}_g, c^{01,i}_g, c^{10,i}_g, c^{11,i}_g)$ to all parties by invocation of $\mathcal{F}_{\text{A-SMT}}(p_i, p_j)$, $j \in [n]$.

    Further, for all input wires $\omega$, set $z_\omega$ and $k_\omega$ to the values output by $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$. Similarly, set the masks $m_\omega$ for the (accessible) output wires to the values output by $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$. Set $\phi := 1$.

  • If $\phi = 1$, upon reception of any encryption, proceed as follows for every unevaluated gate $g$, with incoming wires $\alpha$ and $\beta$ and outgoing wire $\gamma$:

    1. Let $z_\alpha, z_\beta$, and $z_\gamma$ be the masked bits and $k_\alpha, k_\beta$, and $k_\gamma$ the keys of the incoming wires $\alpha$ and $\beta$ and of the outgoing wire $\gamma$. If $z_\alpha$ and $z_\beta$ are not defined yet, skip this gate; else:

      (a) For each ciphertext $C^j_g = (c^{00,j}_g, c^{01,j}_g, c^{10,j}_g, c^{11,j}_g)$ from a party $p_j$, decrypt $t^{xy,j}_g := \mathrm{Dec}^{g,x,y}_{k^j_\alpha, k^j_\beta}(c^{xy,j}_g)$ for $x = z_\alpha$ and $y = z_\beta$, thereby recovering $j$-th shares of $z_\gamma$ and of every entry of $k_\gamma = (k^1_\gamma, \ldots, k^n_\gamma)$.

      (b) Check if $z_\gamma$ and the entries of $k_\gamma$ can be safely computed by interpolation, i.e., if there are at least $2t+1$ $t$-consistent shares for each value. If not, skip this gate. Otherwise, interpolate and mark $g$ as evaluated.

    If all gates have been evaluated, output $z_\omega \oplus m_\omega$ for all (accessible) output wires $\omega$.

Fig. 5. Our constant-round asynchronous SFE protocol in the $\{\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}, \mathcal{F}_{\text{A-SMT}}\}$-hybrid model

Our modification to $\pi_{\text{BKR}}$ is as follows. For any party $p_j$, as soon as $p_j$ has processed all input gates (i.e., holds shares of inputs of all parties in the core set and default shares for the remaining parties), and before any other gate of the arithmetic circuit is computed, $p_j$ does the following: For each party $p_i$ we denote by $x'_i$ the value that is (eventually) shared as $p_i$'s input when all parties have evaluated the corresponding input gate, and denote by $[x'_i]_j$ $p_j$'s share of this value.^22

Now, instead of continuing to process the original circuit $C_{f^{\text{Circ}}_{\text{PREP}}}$, we use the following trick from [9], which will allow us to enforce zero/one inputs. Each party uses the shared values $x'_i$ to compute the circuit evaluating the following function: output $c = (c_1, \ldots, c_n)$, where $c_i = x'_i - x'^2_i$ for each $p_i$. Each party that received the output $c$ does the following:^23 For each $p_i$, if $c_i \neq 0$, then the parties replace the sharing of $x'_i$ with a default sharing of 0. (That is, as soon as $p_j$ receives the vector $c$, for each $i$ with $c_i \neq 0$, $p_j$ replaces his share $[x'_i]_j$ of $x'_i$ with a default sharing of 0.) Once a party has completed this step (and replaced his local shares), he continues the execution of $\pi_{\text{BKR}}$ with the modified shares to compute the remainder of the circuit $C_{f^{\text{Circ}}_{\text{PREP}}}$.

We denote the above modification of protocol $\pi_{\text{BKR}}$ (in the $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$-hybrid world where calls to A-BA are replaced by invocations of $\mathcal{F}_{\text{A-BA}}(\mathcal{P})$) with the above mechanism for enforcing inputs in $\{0, 1\}$ by $\pi'_{\text{BKR}}$. In order to evaluate the (Boolean) circuit for $f^{\text{Circ}}_{\text{PREP}}$, the parties execute $\pi'_{\text{BKR}}$ encoding their inputs and outputs with the following trivial encoding: An input bit 0 (resp., 1) is encoded as the 0 (resp., 1) element in $\mathbb{F}$, and output 0 (resp., 1) in $\mathbb{F}$ is decoded back to the bit 0 (resp., 1). The following lemma states the achieved security.

Lemma 1. Protocol $\pi'_{\text{BKR}}$ for evaluating the circuit $C_{f^{\text{Circ}}_{\text{PREP}}}$ with the above trivial encoding UC-securely realizes $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$.

Proof (sketch). First note that if the inputs of all (honest and corrupted) parties are 0 or 1 (in the arithmetic field $\mathbb{F}$), then the (decoded) output of $C_{f^{\text{Circ}}_{\text{PREP}}}$ is the same as the output of the (Boolean) circuit for $f^{\text{Circ}}_{\text{PREP}}$ since all NAND gates with inputs $x, y \in \{0, 1\}$ are computed by $1 - xy$. Next, we argue that $\pi'_{\text{BKR}}$ forces the inputs of the adversary to be 0 or 1 and does not modify the inputs of honest parties. Indeed, an honest party $p_i$ in the core set will share inputs $x'_i \in \{0, 1\}$ and therefore $c_i = 0$, which means that his input sharing is not modified by $\pi'_{\text{BKR}}$. The same holds for any corrupted party that shares $x'_i = 0$ or $x'_i = 1$. On the other hand, any corrupted party sharing a value other than 0 or 1 will result in an output $c_i \neq 0$ (since the non-zero elements in $\mathbb{F}$ form a multiplicative group of order $|\mathbb{F}| - 1$) and its input will be set to 0.

Note that the eventual termination of $\pi_{\text{BKR}}$ ensures that all parties will eventually receive the output vector $c$ and will therefore resume the computation of the original circuit $C_{f^{\text{Circ}}_{\text{PREP}}}$, which (also due to the eventual termination of $\pi_{\text{BKR}}$) will terminate. The simulation of $\pi'_{\text{BKR}}$ is easily reduced to the simulation of $\pi_{\text{BKR}}$: The evaluation of the extra component that computes the $c_i$'s can be easily simulated as they are random sharings of 0 for all honest parties in the core set, and for corrupted parties they are functions of the sharing of $x'_i$ that the adversary creates in the input-processing phase, which for corrupted parties is fully simulatable. For the rest of the simulation, the simulator simply uses the $\pi_{\text{BKR}}$ simulator. Thus the indistinguishability of the simulation follows from the security of $\pi_{\text{BKR}}$. □

22 By the USS property, at this point $p_i$ is committed to $x'_i$ but the adversary has no information on it, i.e., the adversary holds random shares of a USS of $x'_i$.

23 Observe that the eventual delivery property ensures that every party will eventually receive the output.
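The NAND-to-arithmetic transformation and the zero/one enforcement of $\pi'_{\text{BKR}}$ argued in the proof above, as an added example that is not the paper's code. The field is a constructed choice (GF(2^8) with the AES reduction polynomial), and the check values $c_i = x'_i - x'^2_i$ are computed here in the clear, whereas in $\pi'_{\text{BKR}}$ the same arithmetic runs on USS shares:

```python
# GF(2^8) with the reduction polynomial x^8 + x^4 + x^3 + x + 1. Any extension
# field F of GF(2) would do; this one is a constructed choice for the example.
MODULUS = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8). Addition and subtraction are XOR, since the
    field has characteristic 2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return r


def nand_arith(x: int, y: int) -> int:
    """A NAND gate replaced by 1 - xy; in characteristic 2, 1 - xy = 1 XOR xy.
    On inputs in {0, 1} this agrees with Boolean NAND; on other field elements
    it returns something that is not a bit at all."""
    return 1 ^ gf_mul(x, y)


def zero_one_check(x: int) -> int:
    """c = x - x^2, the per-input check value of the trick from [9]. In a field
    the roots of x^2 - x are exactly 0 and 1, so c == 0 iff x is a bit."""
    return x ^ gf_mul(x, x)


def enforce_inputs(inputs):
    """The step every party applies after the input gates: an input whose check
    value is non-zero is replaced by the default value 0. Returns the sanitized
    inputs and the vector c = (c_1, ..., c_n)."""
    c = [zero_one_check(x) for x in inputs]
    return [0 if ci else x for x, ci in zip(inputs, c)], c


def accepted_values():
    """All elements of GF(2^8) that pass the check, found by exhaustion."""
    return [x for x in range(256) if zero_one_check(x) == 0]


if __name__ == "__main__":
    # constructed inputs: two honest bits and one adversarial element 0x53
    sanitized, c = enforce_inputs([1, 0, 0x53])
    print("check vector:", c, "sanitized inputs:", sanitized)
    print("without the check, NAND(0x53, 1) would be", nand_arith(0x53, 1))
    print("elements passing the check:", accepted_values())
```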

Putting things together. The detailed description of protocol $\pi_{\text{A-SFE}}(\text{Circ}, \mathcal{P})$ is presented in Fig. 5. As already said, we describe the protocol in the $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$-hybrid model, where $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ can be replaced with $\pi'_{\text{BKR}}$ using Lemma 1 and the universal composition theorem. At a high level, the protocol proceeds as follows: In the first phase, the parties send their inputs to the functionality $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$. The (randomized) function $f^{\text{Circ}}_{\text{PREP}}$ chooses the random masks, the subkeys, and computes Shamir sharings of the masked function tables (which are the values that need to be encrypted). Moreover, based on the inputs, it computes the masked value and the corresponding key of every input wire. The formal specification of $f^{\text{Circ}}_{\text{PREP}}$ can be found in Fig. 4. The fact that $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ can be evaluated by a constant-depth circuit is illustrated in Fig. 6, which provides a diagram describing the structure of such a circuit. Each of the rectangles corresponds to a collection of independent constant-depth circuits that are evaluated in parallel.

In the second phase of the protocol, as soon as a party receives output from $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$, it encrypts all the shares obtained using the appropriate subkeys and sends the resulting ciphertexts to all parties, as shown in Fig. 5. Then, it proceeds to locally evaluate the gates. For each gate, the party waits for ciphertexts from other parties and decrypts them. For a specific entry in the function table, the party has to wait until it has $2t+1$ $t$-consistent shares of that entry (see again Fig. 5).^24 Note that since all of the at least $2t+1$ honest parties are guaranteed to obtain an output from $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$, they will all properly encrypt their function tables and send out the resulting ciphertexts. Therefore, the wait for $2t+1$ $t$-consistent shares is finite.

24 Note that using the Berlekamp-Welch algorithm, this can be achieved efficiently.

[Diagram of Fig. 6 not reproduced; the only label recoverable from it is "Outputs".]

Fig. 6. Bird's-eye view of the arithmetic circuit Prep computing function $f^{\text{Circ}}_{\text{PREP}}$. Each box represents a constant-depth circuit.


4.2 Analysis of the Protocol 

Theorem 2. Let Circ be a given Boolean circuit and $f_{\text{Circ}}$ be the $n$-party function computed by Circ. Protocol $\pi_{\text{A-SFE}}(\text{Circ}, \mathcal{P})$ securely realizes $\mathcal{F}^{f_{\text{Circ}}}_{\text{A-SFE}}$ in the $\{\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}, \mathcal{F}_{\text{A-SMT}}\}$-hybrid model tolerating an adaptive adversary who corrupts up to $t < n/3$ of the parties and making black-box use of a PRF.

A full proof of Theorem 2 can be found in the full version of this paper [18]. Here we only provide a high-level sketch.

Proof (sketch). The output of each party from the evaluation of $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ contains (among other things) a $t$-out-of-$n$ sharing of the garbled circuit for computing function $f_{\text{Circ}}$. After receiving the output from $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ and encrypting as described in Fig. 5, the only time the parties have to wait is for the encryptions of $2t+1$ $t$-consistent shares of garbled function-table entries from other parties. Since all of the at least $2t+1$ honest parties are guaranteed to obtain an output from $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$, they will all properly encrypt their function tables and send out the resulting ciphertexts at some point. Therefore, the wait for $2t+1$ $t$-consistent shares is finite.

Moreover, the adversary cannot make an honest party accept a wrong value for any entry of the garbled gate: Observe that in any set of $2t+1$ shares that a party receives, at least $t+1$ are from honest parties. These $t+1$ shares uniquely define the degree-$t$ sharing polynomial $F$ and, therefore, they can only be combined with correct shares (as output by $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$). This implies that wrong shares sent by the adversary cannot make any honest party choose any other polynomial than $F$.
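The share-reconstruction step that the distributed-encryption paragraph, step (b) of Fig. 5 and the argument just given all rely on, as an added example that is not the paper's code: Shamir sharing over a constructed prime field, the $t$-consistency check, and the wait for $2t+1$ $t$-consistent shares while two corrupted parties send wrong shares. The parameters $n = 7$, $t = 2$, the field and the party indices are constructed for the example.

```python
import itertools
import secrets

P = (1 << 61) - 1  # prime field for the Shamir sharing; a constructed choice


def share(secret: int, n: int, t: int) -> dict:
    """Degree-t Shamir sharing of secret: party i in 1..n receives F(i)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def lagrange_eval(points: dict, x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through
    the given (index, value) points; x = 0 recovers the shared secret."""
    total = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def t_consistent(points: dict, t: int) -> bool:
    """True iff all points lie on a single polynomial of degree at most t:
    t+1 of them fix the polynomial, the rest must agree with it."""
    idx = sorted(points)
    base = {i: points[i] for i in idx[: t + 1]}
    return all(lagrange_eval(base, i) == points[i] for i in idx[t + 1:])


def try_reconstruct(received: dict, t: int):
    """The wait of Fig. 5, step (b): return the secret once some 2t+1 of the
    received shares are t-consistent, otherwise None (keep waiting). Any such
    subset contains t+1 honest shares, which pin down F, so the result is the
    honest secret even if corrupted shares are in the subset. Exhaustive subset
    search is fine for small n; Berlekamp-Welch (footnote 24) is the efficient way."""
    if len(received) < 2 * t + 1:
        return None
    for subset in itertools.combinations(sorted(received), 2 * t + 1):
        pts = {i: received[i] for i in subset}
        if t_consistent(pts, t):
            return lagrange_eval(pts, 0)
    return None


def demo(secret: int, n: int = 7, t: int = 2):
    """Constructed run: parties 6 and 7 are corrupted and deliver wrong shares
    first; honest shares from parties 1..5 then arrive one by one. Returns the
    reconstruction attempt after four honest shares and after five."""
    honest = share(secret, n, t)
    received = {6: (honest[6] + 1) % P, 7: (honest[7] + 2) % P}  # off F
    after_four = None
    for i in range(1, 6):
        received[i] = honest[i]
        if i == 4:
            after_four = try_reconstruct(received, t)
    return after_four, try_reconstruct(received, t)


if __name__ == "__main__":
    print(demo(42))
```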

Constant-Round Asynchronous Multi-Party Computation 1017

The simulator $\mathcal{S}$ for an adversary $\mathcal{A}$ roughly proceeds as follows: It emulates towards $\mathcal{A}$ the behavior of $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$ and the channels $\mathcal{F}_{\text{A-SMT}}$. The security of the circuit-garbling technique and that of Shamir sharings allows $\mathcal{S}$ to perfectly simulate the entries of the garbled function tables that one would decrypt during a local evaluation of the garbled circuit, even without knowing the actual inputs. Moreover, the security of the double-key cipher ensures that the remaining entries are hidden, and can thus be replaced by dummy values (which can again be done without knowing the inputs) without causing a noticeable difference in the view of $\mathcal{A}$. □

We now turn to the analysis of the protocol's round complexity. It is straightforward to verify that our protocol (assuming hybrid $\mathcal{F}^{f^{\text{Circ}}_{\text{PREP}}}_{\text{A-SFE}}$) needs only two communication rounds for each party $p_i$: one round in which $p_i$ sends its inputs to the functionality and receives its outputs, and one round in which $p_i$ sends all its corresponding encryptions and receives the encryptions of other parties. Moreover, the function $f^{\text{Circ}}_{\text{PREP}}$ can be represented by an arithmetic circuit Prep over a finite field $\mathbb{F}$ with constant (multiplicative) depth: The players first jointly generate the subkeys and the masks. A straightforward method for generating a random field element (such as the subkeys) is to take a random input from every party and compute the sum. Generating a random bit $b \in \{0, 1\} \subseteq \mathbb{F}$ can be reduced to generating random field elements as shown by Genkin et al. [24]. Given the masks and the subkeys, computing the function table and a Shamir sharing thereof can clearly be done in constant depth and, most importantly, in parallel for every gate.

Combining the above and Theorem 2 with Theorem 1 yields the following 
corollary: 

Corollary 1. Let Circ be a given Boolean circuit and $f_{\text{Circ}}$ be the $n$-party function computed by Circ. There exists a constant-round protocol which securely realizes $\mathcal{F}^{f_{\text{Circ}}}_{\text{A-SFE}}$ in the $\{\mathcal{F}_{\text{A-BA}}, \mathcal{F}_{\text{A-SMT}}\}$-hybrid model tolerating an adaptive adversary who corrupts up to $t < n/3$ of the parties and making black-box use of a PRF.

A A History and Related Work (cont’d) 

Here we provide a fuller account of related work and put our results in perspec- 
tive. To give a more complete picture, we start by discussing the development of 
MPC protocols in the synchronous setting, and then contrast it with the devel- 
opment in the asynchronous setting. Along the way we also discuss the tools 
(e.g., setup assumptions and communication resources) that are used in each 
setting. 

Starting with Yao's seminal paper [36], which introduced the problem of MPC and provided the first solution, a long line of interesting results proved feasibility bounds for synchronous networks in various adversarial settings. Goldreich, Micali, and Wigderson [25,26] proved that under computational assumptions (the existence of enhanced trapdoor permutations), any $n$-party function can be securely computed if and only if up to $t < n$ parties are corrupted passively or up to $t < n/2$ actively. Corresponding bounds for information-theoretic security were shown by Ben-Or, Goldwasser, and Wigderson [7], who proved that perfect security is possible if and only if the adversary corrupts up to $t < n/2$ parties passively or up to $t < n/3$ actively. Similar bounds were concurrently proved by Chaum, Crepeau, and Damgard [16] for the case where a negligible error probability is allowed and were later improved by Rabin and Ben-Or [33] to achieve optimal resiliency $t < n/2$.

The above works assume point-to-point secure communication and a broadcast channel and, under these assumptions, are secure even against an adaptive adversary [14]. However, in [25,26] both these resources can be implemented with adaptive security assuming a public-key infrastructure and non-committing encryption [14,29]. Similarly, the broadcast channel in [7,16,33] can be emulated by an adaptively secure broadcast protocol [29].^25 The round complexity of all the above protocols in the malicious multi-party setting, even with the assumption of a broadcast channel, is linear in the multiplicative depth of the arithmetic circuit corresponding to the function the parties aim to compute.

Beaver, Micali, and Rogaway [2] were the first to provide a constant-round 
MPC protocol in the synchronous stand-alone model. Their protocol is secure in 
the computational setting and tolerates an adaptive adversary who actively cor- 
rupts up to t < n/2 parties. The complexity of [2] was improved by Damgard and 
Ishai [19], who provided the first constant-round protocol making black-box use 
of the underlying cryptographic primitive (a pseudo-random generator) . Impor- 
tantly, both [2] and [19] assume a broadcast channel, an assumption essential 
for obtaining constant-round MPC. Indeed, as proved in [20,22], it is impossible 
to implement such a broadcast channel from point-to-point communication in 
a constant number of rounds, and although expected constant-round broadcast 
protocols exist in the literature (e.g., [21,30]), using them to instantiate calls 
within the constructions of [2] or [19] would not yield an expected constant- 
round protocol [6]. The intuitive reason — formally argued by Ben-Or and 
El-Yaniv [6] — is that the process of running n such broadcast protocols (even in 
parallel) does not terminate in an expected constant number of rounds. 

The model of asynchronous communication with eventual delivery was considered early on in seminal works on fault-tolerant distributed computing (e.g., [23]). The study of optimally resilient MPC in such an asynchronous network was initiated by Ben-Or, Canetti, and Goldreich [5], who proved that any function can be computed by a perfectly secure asynchronous protocol if and only if at most $t < n/4$ parties are corrupted. Following that result, Ben-Or, Kelmer, and Rabin [8] showed that if a negligible error probability is allowed, the bound $t < n/3$ is necessary and sufficient for asynchronous MPC.^26 More recently, Hirt et al. [27,28] provided computationally secure solutions (i.e., protocols tolerating a computationally bounded adversary) and Beerliova and Hirt [3] perfectly secure solutions with improved communication complexity.

25 Because [33] tolerates even $n/3 < t < n/2$ corrupted parties, the emulation of broadcast would require an additional setup of information-theoretic pseudo-signatures [32].

26 The necessity of the $t < n/3$ bound follows from the result by Canetti et al. [5,12], who argue that this bound is necessary for fail-stop adversaries; it also applies to computational security and assuming A-BA. Moreover, note that in the asynchronous setting, all feasibility bounds are worse by an additive term of $t$ compared to the synchronous setting. Intuitively, this stems from the fact that honest parties cannot distinguish between messages by other honest parties being delayed and messages by corrupted parties not being sent. Thus, in particular, perfectly secure asynchronous MPC is possible only if $t < n/4$.

The above asynchronous protocols are secure if one assumes point-to-point 
communication and an A-BA protocol. Similarly to their synchronous counter- 
parts, all the above protocols — even assuming an A-BA primitive — have round 
complexity linear in the multiplicative depth of the arithmetic circuit that com- 
putes the function, as they follow the standard gate-by-gate evaluation paradigm. 

We note in passing that although in the synchronous setting BA implies broadcast, this is not the case in the asynchronous setting. Indeed, Canetti and Rabin [15] provide an asynchronous BA protocol tolerating t < n/3 malicious parties, which, if every honest party terminates at the latest after a polylogarithmic number of rounds, securely implements asynchronous BA except with negligible probability. A broadcast protocol with similar guarantees is provably impossible [23], and existence of an asynchronous BA protocol which terminates in a strict constant number of rounds would contradict the impossibility from [20,22]. Similarly to the synchronous case, although solutions for asynchronous BA with expected constant number of rounds exist [11,15], using them in the above asynchronous protocol to replace invocations to asynchronous BA would not yield an expected constant-round MPC protocol [6]. 27

Finally, if one gives up the requirement that the broadcast protocol (eventually) terminates when the sender is corrupted (this results in a primitive known as A-Cast [10]), then one can implement it even in a constant number of rounds. (In fact, A-Cast can be easily reduced to asynchronous BA by having the sender send his input to all parties, who then forward this input as soon as it is received to the asynchronous BA primitive.)
Abstract. Garbled circuits is a cryptographic technique, which has been used among other things for the construction of two and three-party secure computation, private function evaluation and secure outsourcing. Garbling schemes is a primitive which formalizes the syntax and security properties of garbled circuits. We define a generalization of garbling schemes called reactive garbling schemes. We consider functions and garbled functions taking multiple inputs and giving multiple outputs. Two garbled functions can be linked together: an encoded output of one garbled function can be transformed into an encoded input of the other garbled function without communication between the parties. Reactive garbling schemes also allow partial evaluation of garbled functions even when only some of the encoded inputs are provided. It is possible to further evaluate the linked garbled functions when more garbled inputs become available. It is also possible to later garble more functions and link them to the ongoing garbled evaluation. We provide rigorous definitions for reactive garbling schemes. We define a new notion of security for reactive garbling schemes called confidentiality. We provide both simulation based and indistinguishability based notions of security. We also show that the simulation based notion of security implies the indistinguishability based notion of security. We present an instantiation of reactive garbling schemes. We finally present an application of reactive garbling schemes to reactive two-party computation secure against a malicious, static adversary.


1 Introduction 

Garbled circuits is a technique originating in the work of Yao and later formalised by Bellare, Hoang and Rogaway [2], who introduced the notion of a garbling scheme along with an instantiation. Garbling schemes have found a wide range of applications. However, many of these applications are using specific constructions of garbled circuits instead of the abstract notion of a garbling scheme. One possible explanation is that the notion of a garbling scheme falls short of capturing many of the current uses. In the notion of a garbling scheme, the constructed garbled function can only be used for a single evaluation and the garbled function has no further use. In contrast, many of the most interesting current applications of garbled circuits have a more granular look at garbling, where several components are garbled, dynamically glued together and possibly evaluated at different points in time. We now give a few examples of this.

In the standard cut-and-choose paradigm for two-party computation, Alice sends s copies of a garbled function to Bob. Half of the garblings (chosen by Bob) are opened to check that they were correctly constructed. This guarantees that the majority of the remaining instances were correctly constructed. Alice and Bob then use the remaining garblings for evaluation. Bob takes the majority output of these evaluations as his output. Although conceptually simple, this introduces a number of problems: Bob must ensure that Alice uses consistent inputs. It is also required that the probability that Bob aborts does not depend on his choice of input. Previous protocols solve these problems by doing white-box modifications of the underlying garbling scheme. We will show how to solve these problems by using reactive garbling schemes in a black-box manner.

In [18], Lindell presents a very efficient protocol for achieving active secure two-party computation from garbled circuits. In the scheme of Lindell, first s circuits are sent. Then a random subset of them are opened up to test that they were correctly constructed and the rest, the so-called evaluation circuits, are then evaluated in parallel. If the evaluations don’t all give the same output, then the evaluator can construct a certificate of cheating which can be fed into a small corrective garbled circuit. Another example is a technique introduced simultaneously by Kreuter, shelat and Shen [16] and Frederiksen, Jakobsen and Nielsen [6], where a part of the circuit which checks the so-called input consistency of one of the parties is constructed after the main garbled circuit has been constructed and after Alice has given her input. We use a similar technique in our example application, showing that this trick can be applied to (reactive) garbling schemes in general. Another example is the work of Huang, Katz, Kolesnikov, Kumaresan and Malozemoff [14] on amortising garbled circuits, where one of the analytic challenges is a setting where many circuits are garbled prior to inputs being given. Our security notion allows this behaviour and this part of their protocol could therefore be cast as using a general (reactive) garbling scheme. Another example is the work of Huang, Evans, Katz and Malka [13] on fast secure two-party computation using garbled circuits, where they use pipelining: the circuit is garbled and evaluated in blocks for efficiency. Finally, we remark that sometimes the issue of garbling many circuits and gluing them together and having them interact with other security components can also lead to subtle insecurity problems, as demonstrated by the notion of a garbled RAM as introduced by Lu and Ostrovsky in [19], where the construction was later proven to be insecure by Gentry, Halevi, Lu, Ostrovsky, Raykova and Wichs [10]. We believe that having well founded abstract notions of partial garbling and gluing will make it harder to overlook security problems.

Our goal is to introduce a notion of reactive garbling schemes, which is general enough to capture the use of garbled circuits in most of the existing applications and which will hopefully form a foundation for many future applications of garbling schemes. Reactive garbling schemes generalize garbling schemes in several ways. First of all, we allow a garbled evaluation to save a state and use it in further computations. Specifically, when garbling a function $f$ one can link it to a previous garbling of some function $g$ and as a result get a garbling of $f \circ g$. Even more, given two independent garblings of $f$ and $g$, it is possible to do a linking which will produce a garbling of $f \circ g$ or $g \circ f$. The linking depends only on the output encoding and input encoding of the linked garblings. We also allow garbling of a single function which allows partial evaluation and which allows dynamic input selection based on partial outputs. This can be mixed with linking, so that the choice of which functions to garble and link can be based on partial outputs. This can be important in reactive secure computation which allows inputs to arrive gradually and allows branching based on public partial outputs. We introduce the syntax and security definitions for this notion. We give an instantiation of reactive garbling schemes in the random oracle model. We also construct a reactive, maliciously UC secure two-party computation protocol based on reactive garbling schemes in a black-box manner.


1.1 Discussion and Motivation 

In this section, we describe the purpose of our framework and why certain design 
choices were made for the framework in this paper. 

One of the main goals of garbling schemes was to define a primitive that 
would be used in constructions without relying on the underlying instantiation. 
Unfortunately, most secure two-party computation protocols still rely on garbled 
circuits to provide security. In some sense, the notion of garbling schemes is not 
able to achieve this goal for the given task. One way of thinking of our result is 
to note that many techniques that previously only worked for garbled circuits, 
now work for reactive garbling schemes. 

More precisely, to achieve reactive secure computation, the protocol for reactive computation shows how three issues which typically are solved using the underlying instantiation of garbled circuits in cut-and-choose protocols can be solved using reactive garbling schemes. These issues are Alice’s input consistency, selective failure attacks and how to run the simulator against a corrupted Bob. We solve these three issues by using the notion of reactive garbling schemes. This means that many protocols in the literature can easily be modified to achieve security by only relying on the properties of reactive garbling schemes.

We now discuss why certain design choices were made. In particular, why we included notions such as linking multiple output wires to a single input wire, partial evaluation and output encoding. The reason that we allow multiple output wires to link to a single input wire is that otherwise we would exclude important constructions such as Minilego [7] and Lindell’s reduced circuit optimization [18].

Output encodings are important for many reasons. First, they provide a method for defining linking: because of this notion, it is easy to define a linking as information which allows an encoded output to be converted into an encoded input. Secondly, in certain cases, constructions based on garbling schemes require a special property of the encoded output which otherwise cannot be described. This is the case of [11] where the encoded input has to be the same size as the encoded output. It is also useful for output reuse, covers pipelining and has applications to protocols where the receiver can use a proof of cheating to extract the sender’s input.
We included partial evaluation for two main reasons. First, we consider that it can be an important feature for reactive computation, secure outsourcing and secure computation where a partial output would be valuable. A partial output could be used to determine what future computation to run on data. In addition, we could garble blocks of functions and decide to link certain blocks together based on partial outputs.

In addition, many schemes in the literature inherently allow partial evaluation and not allowing partial evaluation imposes artificial restrictions on the constructions. For example, fine-grained privacy in [1] cannot be realized by standard schemes precisely because those schemes give out partial outputs.


1.2 Recasting Previous Constructions 

The concept of using output encoding and linking has been implicitly used in many previous works. In particular, in cut-and-choose protocols, it has been used in [5,6,17,23] to enforce sender input consistency (ensure that the sender uses the same input in each instance) and to prevent selective failure attacks (an attack that works by having the probability that the receiver aborts depend on his choice of input). These concepts have also been used for different optimizations. Pipelining [13,16] and output reuse [11,20] are examples of direct optimizations. Linking has also been employed to reduce the number of circuits that need to be sent in protocols that apply cut-and-choose at the circuit level [4,18]. This is done by adding a phase where a receiver can extract the input of a cheating sender. Another example is gate soldering [7,21]. This technique works by employing cut-and-choose at the gate level. The gates are then randomly split among different buckets and soldered together. This optimization reduces the replication factor for a security $\Theta(s)$ to $O(\log(n))$ where $n$ is the number of non-XOR gates. There are many applications that benefit from output encoding and linking in garbling schemes. In addition, if we allow sequences where the input is chosen as a function of the garbling, reactive garbling schemes are also adaptive. The constructions of [9,12] require adaptive garbling.


1.3 Structure of the Paper 

In Sect. 2, we give the preliminaries. In Sect. 3, we define the syntax and security of reactive garbling schemes. In Sect. 4, we describe an instantiation of a reactive garbling scheme. In Sect. 4.1, we give a full description of the reactive garbling scheme. In Sect. 5, we give an intuitive description of the reactive two-party computation protocol based on reactive garbling schemes. In Sect. 5.1, we provide a full description of the reactive two-party computation protocol. We note that the techniques that we introduce in Sect. 5 can be applied to previous secure two-party computation protocols to convert them into constructions that only use reactive garbling schemes in a black-box manner. There is a full version of the paper with more details [22]. In the full version there is a detailed simulation proof that our reactive computation protocol is secure, a proof of security of our reactive garbling scheme using the indistinguishability based notion of security, we recast Lindell’s construction using reactive garbling schemes, we describe Minilego’s garbling and soldering as a reactive garbling scheme, and we prove security of our garbling scheme using the simulation based definition of confidentiality. We also show that the simulation based definition implies the indistinguishability based definition of security.


2 Preliminaries 


Let $\mathbb{N}$ be the set of natural numbers. For $n \in \mathbb{N}$, let $\{0,1\}^n$ be the set of $n$-bit strings. Let $\{0,1\}^* = \bigcup_{n \in \mathbb{N}} \{0,1\}^n$. We use $\top$ and $\bot$ as the syntax for true and false and we assume that $\top, \bot \notin \{0,1\}^*$. We use $()$ to denote the empty sequence. For a sequence $\sigma$, we use $x \in \sigma$ to denote that $x$ is in the sequence. When we iterate over $x \in \sigma$ in a for-loop, we do it from left to right. For a sequence $\sigma$ and an element $x$ we use $\sigma \,\|\, x$ to denote that we append $x$ to $\sigma$. We use $\|$ to denote concatenation of sequences. When unambiguous, we also use juxtaposition for concatenating and appending. We use $x \leftarrow X$ to denote sampling a uniformly random $x$ from a finite set $X$. We use $[A]$ to denote the possible legal outputs of an algorithm $A$. This is just the set of possible outputs, with $\bot$ removed.

We prove security of protocols in the UC framework and we assume that the reader is familiar with the framework. When we specify entities for the UC framework, ideal functionalities, parties in protocols, adversaries and simulators, we give them by a set of rules of the form Example (which sends $(x_1, x_2)$ to the adversary in its last line). In Fig. 1, we give an example of a rule. For a line of the form “send m to P.R”, where P is another entity and R the name of a rule, the entity will send (R, id, m) to P, where id is a unique identifier of the rule that is sending, including the session and sub-session identifier, in case many copies of the same rule are currently in execution. We then give (R, id, ?) to the adversary and let the adversary decide when to deliver the message. Here ? is just a special reserved string indicating that the real input has been removed. When a message of the form (R, id, m) arrives from an entity A, the receiver stores (R, A, id, m) in a pool of pending messages and turns the activation over to the adversary. A line of the form “on P from A” executed in a rule named R running with identifier id and where P is a pattern, is executed as follows. The entity executing the rule stores (R, A, id, P) in a pool of pending receives and turns over the activation to the adversary. We say that a pending message (R, A, id, m) matches pending receive (R, A, id, P) if m can be parsed on the form P. Whenever an entity turns over the activation to the adversary it sends along (R, A, id, ?) for all matched (R, A, id, P), where ? is just a special reserved bit-string. There is a special procedure Initialize which is executed once, when the entity is created. All other rules begin with an on-command. The rule is considered ready for id if the first line is of the form “on P from A” and (R, A, id, P) is matched and the rule was never executed with identifier id. In that case (R, A, id, P) is considered to be in the set of pending receives. If the adversary sends (R, A, id, ?) to an entity that has some pending receive (R, A, id, P) matched by some pending message (R, A, id, m), then the entity parses m using P and starts executing right after the line “on P from A” which added (R, A, id, P) to the list of pending receives. A line of the form “await P” where P is a predicate on the state of the entity works like the on-command. The line turns activation over to the adversary along with an identifier, and the entity will report to the adversary which predicates have become true. The adversary can instruct the entity to resume execution right after any “await P” where P is true on the state of the entity. If an entity executes a rule which terminates, it turns the activation over to the adversary. The keyword abort makes an entity terminate and ignore all future inputs. A line of the form “verify P” makes the entity abort if P is not true on the state of the entity. We use A to denote the adversary and Z to denote the environment. A line of the form “on P” is equivalent to “on P from Z”. When specifying ideal functionalities we use Corrupt to denote the set of corrupted parties.

rule Example
  on (7, x_1) from A
  on x_2 from B
  x ← 0
  x ← x_1 ∥ x_2
  z ← 0
  for y ∈ (1, 2, 4) do
    if z > y then abort
    z ← z + y
  send x to A

Fig. 1. A rule

We define security of cryptographic schemes via code-based games [3]. The game is given by a set of procedures. There is a special procedure Initialize which is called once, as the first call. There is another special procedure Finalize which may be called by the adversary. The output is true or false, $\top$ or $\bot$, where $\top$ indicates that the adversary won the game. In between Initialize and Finalize, the adversary might call the other procedures at will. The other procedures might also output $\bot$ or $\top$ at which point the game ends with that output. Other outputs go back to the adversary.

3 Syntax and Security of Reactive Garbling Schemes 

Section overview. We will start by defining the notion of gradual function; this will allow us to describe the type of functions that can be garbled. The functions that we define, in contrast to those of standard garbling schemes, allow multiple inputs and outputs as well as partial evaluation.

Next, we will define the syntax of a reactive garbling scheme in the same way that a garbling scheme was described before. We will describe tags, a way of assigning identities to garbled functions, so that we can refer to them later. We will then describe different algorithms: how to encode inputs, decode outputs, link garblings together and other algorithms. Next, we will define correctness. The work of [2] defined the notion of correctness by comparing it to a plaintext evaluation. We define the notion of garbling sequences which is the equivalent of plaintext evaluation but for reactive garbling. Some garbling sequences don’t make sense, for example producing an encoded input for a function that has not been defined. As a result, we will define the concept of legal garbling sequences to avoid sequences that are nonsensical. Finally, we can define correctness by comparing the plaintext evaluation of a garbling sequence with the evaluation of a garbling sequence by applying the algorithms defined before. We then use the notion of garbling sequence to define the side-information function for reactive garbling. This is necessary to describe our notion of security which we call confidentiality.

Gradual Functions. We first define the notion of a gradual function. A gradual function is an extension of the usual notion of a function $f : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$, where we allow to partially evaluate the function on a subset of the input components. Some output components might become available before all input components have arrived. We require that when an output component has become available, it cannot become unavailable or change as more input components arrive. We also require that the set of available outputs depends only on which inputs are ready, not on the exact value of the inputs. In our framework, we only allow garblings of gradual functions. This allows us to define partial evaluation and to avoid issues such as circular evaluation and determining when outputs are defined. These issues would make our framework more complex. The access function will be the function describing which outputs are available when a given set of inputs is ready. We will use $\bot$ to denote that an input is not yet specified and that an output is not yet available. We therefore require that $\bot$ is not a usual input or output of the function. We now formalize these notions. For a function $f : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$ we use the following notation:

$f.n := n$ and $f.m := m$, $f.A := A_1 \times \cdots \times A_n$, $f.B := B_1 \times \cdots \times B_m$, and $f.A_i := A_i$ and $f.B_i := B_i$.

Definition 1. We use component to denote a set $C = \{0,1\}^\ell \cup \{\bot\}$ for some $\ell \in \mathbb{N}$, where $\bot \notin \{0,1\}^*$. We call $\ell$ the length of $C$ and we write $\mathrm{len}(C) = \ell$. Let $C_1, \ldots, C_n$ be components and let $x', x \in C_1 \times \cdots \times C_n$.

- We say that $x'$ is an extension of $x$, written $x \sqsubseteq x'$, if $x_i \neq \bot$ implies that $x_i = x'_i$ for $i = 1, \ldots, n$.

- We say that $x$ and $x'$ are equivalently undefined, written $x \approx x'$, if for all $i = 1, \ldots, n$ it holds that $x_i = \bot$ iff $x'_i = \bot$.

Definition 2 (Gradual Function). Let $A_1, \ldots, A_n, B_1, \ldots, B_m$ be components and let $f : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$. We say that $f$ is a gradual function if it is monotone and variable defined.

- It is monotone if for all $x, x' \in A_1 \times \cdots \times A_n$ it holds that $x \sqsubseteq x'$ implies that $f(x) \sqsubseteq f(x')$.

- It is variable defined if $x \approx x'$ implies that $f(x) \approx f(x')$.

We say that an algorithm computes a gradual function $f : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$ if on all inputs $x \in A_1 \times \cdots \times A_n$ it accepts with output $f(x)$ and on all other inputs it rejects. We define a notion of access function which specifies which output components will be available given that a given subset of input components are available.
Definition 3 (Access Function). The access function of a gradual function $f : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$ is a function $\mathrm{access}(f) : \{\bot, \top\}^n \to \{\bot, \top\}^m$ defined as follows. For $j = 1, \ldots, m$, let $q_j : B_j \to \{\bot, \top\}$ be the function where $q_j(\bot) = \bot$ and $q_j(y) = \top$ otherwise. Let $q : B_1 \times \cdots \times B_m \to \{\bot, \top\}^m$ be the function $(y_1, \ldots, y_m) \mapsto (q_1(y_1), \ldots, q_m(y_m))$. For $i = 1, \ldots, n$, let $p_i : \{\bot, \top\} \to A_i$ be the function with $p_i(\bot) = \bot$ and $p_i(\top) = 0^{\mathrm{len}(A_i)}$. Let $p : \{\bot, \top\}^n \to A_1 \times \cdots \times A_n$ be the function $(x_1, \ldots, x_n) \mapsto (p_1(x_1), \ldots, p_n(x_n))$. Then $\mathrm{access}(f) = q \circ f \circ p$.

Definition 4 (Gradual functional similarity). Let $f, g$ be gradual functions. We say that $f$ is similar to $g$ ($f \sim g$) if $f.n = g.n$, $f.m = g.m$, $f.A = g.A$, $f.B = g.B$ and $\mathrm{access}(f) = \mathrm{access}(g)$.

In the following, if we use a function at a place where a gradual function is expected and nothing else is explicitly mentioned, we extend it to be a gradual function by adding $\bot$ to all input and output components and letting all outputs be undefined until all inputs are defined.
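As an added example, not code from the paper, the following Python checks the monotone and variable-defined conditions of Definition 2 by brute force over components of small bit-length and computes $\mathrm{access}(f) = q \circ f \circ p$ of Definition 3; the encoding of $\bot$ as None and the functions f_example and f_bad are constructed for this example.

```python
# Added example (not code from the paper): gradual functions over small
# components, the relations of Definition 1 and the access function of
# Definition 3. None stands for ⊥; every bit-string is a Python str.
from itertools import product

BOT = None  # ⊥: input not yet specified / output not yet available


def all_values(lengths):
    """Every element of C_1 x ... x C_n for components of the given bit-lengths."""
    comps = [[BOT] + ["".join(b) for b in product("01", repeat=l)] for l in lengths]
    return list(product(*comps))


def extends(x, x2):
    """x ⊑ x2: every coordinate of x that is not ⊥ is unchanged in x2."""
    return all(a == BOT or a == b for a, b in zip(x, x2))


def equiv_undefined(x, x2):
    """x ≈ x2: exactly the same coordinates are ⊥."""
    return all((a is BOT) == (b is BOT) for a, b in zip(x, x2))


def is_gradual(f, in_lengths):
    """Brute-force check that f is monotone and variable defined (Definition 2)."""
    dom = all_values(in_lengths)
    for x in dom:
        for x2 in dom:
            if extends(x, x2) and not extends(f(x), f(x2)):
                return False
            if equiv_undefined(x, x2) and not equiv_undefined(f(x), f(x2)):
                return False
    return True


def access(f, in_lengths):
    """access(f) = q ∘ f ∘ p as a table: readiness of inputs -> readiness of outputs."""
    table = {}
    for ready in product((False, True), repeat=len(in_lengths)):
        # p: ⊤ becomes the all-zero string of the component's length, ⊥ stays ⊥
        x = tuple("0" * l if r else BOT for r, l in zip(ready, in_lengths))
        # q: every output that is not ⊥ becomes ⊤
        table[ready] = tuple(y is not BOT for y in f(x))
    return table


def f_example(x):
    """Constructed gradual function with two 2-bit inputs: output 1 echoes
    input 1 and is ready as soon as input 1 is; output 2 is the XOR of both
    inputs and needs both of them."""
    a, b = x
    y2 = BOT if a is BOT or b is BOT else "".join(str(int(p) ^ int(q)) for p, q in zip(a, b))
    return (a, y2)


def f_bad(x):
    """Constructed non-gradual function: output 1 reports whether input 2 is
    still missing, so it changes once input 2 arrives (not monotone)."""
    a, b = x
    return ("1" if b is BOT else "0", BOT)


if __name__ == "__main__":
    print(is_gradual(f_example, (2, 2)))  # True
    print(is_gradual(f_bad, (2, 2)))      # False
    for pattern, out in access(f_example, (2, 2)).items():
        print(pattern, "->", out)
```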

Syntax of Algorithms. A reactive garbling scheme consists of seven algorithms $\mathcal{G} = (\mathrm{St}, \mathrm{Gb}, \mathrm{En}, \mathrm{Li}, \mathrm{Ev}, \mathrm{ev}, \mathrm{De})$. The algorithms St, Gb and Li are randomized and the other algorithms are deterministic. Gradual functions are described by strings $f$. We call $f$ the original gradual function. For each such description, we require that $\mathrm{ev}(f, \cdot)$ computes some gradual function $\mathrm{ev}(f, \cdot) : A_1 \times \cdots \times A_n \to B_1 \times \cdots \times B_m$. This is the function that $f$ describes. We often use $f$ also to denote the gradual function $\mathrm{ev}(f, \cdot)$.

- On input of a security parameter $k \in \mathbb{N}$, the setup algorithm outputs a pair of parameters $(\mathrm{sps}, \mathrm{pps}) \leftarrow \mathrm{St}(1^k)$, where $\mathrm{sps} \in \{0,1\}^*$ is the secret parameters and $\mathrm{pps} \in \{0,1\}^*$ is the public parameters. All other algorithms will also receive $1^k$ as their first input, but we will stop writing that explicitly.

- On input $f$, a tag^1 $t \in \{0,1\}^*$ and the secret parameters sps, the garbling algorithm Gb produces as output a quadruple of strings $(F, e, o, d)$, where $F$ is the garbled function, $e$ is the input encoding function, $d$ is the output decoding function, which is of the form $d = (d_1, \ldots, d_m)$, and $o$ is the output encoding function. When $(F, e, o, d) \leftarrow \mathrm{Gb}(\mathrm{sps}, f, t)$ we use $F_t$ to denote $F$, we use $d_{t,i}$ to denote the $i$-th entry of $d$, and similarly for the other components. This naming is unique by the function-tag uniqueness and garble-tag uniqueness conditions described later.

- The encoding algorithm En takes input $(e, t, i, x)$ and produces encoded input $X_{t,i}$.

- The linking algorithm Li takes input of the form $(t_1, i_1, t_2, i_2, o, e)$ and produces an output $L_{t_1,i_1,t_2,i_2}$ called the encoded linking information. Think of this as information which allows to take an encoded output $Y_{t_1,i_1}$ for $F_{t_1}$ and turn it into an encoded input $X_{t_2,i_2}$ for $F_{t_2}$. In other words, we link the output wire with index $i_1$ of the garbling with tag $t_1$ to the input wire with index $i_2$ of the garbling with tag $t_2$.

1 Some of the algorithms will take as input values output by other algorithms. To identify where these inputs originate from we use tags.

- The garbled evaluation algorithm Ev takes as input a set $\mathcal{F}$ of pairs $(t, F_t)$ where $t$ is a tag and $F_t$ a garbled function (let $T$ be the set of tags $t$ occurring in $\mathcal{F}$), a set $\mathcal{X}$ of triples $(t, i, X_{t,i})$ where $t \in T$, $i \in [F_t.n]$ and $X_{t,i} \neq \bot$ is an encoded input, and a set $\mathcal{L}$ of tuples $(t_1, i_1, t_2, i_2, L_{t_1,i_1,t_2,i_2})$ with $t_1, t_2 \in T$ and $i_1 \in [F_{t_1}.m]$ and $i_2 \in [F_{t_2}.n]$ and $L_{t_1,i_1,t_2,i_2} \neq \bot$ an encoded linking information. It outputs a set $\mathcal{Y} = \{(t, i, Y_{t,i})\}_{t \in T,\, i \in [F_t.m]}$, where each $Y_{t,i}$ is an encoded output. It might be that $Y_{t,i} = \bot$ if the corresponding output is not ready.

- The decoding algorithm takes input $(t, i, d_{t,i}, Y_{t,i})$, and produces a final output $y_{t,i}$. We require that $\mathrm{De}(\cdot, \cdot, \cdot, \bot) = \bot$. The reason for this is that $Y_{t,i} = \bot$ is used to signal that the encoded output cannot be computed yet, and we want this to decode to $y_{t,i} = \bot$. We extend the decoding algorithm to work on sets of decoding functions and sets of encoded outputs, by simply decoding each encoded output for which the corresponding output decoding function is given, as follows. For a set $\delta$, called the overall decoding function, consisting of triples of the form $(t, i, d_{t,i})$, and a set $\mathcal{Y}$ of triples of the form $(t, i, Y_{t,i})$, we let $\mathrm{De}(\delta, \mathcal{Y})$ output the set of $(t, i, \mathrm{De}(t, i, d_{t,i}, Y_{t,i}))$ for which $(t, i, d_{t,i}) \in \delta$ and $(t, i, Y_{t,i}) \in \mathcal{Y}$.


Basic requirements. We require that $f.n$ and $f.m$ can be computed in linear time from a function description $f$. We require that $\mathrm{len}(f.A_i)$ and $\mathrm{len}(f.B_j)$ can be computed in linear time for $i = 1, \ldots, n$ and $j = 1, \ldots, m$. We require that the same numbers can be computed in linear time from any garbling $F$ of $f$. We finally require that one can compute $\mathrm{access}(f)$ in polynomial time given a garbling $F$ of $f$. We do not impose the length condition and the non-degeneracy condition from [2], i.e., $e$ and $d$ might depend on $f$. Our security definitions ensure that the dependency does not leak unwarranted information (Fig. 2).

Projective Schemes. Following [2], we call a scheme projective (on input component $i$) if all $X \in \{\mathrm{En}(e, t, i, x) \mid x \in \{0,1\}^c\}$ are of the form $\{X_{1,0}, X_{1,1}\} \times \cdots \times \{X_{c,0}, X_{c,1}\}$, where $c = \mathrm{len}(f.A_i)$, and $\mathrm{En}(e, t, i, x) = (X_{1,x[1]}, \ldots, X_{c,x[c]})$. This should hold for all $k, f, t, i, x \in \{0,1\}^c$ and $(\mathrm{sps}, \mathrm{pps}) \in [\mathrm{St}(1^k)]$ and $(F, e, o, d) \in [\mathrm{Gb}(\mathrm{sps}, f, t)]$. As in [2] being projective is defined only relative to the input encodings. One can define a similar notion for output decodings. Having projective output decodings is needed for capturing some applications using reactive garbling schemes, for instance [18].

Fig. 2. Input-output behaviour of the central algorithms of a reactive garbling scheme. [Figure: Gb outputs $F_t$, $e_t = (e_{t,1}, \ldots, e_{t,n})$, $d_t = (d_{t,1}, \ldots, d_{t,m})$ and $o_t = (o_{t,1}, \ldots, o_{t,m})$; En maps $e_{t,i}$ and $x_{t,i}$ to $X_{t,i}$; De maps $d_{t,i}$ and $Y_{t,i}$ to $y_{t,i}$; Li takes $o_{t,i}$ and $e_{t_2,i_2}$; Ev maps the sets $\mathcal{F}$, $\mathcal{X}$ and $\mathcal{L}$ to $\mathcal{Y}$.]

Correctness. To define correctness, we need a notion of calling the algorithms of a garbling scheme in a meaningful order. For this purpose, we define a notion of garbling sequence $\sigma$. A garbling sequence is a sequence of garbling commands; each command has one of the following forms: $(\mathrm{Func}, f, t)$, $(\mathrm{Link}, t_1, i_1, t_2, i_2)$, $(\mathrm{Input}, t, i, x)$, $(\mathrm{Output}, t, i)$, $(\mathrm{Garble}, t)$. In the rest of the paper, we will use $\sigma$ to refer to a garbling sequence. A garbling sequence is called legal if the following conditions hold.

Function uniqueness: $\sigma$ does not contain distinct commands $(\mathrm{Func}, f_1, t)$ and $(\mathrm{Func}, f_2, t)$.

Garble uniqueness: Each command $(\mathrm{Garble}, t)$ occurs at most once in $\sigma$.

Garble legality: If $(\mathrm{Garble}, t)$ occurs in $\sigma$, it is preceded by $(\mathrm{Func}, \cdot, t)$.

Linkage legality: If the command $(\mathrm{Link}, t_1, i_1, t_2, i_2)$ occurs in $\sigma$, then the command is preceded by commands of the forms $(\mathrm{Func}, f_1, t_1)$, $(\mathrm{Garble}, t_1)$, $(\mathrm{Func}, f_2, t_2)$ and $(\mathrm{Garble}, t_2)$, and $1 \le i_1 \le f_1.m$, $1 \le i_2 \le f_2.n$ and $f_1.B_{i_1} = f_2.A_{i_2}$.

Input legality: If $(\mathrm{Input}, t, i, x)$ occurs in $\sigma$ it is preceded by $(\mathrm{Func}, f, t)$ and $(\mathrm{Garble}, t)$ and $x \in f.A_i \setminus \{\bot\}$.

Output legality: If $(\mathrm{Output}, t, i)$ occurs in $\sigma$ it is preceded by $(\mathrm{Func}, f, t)$ and $(\mathrm{Garble}, t)$ and $1 \le i \le f.m$.

Note that if a sequence is legal, then so is any prefix of the sequence. We call a garbling sequence illegal if it is not legal. Since we allow to link several output components onto the same input component we have to deal with the case where they carry different values. We consider this an error, and to catch it, we use the following safe assignment operator $u \Leftarrow v$:

  u ← Error   if v = Error
  u ← u       if v = ⊥
  u ← v       if u = ⊥ ∨ u = v
  u ← Error   otherwise

proc eval(σ ∈ L)
  for (Func, t, f) ∈ σ do
    f_t ← f
    for i = 1, …, f_t.n do x_{t,i} ← ⊥
    for j = 1, …, f_t.m do y_{t,j} ← ⊥
  for (Input, t, i, x) ∈ σ do x_{t,i} ⇐ x
  𝓨 ← ∅
  repeat
    U ← 𝓨
    for (Func, t, f) ∈ σ do
      (y_{t,1}, …, y_{t,f_t.m}) ← f(x_{t,1}, …, x_{t,f_t.n})
    for (Link, t_1, i_1, t_2, i_2) ∈ σ do x_{t_2,i_2} ⇐ y_{t_1,i_1}
    𝓨 ← {(t, i, y_{t,i}) | t ∈ Tags(σ), i = 1, …, f_t.m}
  until 𝓨 = U ∨ (·, ·, Error) ∈ 𝓨
  return 𝓨

Fig. 3. Plaintext evaluation
We now define an algorithm eval, which takes as input a legal garbling 
sequence σ and outputs a set of tuples (t, i, y_{t,i}), one for each command 
(output, t, i), where possibly y_{t,i} = ⊥. The values are computed by taking the 
least fix point of the evaluation of all the gradual functions, see Fig. 3. We call 
this the plain evaluation of σ. We extend the definition of a legal sequence to 
include the requirement that 

Input uniqueness: (·, ·, Error) ∉ eval(σ). 

Therefore the use of the safe assignment in eval is only to conveniently define 
the notion of legal sequence. In the rest of the paper we assume that all inputs 
to eval are legal. The values y_{t,i} ≠ ⊥ are by definition the values that are ready 
in σ, i.e., ready(σ) = {(t, i) | ∃(t, i, y_{t,i}) ∈ eval(σ) (y_{t,i} ≠ ⊥)}. Note that since the 
gradual functions are variable defined, which outputs are ready does not depend 
on the values of the inputs, except via whether they are ⊥ or not. 
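The legality conditions and the plain evaluation of Fig. 3 above, as an added Python example that is not part of the paper: it checks the structural legality conditions, runs eval as a least-fixpoint iteration with the safe assignment, and flags the Input-uniqueness violation when two linked outputs carry different values. The function representation (FuncDesc with n, m and a gradual ev routine), the index-range stand-in for the domain checks on f.A_i and f.B_i, and the rule that a gradual function maps an Error input to Error outputs are assumptions of this example, not definitions from the paper; the sample sequences are constructed.

```python
# Added example (not the paper's code): legality checks and eval of Fig. 3.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

BOT = None         # the symbol ⊥: value not yet available
ERROR = "Error"    # two linked outputs carried different values

@dataclass
class FuncDesc:
    n: int                          # number of input components
    m: int                          # number of output components
    ev: Callable[[list], list]      # gradual evaluation: may return BOT for unready outputs

def gradual(op: Callable) -> Callable[[list], list]:
    """Lift a total function to a gradual one: output is ⊥ until all inputs are set."""
    def ev(xs):
        return [BOT] if any(v is BOT for v in xs) else [op(*xs)]
    return ev

def is_legal(seq) -> bool:
    """Structural legality; domain checks f.A_i / f.B_i are approximated by index ranges."""
    funcs, garbled = {}, set()
    for cmd in seq:
        kind = cmd[0]
        if kind == "Func":                          # Function uniqueness
            _, t, f = cmd
            if t in funcs:
                return False
            funcs[t] = f
        elif kind == "Garble":                      # Garble legality and uniqueness
            t = cmd[1]
            if t not in funcs or t in garbled:
                return False
            garbled.add(t)
        elif kind == "input":                       # Input legality
            _, t, i, x = cmd
            if t not in garbled or not 1 <= i <= funcs[t].n or x is BOT:
                return False
        elif kind == "Link":                        # Linkage legality (type equality assumed)
            _, t1, i1, t2, i2 = cmd
            if t1 not in garbled or t2 not in garbled:
                return False
            if not (1 <= i1 <= funcs[t1].m and 1 <= i2 <= funcs[t2].n):
                return False
        elif kind == "output":                      # Output legality
            _, t, i = cmd
            if t not in garbled or not 1 <= i <= funcs[t].m:
                return False
        else:
            return False
    return True

def safe_assign(u, v):
    """Safe assignment u ⇐ v: Error if v is Error or u already holds a different value."""
    if v is ERROR:
        return ERROR
    if u is BOT or u == v:
        return v
    return ERROR

def plain_eval(seq) -> FrozenSet[Tuple]:
    """eval(σ) of Fig. 3: least fixed point over all gradual functions."""
    funcs = {cmd[1]: cmd[2] for cmd in seq if cmd[0] == "Func"}
    x = {(t, i): BOT for t, f in funcs.items() for i in range(1, f.n + 1)}
    y = {(t, j): BOT for t, f in funcs.items() for j in range(1, f.m + 1)}
    for cmd in seq:
        if cmd[0] == "input":
            x[cmd[1], cmd[2]] = cmd[3]
    T = frozenset()
    while True:
        U = T
        for t, f in funcs.items():
            xs = [x[t, i] for i in range(1, f.n + 1)]
            # assumption: an Error input makes every output of the function Error
            outs = [ERROR] * f.m if any(v is ERROR for v in xs) else f.ev(xs)
            for j, v in enumerate(outs, 1):
                y[t, j] = v
        for cmd in seq:
            if cmd[0] == "Link":
                _, t1, i1, t2, i2 = cmd
                x[t2, i2] = safe_assign(x[t2, i2], y[t1, i1])
        T = frozenset((t, j, y[t, j]) for t, f in funcs.items() for j in range(1, f.m + 1))
        if T == U or any(v is ERROR for _, _, v in T):
            return T

def input_unique(seq) -> bool:
    """The extra legality requirement: (·, ·, Error) ∉ eval(σ)."""
    return not any(v is ERROR for _, _, v in plain_eval(seq))

def ready(seq):
    """ready(σ): output components whose plain value is not ⊥."""
    return {(t, i) for t, i, v in plain_eval(seq) if v is not BOT}

# Constructed sample: f = AND, g = XOR, f's output linked into g's first input.
AND = FuncDesc(2, 1, gradual(lambda a, b: a & b))
XOR = FuncDesc(2, 1, gradual(lambda a, b: a ^ b))
SEQ_OK = [("Func", "f", AND), ("Garble", "f"), ("Func", "g", XOR), ("Garble", "g"),
          ("input", "f", 1, 1), ("input", "f", 2, 1), ("Link", "f", 1, "g", 1),
          ("input", "g", 2, 0), ("output", "g", 1)]
# A second function h whose output (0) is also linked onto g's first input (already 1).
SEQ_CONFLICT = SEQ_OK + [("Func", "h", AND), ("Garble", "h"), ("input", "h", 1, 0),
                         ("input", "h", 2, 1), ("Link", "h", 1, "g", 1)]
```

SEQ_CONFLICT passes every structural check, so it is only the Input-uniqueness requirement, enforced through the safe assignment inside eval, that rejects it; every prefix of SEQ_OK is legal, as the text notes.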


The procedure Eval in Fig. 4 demonstrates how a legal garbling sequence is 
intended to be translated into calls to the algorithms of the garbling scheme. 
We call the procedure executed by Eval garbled evaluation of σ. 

Lemma 1. For a function description f, let T(f) be the worst case running 
time of ev(f, ·). The algorithm eval will terminate in time poly(T|σ|(n + m)), 
where n = max_{(Func,t,f)∈σ} f.n, m = max_{(Func,t,f)∈σ} f.m, and 
T = max_{(Func,t,f)∈σ} T(f). 


proc Eval(σ ∈ L) 
  for c ∈ σ do 
    if c = (Func, t, f) then f_t ← f 
    if c = (Garble, t) then 
      (F_t, e_t, o_t, d_t) ← Gb(sps, f_t, t) 
      F ← F || (t, F_t) 
    if c = (input, t, i, x) then 
      X_{t,i} ← En(e_t, t, i, x) 
      X ← X || (t, i, X_{t,i}) 
    if c = (Link, t_1, i_1, t_2, i_2) then 
      L_{t_1,i_1,t_2,i_2} ← li(t_1, i_1, t_2, i_2, o_{t_1,i_1}, e_{t_2,i_2}) 
      L ← L || (t_1, i_1, t_2, i_2, L_{t_1,i_1,t_2,i_2}) 
    if c = (output, t, i) then 
      d ← d || (t, i, d_{t,i}) 
  return De(d, Ev(F, X, L)) 

Fig. 4. Garbled evaluation 

Proof. By monotonicity, if the loop in eval does not terminate, another variable 
y_{t,j} has changed from ⊥ to ≠ ⊥ and can never change value again. This 
bounds the number of iterations as needed. 


Side-Information Functions. We use the same notion of side-information func- 
tions as in [2]. A side information function Φ maps function descriptions f into 
the side information φ = Φ(f) ∈ {0, 1}*. Intuitively, a garbling of f should not 
leak more than Φ(f). The exact meaning of the side information functions is 
given by our security definition. We extend a side information function to the 
set of garbling sequences. For the empty sequence σ = () we let Φ(σ) = (). 
For a sequence σ, we define the side-information as Φ(σ) := Φ_σ(σ), 
where for a sequence σ and a command c: Φ_σ(σ || c) = Φ_σ(σ) || Φ_σ(c), 
where Φ_σ(Func, t, f) = (Func, t, Φ(f)), Φ_σ(Link, t_1, i_1, t_2, i_2) = (Link, t_1, i_1, t_2, i_2), 
Φ_σ(input, t, i, x) = (input, t, i, |x|), Φ_σ(Garble, t) = (Garble, t) and Φ_σ(output, t, i) = 
(output, t, i, y_{t,i}), where y_{t,i} is defined by eval(σ). 

Legal Sequence Classes. We define the notion of a legal sequence class L (rela- 
tive to a given side-information function Φ). It is a subset of the legal garbling 
sequences which additionally has these five properties: 

Monotone: If σ' || σ'' ∈ L, then σ' ∈ L. 

Input independent: If σ' || (input, t, i, x) || σ'' ∈ L, then σ' || (input, t, i, x') || σ'' ∈ 
L for all x' ∈ {0, 1}^{|x|}. 

Function independent: If σ' || (Func, t, f) || σ'' ∈ L, then σ' || (Func, t, f') || σ'' ∈ L 
for all f' with Φ(f') = Φ(f). 

Name invariant: If σ ∈ L and σ' is σ with all tags t replaced by t' = π(t) for 
an injection π, then σ' ∈ L. 

Efficient: Finally, the language L should be in P, i.e., membership in L is 
decidable in polynomial time. 

It is easy to see that the set of all legal garbling sequences is a legal sequence 
class. 

Definition 5 (Correctness). For a legal sequence class L and a reactive gar- 
bling scheme G we say that G is L-correct if for all σ ∈ L, it holds that 
De(Eval(σ)) ⊆ eval(σ) for all choices of randomness by the randomized algo- 
rithms. 


Function Individual Garbled Evaluation. The garbled evaluation function Ev just 
takes as input sets of garbled functions, inputs and linking information and then 
somehow produces a set of garbled outputs. It is often convenient to have more 
structure to the garbled evaluation than this. 


We say that garbled evaluation is function individual if each garbled function 
F is evaluated on its own. Specifically there exist deterministic poly-time 
algorithms Evl and Li called the individual garbled evaluation algorithm and 
the garbled linking algorithm. The input to Evl is a garbled function and some 
garbled inputs. For each fixed garbled function F with n = F.n and m = F.m the 
algorithm computes a gradual function Evl(F) : A_1 × ··· × A_n → B_1 × ··· × B_m 
and (X_1, ..., X_n) ↦ Evl(F, X_1, ..., X_n), with access(Evl(F)) = access(f), where f 
is the function garbled by F. We denote the output by (Y_1, ..., Y_m) = 
Evl(F, X_1, ..., X_n). The intention is that the Y_j are garbled outputs (or ⊥). To say 
that Ev has individual garbling we then require that it is defined from Evl and Li 
as in Fig. 5. 

proc Ev(F, X, L) 
  for (t, F) ∈ F do 
    F_t ← F 
    for i = 1, ..., F_t.n do X_{t,i} ← ⊥ 
  for (t, i, X) ∈ X do X_{t,i} ← X 
  T ← ∅ 
  repeat 
    U ← T 
    for (t, F_t) ∈ F do 
      (Y_{t,1}, ..., Y_{t,F_t.m}) ← Evl(F_t, (X_{t,1}, ..., X_{t,F_t.n})) 
    for (t_1, i_1, t_2, i_2, L) ∈ L do X_{t_2,i_2} ← Li(L, Y_{t_1,i_1}) 
    T ← {(t, i, Y_{t,i}) | t ∈ Tags(σ) ∧ i = 1, ..., F_t.m} 
  until T = U 
  return T 

Fig. 5. Function individual evaluation 

Security of Reactive Garbling. We define a notion of security that we call con- 
fidentiality, which unifies privacy and obliviousness as defined in [2]. Oblivious- 
ness says that if the evaluator is given a garbled function and garbled inputs 
but no output decoding function it can learn a garbled output of the function 
but learns no information on the plaintext value of the output. Privacy says 
that if the evaluator is given a garbled function, garbled inputs and the out- 
put decoding function it can learn the plaintext value of the function, but no 
other information, like intermediary values from the evaluation. It is necessary 
to synthesise these properties as we envision protocols where the receiver of the 
garbled functions might receive the output decoding function for some of the 
output components but not all of them. Obliviousness does not cover this case, 
since the adversary has some of the decoding keys. It is not covered by privacy 
either, as the receiver should not gain any information about outputs for which 
he does not have a decoding function. 

In the confidentiality (indistinguishability) game, the adversary feeds two 
sequences σ_0 and σ_1 to the game, which produces a garbling of one of the two 
sequences, for a uniform bit b. The adversary wins if it can guess which 
sequence was garbled. It is required that the two sequences are not trivially dis- 
tinguishable. For instance, the two commands at position i in the two sequences 
should have the same type, the side information of functions at the same positions 
in the sequences should be the same, and all outputs produced by the sequences 
should be the same. This is formalized by requiring that the side information 
of the sequences are the same. This is done by checking that Φ(σ_0) = Φ(σ_1) in 
the rule Finalize. If one considers garbling sequences with only one function 
command, one garbling command, one input command per input component, 
no linking and where no output command is given, then confidentiality implies 
obliviousness. If in addition an output command is given for each output com- 
ponent, then confidentiality implies privacy. 

In the confidentiality (simulation) game, the adversary feeds a sequence σ 
to the game. The game samples a uniform bit b. If b = 0, then the game uses 
the reactive garbling scheme to produce values for the sequence. Otherwise, 
if the bit b = 1, the game feeds the output of the side-information function 
to the simulator and forwards any response to the adversary. The simulation- 
based notion of confidentiality implies the indistinguishability-based notion [22]. 

Definition 6 (Confidentiality). For a legal sequence class L relative to side- 
information function Φ and a reactive garbling scheme G, we say that G is (L, Φ)- 
confidential if for all PPT A it holds that Adv^{adp.ind.con}_{G,L,Φ,A}(1^k) is negligible, where 
Adv^{adp.ind.con}_{G,L,Φ,A}(1^k) = Pr[Game^{adp.ind.con}_{G,L,Φ,A}(1^k) = ⊤] − 1/2 and Game^{adp.ind.con}_{G,L,Φ,A} is 


Notice that this security definition is indistinguishability based, which is 
known to be very weak in some cases for garbling (cf. [2]). Consider for instance 
garbling a function f where the input x is secret and y = f(x) is made a public 
output. The security definition then only makes a requirement on the garbling 
scheme in the case where the adversary inputs two sequences where in sequence 
one the input is x_1 and in sequence two the input is x_2 and where f(x_1) = f(x_2). 
Consider then what happens if f is collision resistant. Since no adversary can 
compute such x_1 and x_2 where x_1 ≠ x_2, it follows that x_1 = x_2 in all pairs 
of sequences that the adversary can submit to the game. It can then be seen 
that it would be secure to "garble" collision resistant functions f by simply 
sending f in plaintext. Despite this weak definition, we later manage to prove 
that it is sufficient for building secure two-party computation. Looking ahead, 
when we need to securely compute f, we will garble a function f' which takes 
an additional input p which is the same length as the output of f and where 
f'(x, p) = p ⊕ f(x) and ask the party that supplies p to always let p be the all-zero 
string. Our techniques for ensuring active security in general are used to enforce 
that even a corrupted party does this. Correctness is thus preserved. Clearly f' 
is not collision resistant even if f is collision resistant. This prevents a secure 
garbling scheme from making insecure garblings of f'. In fact, note that this 
trick ensures that f' has the efficient invertibility property defined by [2], which 
means that the indistinguishability and simulation based security coincide. 

4 Instantiating a Confidential Reactive Garbling Scheme 

We show that the instantiation of garbling schemes in [2] can be extended to 
a reactive garbling scheme in the random-oracle (RO) model. We essentially 
implement the dual-key cipher construction from [2] using the RO. To link a 
wire with 0-token T_0 and 1-token T_1 to an input wire with tokens I_0 and I_1, 
we provide the linking information L_0 = RO(T_0) ⊕ I_0 and L_1 = RO(T_1) ⊕ I_1 
in a random order with each value tagged by the permutation bits of their 
corresponding input wires and output wires. Evaluation is done using function 
individual evaluation. Evaluation of a single garbled circuit is done as in [2]. 
Evaluation of a linking is: given T_b and a permutation bit, the bit is used to 
retrieve L_b from which I_b = L_b ⊕ RO(T_b) is computed. We provide the details 
in Sect. 4.1. We use the RO because reactive garbling schemes run into many of 
the same subtle security problems as adaptive garbling schemes [1], which are 
conveniently handled by being able to program the RO. We leave as an open 
problem the construction of (efficient) reactive garbling schemes in the standard 
model. 

4.1 A Reactive Garbling Scheme 

We will now give the details of the construction of a confidential reactive garbling 
scheme based on a random oracle. The protocol is inspired by the construction 
proc Initialize() 
  b ← {0, 1} 
  σ_0 ← () 
  σ_1 ← () 

proc Func(f_0, f_1, t) 
  for c ∈ {0, 1} do 
    σ_c ← σ_c || (Func, f_c, t) 
  if Φ(f_0) ≠ Φ(f_1) then return ⊥ 

proc Garble(t) 
  for c ∈ {0, 1} do σ_c ← σ_c || (Garble, t) 
  (F_t, e_t, o_t, d_t) ← Gb(sps, f_t, t) 
  return F_t 

proc Input(t, i, x_0, x_1) 
  for c ∈ {0, 1} do 
    σ_c ← σ_c || (input, t, i, x_c) 
  return En(e_t, t, i, x_b) 

proc Link(t_1, i_1, t_2, i_2) 
  for c ∈ {0, 1} do 
    σ_c ← σ_c || (Link, t_1, i_1, t_2, i_2) 
  return li(t_1, i_1, t_2, i_2, o_{t_1,i_1}, e_{t_2,i_2}) 

proc Output(t, i) 
  for c ∈ {0, 1} do 
    σ_c ← σ_c || (output, t, i) 
  return d_{t,i} 

proc Finalize(b') 
  if b = b' ∧ Φ(σ_0) = Φ(σ_1) ∧ σ_0 ∈ L 
    then return ⊤ 
    else return ⊥ 

Fig. 6. The game Game^{adp.ind.con}_{G,L,Φ,A}(1^k) defining adaptive indistinguishability confiden- 
tiality. In Finalize we check that σ_0 ∈ L and the adversary loses if this is not the case. 
It is easy to see that when L is a legal sequence class and Φ(σ_0) = Φ(σ_1), then σ_0 ∈ L iff 
σ_1 ∈ L. We can therefore by monotonicity assume that the game returns ⊥ as soon as 
it happens that σ_c ∉ L. We use a number of notational conventions from above. Tags 
are used to name objects relative to σ_c, which is assumed to be legal. As an example, in 
Garble(t), the function f_t refers to the function f_c occurring in the command (Func, f_c, t) 
which was added to σ_c in Func by Garble Legality. For another example, the d_{t,i} in 
Output(t, i) refers to the i-th component of the d_t component output by Gb(sps, f_t, t) in 
the execution of Garble(t) which must have been executed by Output Legality. 

of garbling schemes from dual-key ciphers presented in [2]. The pseudocode for 
our reactive garbling scheme is shown in Figs. 7 and 8. 

To simplify notation, we define lsb as the least significant bit, slsb as the 
second least significant bit. The operation root removes the last two bits of a 
string. The symbol H denotes the random oracle. 

We use the notation of [2] to represent a circuit. A circuit is a 6-tuple f = 
(n, m, q, A, B, G). Here n ≥ 2 is the number of inputs, m ≥ 1 is the number 
of outputs and q ≥ 1 is the number of gates. We let r = n + q be the number 
of wires. We let Inputs = {1, ..., n}, Wires = {1, ..., n + q}, OutputWires = 
{n + q − m + 1, ..., n + q} and Gates = {n + 1, ..., n + q}. Then A : Gates → 
Wires \ OutputWires is a function to identify each gate's first incoming wire and 
B : Gates → Wires \ OutputWires is a function to identify each gate's second 
incoming wire. Finally, G : Gates × {0, 1}^2 → {0, 1} is a function that determines 
the functionality of each gate. We require that A(g) < B(g) < g for all g ∈ Gates. 

Our protocol will also follow the approach of [2]. To garble a circuit, two 
tokens are selected for each wire, one denoted by X_{t,i,0} which shall encode the 
proc Gb(sps, f_t, t) 
  (n, m, q, A, B, G) ← f_t 
  for i ∈ {1, ..., n + q − m} do 
    c ← {0, 1}                                   // Type of the zero-encoding 
    X_{t,i,0} ← {0, 1}^{k−1} || c 
    X_{t,i,1} ← {0, 1}^{k−1} || 1 − c 
  for i ∈ {1, ..., m} do 
    c ← {0, 1}, r_i ← {0, 1}                     // Type and mask of zero-encoding 
    Y_{t,i,0} ← {0, 1}^{k−2} || r_i || c 
    Y_{t,i,1} ← {0, 1}^{k−2} || 1 − r_i || 1 − c 
    X_{t,n+q−m+i,0} ← Y_{t,i,0} 
    X_{t,n+q−m+i,1} ← Y_{t,i,1} 
  for (i, u, v) ∈ {n + 1, ..., n + q} × {0, 1} × {0, 1} do 
    a ← A(i), b ← B(i)                           // Left wire, right wire 
    // Left-wire encoding of u and its type 
    A ← root(X_{t,a,u}), a ← lsb(X_{t,a,u}) 
    // Right-wire encoding of v and its type 
    B ← root(X_{t,b,v}), b ← lsb(X_{t,b,v}) 
    // Unique tag 
    T ← t || i || a || b 
    // Row of garbled table associated to gate i and input (u, v) 
    P[i, a, b] ← H(T || A || B) ⊕ X_{t,i,G(i,u,v)} 
  F_t ← (n, m, q, A, B, P) 
  e_t ← ((X_{t,1,0}, X_{t,1,1}), ..., (X_{t,n,0}, X_{t,n,1})) 
  d_t ← {r_1, ..., r_m} 
  return (F_t, e_t, o_t, d_t) 

proc En(t, i, x) 
  X_{t,i} ← e_{t,i,x} 
  return X_{t,i} 

proc De(t, i, Y_{t,i}, d_{t,i}) 
  y_{t,i} ← slsb(Y_{t,i}) ⊕ d_{t,i} 
  return y_{t,i} 

Fig. 7. Reactive garbling scheme 


value 0 and the other denoted by X_{t,i,1} which will encode the value 1; we refer 
to this mapping as the semantic of a token. 

The encoding of an input for a value x is simply the token of the given 
wire with semantic x. The decoding of an output is the mask for that wire. 
We decouple the decoding from the linking to simplify the proof of security. 
The simulator will be able to produce linking without having to worry about the 
semantics of the output encoding. 

For each wire, the two associated tokens will be chosen such that the least 
significant bit (the type of a token) will differ. It is important to note that the 
proc li(o_{t_1,i_1}, e_{t_2,i_2}) 
  // Type of zero-encoding 
  c ← lsb(o_{t_1,i_1,0}) 
  K_0 ← root(o_{t_1,i_1,0}) 
  K_1 ← root(o_{t_1,i_1,1}) 
  T ← (t_1, i_1, t_2, i_2) 
  // Encryption of encoded input whose associated output encoding has type 0 
  L_0 ← H(T || K_c) ⊕ e_{t_2,i_2,c} 
  // Encryption of encoded input whose associated output encoding has type 1 
  L_1 ← H(T || K_{1⊕c}) ⊕ e_{t_2,i_2,1⊕c} 
  L_{t_1,i_1,t_2,i_2} ← (L_0, L_1) 
  return L_{t_1,i_1,t_2,i_2} 

proc Li(L_{t_1,i_1,t_2,i_2}, Y_{t_1,i_1}) 
  r ← lsb(Y_{t_1,i_1}) 
  K ← root(Y_{t_1,i_1}) 
  T ← (t_1, i_1, t_2, i_2) 
  X_{t_2,i_2} ← H(T || K) ⊕ L_{t_1,i_1,t_2,i_2,r} 
  return X_{t_2,i_2} 

proc Evl(F_t, X_1, ..., X_n) 
  (n, m, q, A, B, P) ← F_t 
  for i ← n + 1 to n + q do 
    a ← A(i), b ← B(i) 
    A ← X_{t,a}, B ← X_{t,b} 
    if A ≠ ⊥ ∧ B ≠ ⊥ then 
      a ← lsb(A), b ← lsb(B) 
      T ← t || i || a || b 
      X_{t,i} ← P[i, a, b] ⊕ H(T || root(A) || root(B)) 
  (Y_{t,1}, ..., Y_{t,m}) ← (X_{t,n+q−m+1}, ..., X_{t,n+q}) 
  return (Y_{t,1}, ..., Y_{t,m}) 

Fig. 8. Reactive garbling scheme (continued) 


semantics and type of a token are independent. The second least significant bit 
is called the mask and will have a special meaning later when the tokens are 
output tokens. We use root(X) to denote the part of a token that is not the type 
bit or the mask bit. 

Each gate g will be garbled by producing a garbled table. A garbled table will 
consist of four ciphertexts P[g, a, b] where a, b ∈ {0, 1}. The ciphertext P[g, a, b] 
will be produced in the following way: first find the token associated to the left 
input wire (A) with type a, denote the semantic of this token as x. Secondly, 
find the token associated to the right input wire (B) with type b, denote the 
semantic of this token as y. The ciphertext will be an encryption of the token of 
z = G(g, x, y). We will denote T = t || g || a || b. The encryption will be 

  P[g, a, b] ← H(T || root(X_{A(g),x}) || root(X_{B(g),y})) ⊕ X_{g,z} 

For each non-output wire, the token with semantic 0 will be chosen randomly 
and the token with semantic 1 will be chosen uniformly at random except for 
the last bit which will be chosen to be the negation of the least significant bit of 
the token with semantic 0 for the same wire. 

For each output wire, the first token will also be chosen uniformly at random. 
The token with semantic 0 will be chosen randomly and the token with semantic 
1 will be chosen uniformly at random except for the least significant bit and the 
second least significant bit. For both of these positions, the second token will be 
chosen so that they differ from the value in the 0-token for the same position. 
We refer to the second least significant bit of the 0-token of an output token as 
the mask of an output wire. 

A linking between output (t_1, i_1) and input (t_2, i_2) consists of two ciphertexts: 
let c be the type of the 0-token for the output wire. In this case, we set T = 
t_1 || i_1 || t_2 || i_2. The linking is simply 

  L ← (E_{root(Y_{t_1,i_1,c})}(X_{t_2,i_2,c}), E_{root(Y_{t_1,i_1,1−c})}(X_{t_2,i_2,1−c})) 

where E_k(z) = H(T || k) ⊕ z. Converting an encoded output into an encoded 
input follows naturally. 
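The scheme of Figs. 7 and 8 together with the gate and linking equations above, as an added Python example that is not the paper's code: it garbles two small circuits, links an output of one into an input of the other, and evaluates and decodes both, so the point-and-permute row selection, the type-bit-driven linking and the mask-based decoding can be traced end to end. It assumes H is SHA-256 truncated to K bytes, tokens are K-byte strings whose last byte carries the mask bit and the type bit, root() clears those two bits rather than stripping them, tags are built from the tag string and fixed-width integers, and o_t is the list of output-wire token pairs (the paper's Fig. 7 does not show how o_t is set). The circuits AND and XOR and the demo function are constructed for the example.

```python
# Added example (not the paper's code): RO-based reactive garbling of Figs. 7 and 8.
import hashlib
import os

K = 16  # token length in bytes (assumption; the paper uses k-bit tokens)

def H(data: bytes) -> bytes:
    """Random oracle H, modelled here by SHA-256 truncated to K bytes."""
    return hashlib.sha256(data).digest()[:K]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def lsb(tok):   # type bit of a token
    return tok[-1] & 1

def slsb(tok):  # mask bit of a token
    return (tok[-1] >> 1) & 1

def root(tok):  # token with type and mask bits cleared (assumption: cleared, not stripped)
    return tok[:-1] + bytes([tok[-1] & ~3])

def token(mask_bit, type_bit):
    r = bytearray(os.urandom(K))
    r[-1] = (r[-1] & ~3) | (mask_bit << 1) | type_bit
    return bytes(r)

def rand_bit():
    return os.urandom(1)[0] & 1

def tag(*parts):  # T = t || i || a || b: tag string followed by fixed-width integers
    return b"".join(p.encode() if isinstance(p, str) else p.to_bytes(2, "big") for p in parts)

def Gb(t, f):
    """Gb of Fig. 7 for a circuit f = (n, m, q, A, B, G) with gates n+1..n+q."""
    n, m, q, A, B, G = f
    X, d = {}, []
    for i in range(1, n + q - m + 1):              # non-output wires
        c = rand_bit()                             # type of the zero-encoding
        X[i, 0], X[i, 1] = token(rand_bit(), c), token(rand_bit(), 1 - c)
    for i in range(1, m + 1):                      # output wires: type and mask both flip
        c, r = rand_bit(), rand_bit()
        w = n + q - m + i
        X[w, 0], X[w, 1] = token(r, c), token(1 - r, 1 - c)
        d.append(r)
    P = {}
    for i in range(n + 1, n + q + 1):
        for u in (0, 1):
            for v in (0, 1):
                a, b = X[A[i], u], X[B[i], v]
                row = (i, lsb(a), lsb(b))          # the row is selected by the input types
                P[row] = xor(H(tag(t, *row) + root(a) + root(b)), X[i, G[i][u, v]])
    F = (t, n, m, q, A, B, P)
    e = [(X[i, 0], X[i, 1]) for i in range(1, n + 1)]
    o = [(X[n + q - m + i, 0], X[n + q - m + i, 1]) for i in range(1, m + 1)]
    return F, e, o, d

def En(e, i, x):
    return e[i - 1][x]

def Evl(F, Xin):
    """Evl of Fig. 8; None stands for ⊥ (an input token not yet available)."""
    t, n, m, q, A, B, P = F
    X = {i + 1: Xin[i] for i in range(n)}
    for i in range(n + 1, n + q + 1):
        a, b = X[A[i]], X[B[i]]
        if a is None or b is None:
            X[i] = None
            continue
        row = (i, lsb(a), lsb(b))
        X[i] = xor(P[row], H(tag(t, *row) + root(a) + root(b)))
    return [X[w] for w in range(n + q - m + 1, n + q + 1)]

def De(Y, d_i):
    return slsb(Y) ^ d_i

def li(link, o_i, e_j):
    """li of Fig. 8: encrypt each input token under the output token of the same semantic."""
    c = lsb(o_i[0])                                # type of the zero-encoding
    Ks = (root(o_i[0]), root(o_i[1]))
    T = tag(*link)
    L0 = xor(H(T + Ks[c]), e_j[c])                 # slot for output type 0
    L1 = xor(H(T + Ks[1 - c]), e_j[1 - c])         # slot for output type 1
    return (L0, L1)

def Li(link, L, Y):
    """Li of Fig. 8: the output token's type bit picks the slot it can decrypt."""
    if Y is None:
        return None
    return xor(H(tag(*link) + root(Y)), L[lsb(Y)])

# Constructed circuits: inputs are wires 1 and 2, the single gate 3 is the output wire.
def truth(op):
    return {(u, v): op(u, v) for u in (0, 1) for v in (0, 1)}

AND = (2, 1, 1, {3: 1}, {3: 2}, {3: truth(lambda u, v: u & v)})
XOR = (2, 1, 1, {3: 1}, {3: 2}, {3: truth(lambda u, v: u ^ v)})

def demo(x1, x2, x3):
    """Garble f = AND and g = XOR, link f's output into g's first input, evaluate both."""
    Ff, ef, of_, df = Gb("f", AND)
    Fg, eg, og, dg = Gb("g", XOR)
    link = ("f", 1, "g", 1)
    L = li(link, of_[0], eg[0])
    Yf = Evl(Ff, [En(ef, 1, x1), En(ef, 2, x2)])
    Yg = Evl(Fg, [Li(link, L, Yf[0]), En(eg, 2, x3)])
    return De(Yf[0], df[0]), De(Yg[0], dg[0])
```

demo(x1, x2, x3) returns (x1 ∧ x2, (x1 ∧ x2) ⊕ x3) for every input choice, and Evl returns None for an output whose inputs are not yet linked, which is the gradual behaviour Fig. 5 relies on. Decoding only needs the mask d_i, so the evaluator learns nothing about an output for which it holds no decoding information, which is the decoupling of decoding from linking described above.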

In [22] we prove the following theorem. 

Theorem 1. Let L be the set of all legal garbling sequences, let Φ denote the 
circuit topology of a function. Then RGS is (L, Φ)-confidential in the random 
oracle model. 

5 Application to Secure Reactive Two-Party 
Computation 

We now show how to implement reactive two-party computation secure against 
a malicious, static adversary using a projective reactive garbling scheme. For 
simplicity we assume that L is the set of all legal sequences. It can, however, in 
general consist of a set of sequences closed under the few augmentations we do 
of the sequence in the protocol. The implementation could be optimized using 
contemporary tricks for garbling based protocols, but we have chosen to not do 
this, as the purpose of this section is to demonstrate the use of our security 
definition, not efficiency. 

We implement the ideal functionality in Fig. 9. The inputs to the parties will 
be a garbling sequence. The commands are received one-by-one, to have a well 
defined sequence, but can be executed in parallel. We assume that at any point 
in time the input sequence received by a party is a prefix or suffix of the input 
sequence of the other parties, except that when a party receives a secret input by 
receiving input (input, t, i, x), then the other party receives (input, t, i, ?), to not 
leak the secret x, where we use ? to denote a special reserved input indicating 
that the real input has been removed. We also assume that the sequence of 
rule Initialize 
  σ ← () 

rule Func 
  on (Func, t, f) from A 
  on (Func, t, f) from B 
  σ ← σ || (Func, t, f) 

rule InputA 
  on (input, t, i, x) from A 
  on (input, t, i, ?) from B 
  await (Garble, t) ∈ σ 
  on (input, t, i, x') from S 
  if A ∈ Corrupt then x ← x' 
  Send (input, t, i, done) to A 
  Send (input, t, i, done) to B 
  σ ← σ || (input, t, i, x) 

rule InputB 
  on (input, t, i, ?) from A 
  on (input, t, i, x) from B 
  await (Garble, t) ∈ σ 
  on (input, t, i, x') from S 
  if B ∈ Corrupt then x ← x' 
  Send (input, t, i, done) to A 
  Send (input, t, i, done) to B 
  σ ← σ || (input, t, i, x) 

rule Garble 
  on (Garble, t) from A 
  on (Garble, t) from B 
  await (Func, t, f) ∈ σ 
  Send (Garble, t, done) to A 
  Send (Garble, t, done) to B 
  σ ← σ || (Garble, t) 

rule Link 
  on (Link, t_1, i_1, t_2, i_2) from A 
  on (Link, t_1, i_1, t_2, i_2) from B 
  await (Garble, t_1) ∈ σ 
  await (Garble, t_2) ∈ σ 
  Send (Link, t_1, i_1, t_2, i_2, done) to A 
  Send (Link, t_1, i_1, t_2, i_2, done) to B 
  σ ← σ || (Link, t_1, i_1, t_2, i_2) 

rule Output 
  on (output, t, i) from A 
  on (output, t, i) from B 
  await ∃(t, i, y_{t,i} ≠ ⊥) ∈ eval(σ) 
  Send (output, t, i, done) to A 
  Send (output, t, i, y_{t,i}) to B 
  σ ← σ || (output, t, i) 

Fig. 9. Ideal Functionality (only suitable for static security). For each line of the 
form "on c from P" for a command c and a party P, when the activation is given to 
the adversary the ideal functionality sends along (Φ(c), P). 


inputs given to any party is in L. If not, the ideal functionality will simply stop 
operating. We only specify an ideal functionality for static security. To correctly 
handle adaptive security a party should sometimes be allowed to replace its 
input when becoming adaptively corrupted. Since we only prove static security, 
we chose to not add these complications to the specification. 

The implementation will be based on the idea of a watchlist [15]. Alice and 
Bob will run many instances of a base protocol where Alice is the garbler and Bob 
is the evaluator. Alice will in each instance provide Bob with garbled functions, 
linking information, encoded inputs for Alice’s inputs and encoded inputs for 
Bob’s inputs, and decoding information. For all Bob’s input bits, Alice computes 
encodings of both 0 and 1, and Bob uses an oblivious transfer to pick the encoding 
he wants. For a given input bit, the same oblivious transfer instance is used to 
choose the appropriate encodings in all the instances. This forces Bob to use the 
same input in all instances. Bob then does a garbled evaluation and decodes to 
get a plaintext output. Bob therefore gets one possible value of the output from 
each instance. If Alice cheats by sending incorrect garblings or using different 
inputs in different instances, the outputs might be different. We combat this 
by using a watchlist. For a random subset of the instances, Bob will learn all 
the randomness used by Alice to run the algorithms of the garbling scheme and 
Bob can therefore check whether Alice is sending the expected values in these 
instances. The instances inspected by Bob are called the watchlist instances. 
The other instances are called the evaluation instances. The watchlist is random 
and unknown to Alice. The number of instances and the size of the watchlist 
is set up such that except with negligible probability, either a majority of the 
evaluation instances are correct or Bob will detect that Alice cheated without 
leaking information about his input. Bob can therefore take the output value that 
appears the most often among the evaluation instances as his output. There are 
several issues with this general approach that must be handled. 

1. We cannot allow Bob to learn the encoded inputs of Alice in watchlist 
instances, as Bob also knows the input encoding functions for the watch- 
list instances. This is handled by letting Alice send her random tape r_i for 
each instance i to Bob in an oblivious transfer, where the other message is a 
key that will be used by Alice to encrypt the encodings of her input. That way 
Bob can choose to either make instance i a watchlist instance, by choosing 
r_i, or learn the encoded inputs of Alice, but not both. 

2. Alice might not send correct input encodings of her own inputs, in which case 
correctness is not guaranteed. This is not caught by the watchlist mechanism 
as Bob does not learn Alice’s input encodings for the watchlist instances. To 
combat this attack, Alice must for all input bits of Alice, in all instances, 
commit to both the encoding of 0 and 1, in a random order, and send along 
with her input encodings an opening of one of the commitments. The ran- 
domness used to commit is picked from the random tape that Bob knows in 
the watchlist instances. That way Bob can check in the watchlist instances 
that the commitments were computed correctly, and hence the check in the 
evaluation position that the encoding sent by Alice opens one of the commit- 
ments will ensure that most evaluation instances were run with correct input 
encodings, except with negligible probability. 

3. We have to ensure that Alice uses the same input for herself in all instances. 
For the same reason as item 2, this cannot be caught by the watchlist mech- 
anism. Instead, it is done by revealing in all instances a privacy-preserving 
message digest of Alice’s input. Bob can then check that this digest is the same 
in all instances. For efficiency, the digest is computed using a two-universal 
hash function. This is a common trick by now, see [6,8,23]. However, all pre- 
vious work used garbled circuits in a white box manner to make this trick 
work. We can do it by a black box use of reactive garbling, as follows. First 
Alice garbles the function f to be evaluated producing the garbling F where 
Alice is to provide some input component x. Then Alice garbles the function 
g which takes as input a mask m, an index c for a family h of two-universal 
hash functions and an input x for the hash function and which outputs x 
and y = h_c(x) ⊕ m. Alice then randomly samples a mask m and then sends 
encodings of m and x to Bob as well as the output decoding function for 
y. Bob then samples an index c at random and makes it public. Then Alice 
sends the encoding of c to Bob. Alice then links the output component x of G 
into the input component x of F. This lets Bob compute y and an encoding 
X of the input x of f. 

4. As usual Alice can mount a selective attack by for example offering Bob a 
correct encoding of 0 and an incorrect encoding of 1 in one of the OTs used 
for picking Bob’s input. This will not be caught by the watchlist mechanism 
if Bob’s input is 0. As usual this is combated by encoding Bob’s input and 
instead using the encoding as input. The encoding is such that any s positions 
are uniformly random and independent of the input of Bob. Hence if Alice 
learns up to s bits of the encoding, it gives her no information on the input 
of Bob, and if she mounts more than s selective attacks, she will get caught 
except with probability 2^{−s}. This is again a known trick used in a white 
box manner in previous works, and again we use linking to generalize this 
technique to (reactive) garbling schemes. First, Alice will garble an identity 
function for which Bob will get an encoding of a randomly chosen input x' 
via OT. Then Bob selects a random hash function h from a two- universal 
family of hash functions such that h(x') = x where x is Bob’s real input. Bob 
sends h to Alice. Alice then garbles the hash function and links the output 
of the identity function to the input of the hash function and she links the 
output of the hash function to the encoded function which Bob is providing 
an input for. 

With the above augmentations, which solve obvious security problems, along 
with an augmentation described below, addressing a problem with simulation, 
the protocol is UC secure against a static adversary. We briefly sketch how to 
achieve simulation security. 

Simulating corrupted Alice is easy. The simulator can cheat in the OTs used 
to set up the watchlist and learn both the randomness and the input encodings 
of Alice in all the evaluation instances. The mechanisms described above ensure 
that in a majority of evaluation instances Alice correctly garbled and also used 
the same correct input encoding. Since the input encoding is projective, the 
input x of Alice can be computed from the input encoding function and her 
garbled input. By correctness of the garbling scheme, it follows that all correct 
evaluation instances would give the same output z consistent with x. Hence the 
simulator can use x as the input of Alice in the simulation. 

As usual simulating corrupted Bob is more challenging. To get a feeling for 
the problem, assume that Alice has to send a garbled circuit F of the function 
/ to be computed before Bob gives inputs. When Bob then gives input, the 
input y of Bob can be extracted in the simulation by cheating in the OTs and 
inspecting the choice bits used by Bob. The simulator then inputs y to the 
ideal functionality and gets back the output z = f(x, y) that Bob is to learn. 
However, the simulator then in addition has to make F output z in the simulated 
execution of the protocol. This in general would require finding an input x' of 
Alice such that z = f(x', y), which could be computationally hard. Previous 
papers have used white-box modifications of the garbled circuit or the output 
decoding function to facilitate enough cheating to make F hit z without having 
to compute x'. We show how to do it in a very simple and elegant way in a black- 
box manner from any reactive garbling scheme which can garble the exclusive-or 
function. In our protocol Alice will not send to Bob the decoding key for the 
encoded output Z. Instead, she garbles a masking function ψ(z, m) = z ⊕ m 
and links the output of the function f to the first argument of the masking 
function. Then she produces an encoding M of the all-zero string for m and 
sends M to Bob along with the output decoding function for ψ. Bob can then 
compute and decode from Z and M the value z ⊕ 0 = z. In the simulation, the 
simulator of corrupted Bob knows the watchlist and can hence behave honestly 
in the watchlist instances and use the freedom of m to make the output z ⊕ m 
hit the desired output from the ideal functionality in the evaluation positions. 
This will be indistinguishable from the real world because of the confidentiality 
property. Since this trick does not require modifying the garbled function, our 
protocol will only require a projective garbling scheme which is confidential. It 
will work for any side-information function. Earlier protocols required that the 
side-information be the topology of the circuit to hide the modification of the 
function f needed for simulation, or they needed to do white box modifications 
of the output decoding function to make the needed cheating occur as part of 
the output decoding. 

5.1 Details of the Reactive 2PC Protocol 

We now give more details on the protocol. The different instances will be indexed 
by j ∈ I = {1, ..., s}. The watchlist is given by w = (w_1, ..., w_s) ∈ {0,1}^s, 
where w_j = 1 iff j is a watchlist instance. In the protocol s instances are run 
in parallel. When a copy of a variable v is used in each instance, the copy used 
in instance j is denoted by v^j. In most cases the code for an instance does not 
depend on j explicitly but only on whether the instance is on the watchlist or the 
evaluation list, in which case we will write the code generically using the variable 
name v. The convention is that all s copies v^1, ..., v^s are manipulated the same 
way, in single-instruction-multiple-data program style. For instance, w = 1 will 
mean w^j = 1, such that w = 1 is true iff the instance is in the watchlist. 

We will use commitments and oblivious transfer within the protocol. We work 
in the OT-hybrid model. We use OT.send(m_0, m_1) to mean that Alice sends 
two messages via the oblivious-transfer functionality, and we use the notation 
OT.choose(b) to say that Bob chooses to receive m_b. We use a perfectly binding 
and computationally hiding commitment scheme. If a public key is needed, it 
could be generated by Alice and sent to Bob in initialization. A commitment 
to a message m produced with randomness r is denoted by com(m; r); sending 
(m, r) constitutes an opening of the commitment. 
rule A.Initialize 
  // Sample watchlist key and an evaluation key 
  wk, ek ← {0,1}^k 
  OT.send(ek, wk) 
  σ ← ∅ 

rule B.Initialize 
  // Learn either the watchlist key or the evaluation key 
  w ← {0,1} 
  k ← OT.choose(w) 
  σ ← ∅ 

rule A.Func 
  on (Func, t, f) 
  σ ← σ || (Func, t, f) 

rule B.Func 
  on (Func, t, f) 
  σ ← σ || (Func, t, f) 

rule A.Garble 
  on (Garble, t) 
  await ∃f : (Func, t, f) ∈ σ 
  (F_t, e_t, o_t, d_t) ← Gb(f, t; r) 
  E ← E_wk(r) 
  send F_t, E to B 
  σ ← σ || (Garble, t) 

rule B.Garble 
  on (Garble, t) 
  await ∃f : (Func, t, f) ∈ σ 
  on F', E from A 
  if w = 1 then 
    r ← D_wk(E) 
    (F_t, e_t, o_t, d_t) ← Gb(f, t; r) 
    verify F' = F_t 
  F_t ← F' 
  σ ← σ || (Garble, t) 

rule A.Link 
  on (Link, t_1, i_1, t, i_2) 
  await (Garble, t) ∈ σ 
  await (Garble, t_1) ∈ σ 
  send L ← li(o_{t_1,i_1}, e_{t,i_2}) to B 
  σ ← σ || (Link, t_1, i_1, t, i_2) 

rule B.Link 
  on (Link, t_1, i_1, t, i_2) 
  await (Garble, t) ∈ σ 
  await (Garble, t_1) ∈ σ 
  on L from A 
  ℒ ← ℒ || (t_1, i_1, t, i_2, L) 
  if w = 1 then verify L = li(o_{t_1,i_1}, e_{t,i_2}) 
  σ ← σ || (Link, t_1, i_1, t, i_2) 

Fig. 10. Protocol (Initialize, Garble, Link) 


If we write A(x; r) for a randomized algorithm, where r is not bound before, 
then it means that we make a random run of A on input x and that we use r in 
the following to denote the randomness used by A. If we send a set {x, y}, then 
it is sent as a vector with the bit strings x and y sorted lexicographically, such 
that all information extra to the elements is removed before sending. When rules 
are called, tags t are provided. It follows from the input sequences being legal 
that these tags are unique, except when referring to a legal previous occurrence. 
We further assume that all tags provided as inputs are of the form 0 || {0,1}*, 
which allows us to use tags of the form 1 || {0,1}* for internal bookkeeping. Tags 
for internal use will be derived from the tags given as input and the name of the 
rule creating the new tag. For a garbling scheme G, a commitment scheme com 
and an encryption scheme ℰ, we use π_{G,com,ℰ} to denote the protocol given by the set 
of rules in Figs. 10, 11, 12, 13, 14 and 15. We add a few remarks to the figures. 
rule A.Input_A 
  on (input, t, i, x) 
  await (Garble, t) ∈ σ 
  t̂ ← 1 || (input, t, i) || 0 
  ℓ_1 ← len(f_t.A_i) 
  ℓ_2 ← len(g_{ℓ_1}.A_2) 
  ℓ_3 ← len(g_{ℓ_1}.A_3) 
  m ← {0,1}^{ℓ_2} 
  // Garble auxiliary function g 
  (G_t̂, e_t̂, d_t̂, o_t̂) ← Gb(g_{ℓ_1}, t̂; r) 
  // Watchlist encryption of garbled auxiliary function's randomness 
  E ← E_wk(r) 
  send (G_t̂, d_{t̂,2}, E) to B 
  for u ∈ {1, ..., ℓ_1} do 
    X_{u,0} ← En(e_{t̂,1,u}, 0) 
    X_{u,1} ← En(e_{t̂,1,u}, 1) 
    r_{u,0}, r_{u,1} ← {0,1}^k 
    // Commit to tokens 
    S_{u,1} ← {com(X_{u,0}; r_{u,0}), com(X_{u,1}; r_{u,1})} 
    // Watchlist encryption of tokens 
    E_{u,1} ← E_wk((X_{u,0}, X_{u,1})) 
    // Watchlist encryption of commitment's randomness 
    E_{u,2} ← E_wk((r_{u,0}, r_{u,1})) 
    // Evaluation encryption of tokens for Alice's choice of input 
    E_{u,3} ← E_ek((X_{u,x_u}, r_{u,x_u})) 
    // Linking G to F_t 
    L_u ← li(o_{t̂,1,u}, e_{t,i,u}) 
    send (S_{u,1}, E_{u,1}, E_{u,2}, E_{u,3}, L_u) to B 
  for u ∈ {1, ..., ℓ_2} do 
    M_{u,0} ← En(e_{t̂,2,u}, 0) 
    M_{u,1} ← En(e_{t̂,2,u}, 1) 
    S_{u,2} ← {com(M_{u,0}; r'_{u,0}), com(M_{u,1}; r'_{u,1})} 
    E_{u,4} ← E_wk((M_{u,0}, M_{u,1})) 
    E_{u,5} ← E_wk((r'_{u,0}, r'_{u,1})) 
    E_{u,6} ← E_ek((M_{u,m_u}, r'_{u,m_u})) 
    send (S_{u,2}, E_{u,4}, E_{u,5}, E_{u,6}) to B 
  // Auxiliary input from Bob 
  on c from B 
  // Encoding of auxiliary input 
  for u ∈ {1, ..., ℓ_3} do send C_{u,c_u} to B 
  σ ← σ || (input, t, i, T) 

Fig. 11. Input_A 
rule B.Input_A 
  on (input, t, i, ?) 
  await (Garble, t) ∈ σ 
  t̂ ← 1 || (input, t, i) || 0 
  c ← {0,1}^{ℓ_3} 
  on G_t̂, d_{t̂,2}, E from A 
  for u ∈ {1, ..., ℓ_1} do on (S_{u,1}, E_{u,1}, E_{u,2}, E_{u,3}, L_u) from A 
  for u ∈ {1, ..., ℓ_2} do on (S_{u,2}, E_{u,4}, E_{u,5}, E_{u,6}) from A 
  send c to A 
  for u ∈ {1, ..., ℓ_3} do on C_{u,c_u} from A 
  // Use watchlist key to verify correctness of garbling and commitments 
  if w = 1 then 
    r ← D_wk(E), (G_t̂, e_t̂, o_t̂) ← Gb(g_{ℓ_1}, t̂; r) 
    for u ∈ {1, ..., ℓ_1} do 
      X_{u,0} ← En(e_{t̂,1,u}, 0) 
      X_{u,1} ← En(e_{t̂,1,u}, 1) 
    for u ∈ {1, ..., ℓ_2} do 
      M_{u,0} ← En(e_{t̂,2,u}, 0) 
      M_{u,1} ← En(e_{t̂,2,u}, 1) 
    for u ∈ {1, ..., ℓ_3} do 
      C_{u,0} ← En(e_{t̂,3,u}, 0) 
      C_{u,1} ← En(e_{t̂,3,u}, 1) 
    for u ∈ {1, ..., ℓ_1} do 
      (r_{u,0}, r_{u,1}) ← D_wk(E_{u,2}) 
      verify D_wk(E_{u,1}) = (X_{u,0}, X_{u,1}) 
      verify S_{u,1} = {com(X_{u,0}; r_{u,0}), com(X_{u,1}; r_{u,1})} 
      verify L_u = li(o_{t̂,1,u}, e_{t,i,u}) 
    for u ∈ {1, ..., ℓ_2} do 
      (r'_{u,0}, r'_{u,1}) ← D_wk(E_{u,5}) 
      verify D_wk(E_{u,4}) = (M_{u,0}, M_{u,1}) 
      verify S_{u,2} = {com(M_{u,0}; r'_{u,0}), com(M_{u,1}; r'_{u,1})} 
    for u ∈ {1, ..., ℓ_3} do 
      verify C_{u,c_u} = En(e_{t̂,3,u}, c_u) 
  else 
    // Use evaluation key to extract tokens for Alice's choice of input 
    for u ∈ {1, ..., ℓ_1} do 
      (X_{u,x_u}, r_{u,x_u}) ← D_ek(E_{u,3}) 
    for u ∈ {1, ..., ℓ_2} do 
      (M_{u,m_u}, r'_{u,m_u}) ← D_ek(E_{u,6}) 
    // Verify commitments of tokens for Alice's choice of input 
    verify ∀u ∈ {1, ..., ℓ_1} (com(X_{u,x_u}; r_{u,x_u}) ∈ S_{u,1}) 
    verify ∀u ∈ {1, ..., ℓ_2} (com(M_{u,m_u}; r'_{u,m_u}) ∈ S_{u,2}) 
    X ← {(t̂, 1, X_x), (t̂, 2, M_m), (t̂, 3, C_c)} 
    Y ← Ev({(t̂, G_t̂)}, X) 
    y_2 ← De(d_{t̂,2}, Y_2) 
    // Verify that auxiliary outputs are the same in each instance 
    verify ∀j, j' (y_2^j = y_2^{j'}) 
    𝒳 ← 𝒳 || X_x 
    ℱ ← ℱ || (t̂, G_t̂) 
    ℒ ← ℒ || (t̂, 1, t, i, L) 
  σ ← σ || (input, t, i, T) 

Fig. 12. Input_A (continued) 


In the Initialize-rules Alice and Bob set up the watchlist. They use a (symmetric) 
encryption scheme ℰ = (E, D) with k-bit keys. For each instance j, Alice 
sends two keys via the oblivious transfer functionality, the watchlist key wk^j 
and the evaluation key ek^j. Alice will later encrypt and send the information 
rule A.Input_B 
  on (input, t, i, ?) 
  await (Garble, t) ∈ σ 
  ℓ ← len(f_t.A_i) 
  ℓ_1 ← ℓ + 2s + 1 
  t̂ ← 1 || (input, t, i) || 0 
  t' ← 1 || (input, t, i) || 1 
  // Garble the identity function 
  (Id_t̂, e_t̂, o_t̂, d_t̂) ← Gb(id_{ℓ_1}, t̂; r) 
  // Send to Bob the garbled identity function and the watchlist encryption of its randomness 
  send E ← E_wk(r), Id_t̂ to B 
  for u ∈ {1, ..., ℓ_1} do 
    X_{u,0} ← En(e_{t̂,u}, 0) 
    X_{u,1} ← En(e_{t̂,u}, 1) 
    // Oblivious transfer of Bob's input tokens 
    OT.send({X^j_{u,0}}_{j ∈ {1, ..., s}}, {X^j_{u,1}}_{j ∈ {1, ..., s}}) 
  // Await universal hash function 
  on h from B 
  // Garble universal hash function 
  (H_{t'}, e_{t'}, o_{t'}, d_{t'}) ← Gb(h, t'; r') 
  // Send garbled hash function and the watchlist encryption of its randomness to Bob 
  send H_{t'}, E_wk(r') to B 
  for u ∈ {1, ..., ℓ_1} do 
    // Link Id_t̂ to H_{t'} 
    send L_u ← li(o_{t̂,u}, e_{t',u}) to B 
  // Link H_{t'} to F_t 
  send L ← li(o_{t',1}, e_{t,i}) to B 
  σ ← σ || (input, t, i, T) 

Fig. 13. Input_B 


Bob is to learn for watchlist (evaluation) instances with the key wk (ek). In the 
Func-rules they simply associate a function to a tag. In the Garble-rules Alice 
garbles the function and sends the garbling to Bob; she also sends an encryption 
under the watchlist key of the randomness used to produce this garbling. This 
allows Bob, for the watchlist positions, to check that Alice produced a correct 
garbling and to store the result of garbling. This knowledge will be used in other 
rules. In the Link-rules Alice sends linking information. Bob can for all watchlist 
positions check that the information is correct, since he knows the randomness 
used to garble. In the Output-rules Alice awaits that she has sent to Bob the 
encoded inputs and linkings needed to produce the encoded output associated to this 
rule. She produces a garbling of ψ. She will link the output to ψ and produce an 
encoding of the zero-string for the second component; she also sends an encryption 
of the randomness used to produce the garbling of ψ to Bob. Bob awaits 
rule B.Input_B 
  on (input, t, i, x) 
  await (Garble, t) ∈ σ 
  t̂ ← 1 || (input, t, i) || 0 
  t' ← 1 || (input, t, i) || 1 
  // Sample a random string x' 
  x' ← {0,1}^{ℓ_1} 
  // Sample a random universal hash function h such that h(x') = x 
  h ← {h ∈ H_ℓ | h(x') = x} 
  // Await a garbled identity function from Alice 
  on E, Id_t̂ from A 
  // Obliviously learn tokens for x' 
  for u ∈ {1, ..., ℓ_1} do 
    X_{u,x'_u} ← OT.choose(x'_u) 
  X_{t̂,x'} ← (X_{1,x'_1}, ..., X_{ℓ_1,x'_{ℓ_1}}) 
  if w = 1 then 
    /* Verify garbled identity function and the correctness of 
       received tokens using the watchlist encryption of the 
       randomness */ 
    r ← D_wk(E) 
    (Id', e_t̂, o_t̂, d_t̂) ← Gb(id_{ℓ_1}, t̂; r) 
    verify Id' = Id_t̂ 
    verify ∀u ∈ {1, ..., ℓ_1} : X_{u,x'_u} = En(e_{t̂,u}, x'_u) 
  else 
    𝒳 ← 𝒳 || (t̂, X_{t̂,x'}) 
  send h to A 
  on H', E' from A 
  for u ∈ {1, ..., ℓ_1} do 
    on L_u from A 
  on L from A 
  if w = 1 then 
    /* Verify garbled hash function using the watchlist encryption 
       of the randomness */ 
    r' ← D_wk(E') 
    (H_{t'}, e_{t'}, o_{t'}, d_{t'}) ← Gb(h, t'; r') 
    verify H_{t'} = H' 
    // Verify linking information 
    for u ∈ {1, ..., ℓ_1} do 
      verify L_u = li(o_{t̂,u}, e_{t',u}) 
    verify L = li(o_{t',1}, e_{t,i}) 
  else 
    ℱ ← ℱ || (t̂, Id_t̂) 
    ℱ ← ℱ || (t', H') 
    𝒳 ← 𝒳 || (t̂, X_{t̂,x'}) 
    ℒ ← ℒ || (t', 1, t, i, L) 
    for u ∈ {1, ..., ℓ_1} do 
      ℒ ← ℒ || (t̂, u, t', u, L_u) 
  σ ← σ || (input, t, i, T) 

Fig. 14. Input_B (continued) 
rule A.Output 
  on (output, t, i) 
  await (t, i) ∈ ready(σ) 
  t̂ ← 1 || (output, t, i) 
  // Garble ψ 
  (Ψ_t̂, e_t̂, d_t̂, o_t̂) ← Gb(ψ, t̂; r) 
  L ← li(o_{t,i}, e_{t̂,1}) 
  E ← E_wk(r) 
  // Encode all-zero string 
  X_{t̂,0} ← En(e_{t̂,2}, 0) 
  send (L, E, Ψ_t̂, X_{t̂,0}, d_{t̂,1}) to B 

rule B.Output 
  on (output, t, i) 
  await (t, i, T) ∈ ready(σ) 
  t̂ ← 1 || (output, t, i) 
  on (L, E, Ψ', X_{t̂,0}, d') from A 
  if w = 1 then 
    r ← D_wk(E) 
    (Ψ_t̂, e_t̂, d_t̂, o_t̂) ← Gb(ψ, t̂; r) 
    L̂ ← li(o_{t,i}, e_{t̂,1}) 
    /* Verify: 
       1) Ψ' is the garbling of ψ 
       2) Linking is correct 
       3) Encoding of the all-zero string was sent 
       4) Correct output decoding was sent */ 
    verify L = L̂ ∧ Ψ' = Ψ_t̂ 
    verify X_{t̂,0} = En(e_{t̂,2}, 0) ∧ d' = d_{t̂,1} 
  else 
    𝒳 ← 𝒳 || (t̂, 2, X_{t̂,0}) 
    ℒ ← ℒ || (t, i, t̂, 1, L) 
    𝒟 ← 𝒟 || (t̂, 1, d_{t̂,1}) 
    await ∃(t̂, 1, Y_{t̂,1}) ∈ Ev(ℱ, 𝒳, ℒ) 
    // Apply majority decoding 
    y_{t,i} ← 

Fig. 15. Protocol (Output) 


that he has received the garbling, linking and encoding needed to produce the encoded 
output in question. For each instance of the watchlist, he uses the randomness to 
check that the linking was done correctly, that ψ was garbled correctly and that 
an encoding of an all-zero string was sent for the second component of ψ. He 
then evaluates each instance in the evaluation set and takes the majority value 
as his output. 
In the Input_A-rules Alice commits to both her input encodings and encrypts 
the openings of the commitments using the watchlist key. The opening of Alice's 
input encoding will be encrypted using the evaluation key. To verify Alice's 
input, we first pass Alice's input through an auxiliary function which combines 
the identity function with an additional verification function which forces Alice 
to use the same input in different instances. We then link the output of the 
identity function to the appropriate input. We denote the auxiliary function by 
g_ℓ : A_1 × A_2 × A_3 → B_1 × B_2 and g_ℓ(x, m, c) = (x, v_ℓ(x, m, c)) where A_1 = A_2 = 
B_1 = {0,1}^ℓ ∪ {⊥} and v_ℓ : A_1 × A_2 × A_3 → B_2. Efficient such functions with 
the properties needed for the security of the protocol can be based on universal 
hash functions; see for instance [6, 23]. 
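As an added illustration (not the paper's own code), the following Python simulates the watchlist mechanism of the Initialize- and Input_A-rules for the tokens of Alice's input: each instance has keys (wk, ek), Bob learns one of them through OT, watchlist instances regenerate the garbling from the decrypted randomness and check the token commitments, evaluation instances only open the committed token for Alice's choice. A PRF stands in for Gb/En, a hash for com, a PRF keystream for (E, D), and the "cheat" variant (tokens not explained by the sent randomness) is an assumption added to show what the watchlist catches.

```python
import hashlib, hmac, os

def prf(key, *parts):  # toy PRF (HMAC-SHA256); stands in for the garbling scheme's token derivation
    return hmac.new(key, b"|".join(str(p).encode() for p in parts), hashlib.sha256).digest()

def enc(key, msg):  # toy symmetric scheme (E, D): XOR with a PRF keystream, so D == E (illustration only)
    ks = b"".join(prf(key, "ks", i) for i in range((len(msg) + 31) // 32))
    return bytes(a ^ b for a, b in zip(msg, ks))

def com(m, rnd):  # hash commitment com(m; rnd); the opening is (m, rnd)
    return hashlib.sha256(m + rnd).digest()

def gb(r, n):  # Gb(id, t; r): input tokens X_{u,b}, u in 1..n, derived deterministically from r
    return [[prf(r, "tok", u, b) for b in (0, 1)] for u in range(n)]

def alice_inputa(x, wk, ek, cheat=False):
    """One instance of A.Input_A for Alice's bit list x (tokens for the first argument only)."""
    r = os.urandom(32)
    X = gb(os.urandom(32) if cheat else r, len(x))  # cheat: tokens not explained by the r she sends
    msg = {"E": enc(wk, r), "S": [], "E1": [], "E2": [], "E3": []}
    for u, xu in enumerate(x):
        r0, r1 = os.urandom(16), os.urandom(16)
        msg["S"].append(sorted([com(X[u][0], r0), com(X[u][1], r1)]))  # S_{u,1}, sent as a sorted set
        msg["E1"].append(enc(wk, X[u][0] + X[u][1]))                  # E_{u,1}: both tokens, watchlist key
        msg["E2"].append(enc(wk, r0 + r1))                            # E_{u,2}: commitment randomness
        msg["E3"].append(enc(ek, X[u][xu] + (r0, r1)[xu]))            # E_{u,3}: opening for x_u, evaluation key
    return msg

def bob_inputa(msg, key, w, n):
    """B.Input_A: watchlist check if w == 1 (key is wk), else token extraction (key is ek)."""
    if w == 1:
        X = gb(enc(key, msg["E"]), n)  # r <- D_wk(E); regenerate the garbling from r
        for u in range(n):
            rnd = enc(key, msg["E2"][u]); r0, r1 = rnd[:16], rnd[16:]
            if enc(key, msg["E1"][u]) != X[u][0] + X[u][1]: return False, None
            if sorted([com(X[u][0], r0), com(X[u][1], r1)]) != msg["S"][u]: return False, None
        return True, None
    toks = []
    for u in range(n):
        opening = enc(key, msg["E3"][u]); tok, rnd = opening[:32], opening[32:]
        if com(tok, rnd) not in msg["S"][u]: return False, None  # verify com(X_{u,x_u}; r_{u,x_u}) in S_{u,1}
        toks.append(tok)
    return True, toks

def run(x, w, cheat=False):  # len(w) parallel instances; w_j == 1 is a watchlist instance
    caught = False
    for wj in w:
        wk, ek = os.urandom(32), os.urandom(32)  # A.Initialize: OT.send(ek, wk); B.Initialize: OT.choose(w_j)
        ok, _ = bob_inputa(alice_inputa(x, wk, ek, cheat), wk if wj else ek, wj, len(x))
        caught |= not ok
    return caught, w.count(0)  # (any instance failed its check, number of evaluation instances)
```

A dishonest garbling passes every evaluation instance, since the opened token is consistent with the commitment, and is detected only when at least one instance is on the watchlist, which is why Bob's choice of w must be hidden from Alice by the OT.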

In the Input_B-rules Alice first garbles the identity function. Bob then randomly 
samples a value x' and gets an encoding of that value via oblivious transfer for 
the garbled identity function. Then Bob samples uniformly at random a function 
h from a two-universal family of hash functions such that h(x') = x, where x is 
the input of Bob. Alice will then garble the hash function. She will link the 
garbling of the identity function to the garbling of the hash function. She will 
then link the garbled hash function to the garbled function. We will denote by 
H_ℓ a two-universal family of hash functions h : {0,1}^{ℓ+2s+1} → {0,1}^ℓ. We use 
id : A → A to denote the identity function on A. 

In [22] we prove the following theorem. 

Theorem 2. Let L be the set of all legal sequences and let Φ be a side-information 
function. Let G be a reactive garbling scheme. Let com be a commitment 
scheme and ℰ an encryption scheme. If G is L-correct and (L, Φ)-confidential 
and com is computationally hiding and perfectly binding and ℰ is 
IND-CPA secure, then π_{G,com,ℰ} UC-securely realizes the ideal functionality in the OT-hybrid model 
against a static, malicious adversary. 